What is the RED Delegated Act and associated standard
The EU recognized that wireless devices often lack cybersecurity protection, posing risks to networks, consumer data and privacy. In response, the EU introduced the RED Delegated Act (EU) 2022/30 (RED DA), extending the Radio Equipment Directive (2014/53/EU), focusing on strengthening cybersecurity requirements for wireless and internet-connected devices in the European market. The RED DA applies to any product placed on the EU market from 1 August 2025, and activates three essential requirements that mandate:
- Protection of networks from harm or misuse - Article 3.3(d)
- Protection of personal data and user privacy - Article 3.3(e)
- Protection against fraud and unauthorized monetary transactions - Article 3.3(f)
The EN 18031 standard was developed especially for the RED DA. It is composed of three documents: EN 18031-1, EN 18031-2 and EN 18031-3. They specify the security requirements for Article 3(3) points (d), (e) and (f) respectively, with both unique and overlapping requirements in each of them. The EN 18031 standard was ‘Recognized as Harmonized Standard with Restrictions’ by the EU Commission in January 2025. These Restrictions may evolve or be lifted in the future as the evaluation process matures.
This webpage contains a high-level summary with the key topics. If you want more information, please read our RED DA Customer guide. We will strive to keep this information up-to-date with the latest changes in RED DA and EN 18031.
Does RED DA apply to my product
The RED DA applies to specific types of radio equipment depending on their capabilities. A device may fall under more than one requirement. Nordic is not positioned to assess which requirement applies for a type of application, as it will largely depend on the end-product features and configuration choices.
| Requirement | Applies if |
|---|---|
| 3.3(d) - Network Protection | The device is Internet-connected (directly or indirectly, e.g. via a smartphone app) |
| 3.3(e) - Privacy Protection | The device processes personal data, traffic data, or location data — or is a toy, wearable, or childcare product. |
| 3.3(f) - Fraud Protection | The device supports monetary transactions or transfers of value (e.g. digital wallets). |
How do I demonstrate compliance
End-product manufacturers are obligated to demonstrate that their products comply with the RED Delegated Act in order to legally apply the CE marking needed to import and sell products in the EU.
There are two options to show compliance:
- Self-declaration: allowed when harmonized standards are used and any restrictions that exist do not apply to the end-product
- Third-party assessment: required if harmonized standards are not used, or if they are used with restrictions that apply to the end-product
For products that fully conform to a Harmonized Standard there is a ‘presumption of conformity’, meaning that a manufacturer can ‘self-declare’ the conformance. This presumption is not present at the moment for EN 18031, as the EU Commission has certain reservations, and only recognized it “with Restrictions”. Each manufacturer must therefore assess compliance with the listed restrictions, to determine whether self-declaration is possible or if the conformity assessment must be conducted by a Notified Body and additional risk assessment is required.
How Nordic can support
Nordic’s approach, based on the Arm Platform Security Architecture (PSA) Framework, ensures that essential concepts such as secure by design and secure by default are implemented, and that key activities, like definition of the Product Security Objectives and Threat Modelling, are performed along the whole product development process.
You can learn more about Nordic’s security features in our Nordic platform security whitepaper.
Additionally, we are working with external Labs to identify a path for customers to leverage Nordic’s product security certifications (PSA certified, SESIP or EN 18031). It will help fast-track the demonstration of compliance for customers’ end-products when using Nordic reference designs and building an evidence package.
Nordic also implements various supply chain control mechanisms that are part of the company's Vulnerability Management strategy:
- Software Bill of Materials (SBOM) tooling - available to customers from our nRF Connect SDK
- Security vulnerabilities disclosure portal
- A Product Security Incident Response Team (PSIRT) supports the vulnerability management process from report analysis to disclosure and communication
- Nordic sponsors a Bug Bounty Program