Cyber Security & CE
Imagine this: You are selling smart products, such as Bluetooth power sockets, wearables or baby monitors, on Amazon. You have always focused on functionality, design, price, and logistics. But now, since the summer of 2025, something else has become mandatory in order to get access to the EU market: cyber security.
The EU is expanding the requirements for the CE marking by including mandatory safety regulations for connected devices. If you fail to prepare, you not only risk high costs for technical upgrades, you may even be denied access to the market.
If you are an Amazon seller listing products that include an app, cloud computing, or radio technology (Bluetooth, WLAN, etc.), these regulations affect you directly.
This blog post tells you about:
- the new statutory provisions
- which devices are subject to the regulations
- the requirements you have to fulfill, and
- the steps sellers should take
Ready? Let’s go.
Legal basis: RED Delegated Regulation (EU) 2022/30
Overview and objective
The Delegated Regulation (EU) 2022/30 supplements the existing Radio Equipment Directive (RED 2014/53/EU), implementing binding cyber security requirements for certain radio equipment.
Specifically, it refers to points (d), (e) and (f) of Article 3(3) RED:
- (d) equipment must not harm or misuse the network or its functioning
- (e) equipment must ensure that the personal data and privacy of the user are protected
- (f) equipment that supports payment features or virtual assets must ensure protection from fraud
These new requirements have been mandatory for devices being sold on the EU market since August 1, 2025.
But why?
The EU wants to make sure that connected products do not constitute a vulnerability, i.e., that they do not accidentally compromise networks or cause data leaks, and that they cannot be tampered with or misused. Furthermore, it wants to prevent such devices from being misused as part of a botnet, for the illegal collection of user data, or for large-scale attacks.
Transition & harmonized standards
In order to smooth the way for the transition, new harmonized standards have been introduced: the EN 18031 series (–1, –2, –3) to support the requirements in regard to security, data protection, and protection against fraud. If you comply with these standards, compliance with the requirements is presumed.
Please note: If you do not comply with these standards in their entirety, or if certain restrictions apply, a so-called Notified Body may be involved in the assessment of conformity.
Which products are affected?
The regulation does not cover every product, but a large and growing product class:
Devices with radio connection
All products equipped with radio modules that communicate with networks:
- WLAN, Bluetooth, Zigbee, LoRa, mobile telephony / NB-IoT, etc.
- Devices that are connected to the Internet, either directly or by way of a gateway or hub
Typical examples include:
- smart sockets and relays
- smart watches, fitness trackers, wearables
- baby monitors / monitoring devices
- smart doorbells, cameras, alarm systems
- IoT devices connected to an app or cloud
- toys with radio/Internet connection
Extended scope of application
Even if a device does not have radio equipment, but processes data or interacts with a cloud computing service, it may be affected—particularly if it is connected by way of an app, sensor system, or additional module. The Directive refers to “radio equipment” connected to the Internet.
In addition, special requirements apply if devices process personal data, traffic data or location data, or support payment functions / virtual currency.
Details of the new requirements
The following list of the key requirements gives you an overview of the exact specifications:
a) Network protection / preventing harm to the network
Your device must not disrupt or endanger the network or misuse resources. Examples:
- no denial-of-service (DoS) attacks
- no flooding of the network
- efficient use of the bandwidth
- protection against unauthorized routing or rerouting
b) Data protection and privacy
If your product processes personal data, traffic data or location data, you have to ensure:
- encryption of data for transfer and storage
- strong authentication (e.g., no standard passwords)
- minimization of access to data (need-to-know basis)
- transparency and user control
c) Protection against fraud
In the case of devices with a payment function or virtual assets, you have to ensure:
- safeguarding of transactions
- mechanisms to prevent manipulation
- protection against unauthorized access to payment functions
d) Update and patch management
An important detail: Your product must be able to safely receive and apply updates:
- safe update processes (e.g., signed firmware)
- rollback / emergency update mechanisms
- regular security patches throughout the product’s lifespan
e) Documentation and certification obligations
- Technical documentation including all security measures
- Risk analysis and security concept
- Test reports, tests and certificates
- Declaration of conformity confirming that all the requirements have been fulfilled
- Revision history, change logs, update logs
What does this mean for you as an Amazon seller?
If you are selling products that fall within the scope of application, you need to make some changes:
a) CE marking with cyber security certificate only
Since August 1, 2025, you are no longer allowed to affix the CE marking to your products “just like that”. You have to prove that they also comply with the new cyber requirements. Without such proof, you risk being rejected by market surveillance or even Amazon itself.
You can find more information about the CE marking in our blog posts CE Marking Part 1 & CE Marking Part 2.
b) Update of technical documentation
You need to update your technical documentation to include:
- security architecture
- risk assessments
- tests / test reports
- revision and update management
- certificates regarding encryption, authentication, etc.
If your documentation is incomplete, you could get in trouble in the case of an audit.
c) Closer cooperation with manufacturers and labs
If you act as a seller, you have to ensure that your products and the manufacturers comply with these requirements, and provide corresponding security certificates. Furthermore, you have to choose test labs with cyber security expertise in addition to radio equipment, EMC, etc.
This blog post provides an overview of the issue of lab tests: Lab tests & certificates: The great overview
d) Amazon, marketplace guidelines & risk
Amazon can block or even delete your products if the CE marking is incorrect or the certificate of conformity is missing. The market surveillance authorities also have new powers. The manufacturer bears full responsibility.
e) Life cycle monitoring
You have to guarantee that you will provide patches and updates after the product is sold. If vulnerabilities are discovered, you have to be able to react, both on the technical level and in regard to the documentation.
Implementation: How to make your products CE-ready and safe
Here is a handy to-do list to help you prepare:
1. Contact your suppliers and developers
- Advise them of the RED cyber requirements
- Demand security functions from the start
- Include safety standards in the development process
2. Check firmware updates
- Make sure that firmware updates are enabled on your devices
- Use signed firmware, secure channels, rollback mechanisms
- Keep a revision history and logs
3. Document security functions
- Encryption, authentication, access control
- Logging & event logs
- Minimize vulnerabilities (ports, open interfaces)
- Surveillance and defense mechanisms
4. Choose test labs with cyber security expertise
- Choose labs with specific expertise in the field of cyber security testing, not only radio/EMC
- Cooperate with a lab technician to clarify the requirements from the start
- Request test reports, penetration tests, risk assessments
5. Use the standard presumption of conformity
If you comply with the harmonized standards (EN 18031-1, -2, -3), conformity is presumed, which simplifies many test processes.
6. Ensure long-term updates & maintenance
- Plan for a long-term support and update schedule
- Provide for processes to identify and patch vulnerabilities
- Clearly notify users of updates & safety measures
7. Risk management and insurance
- Conduct risk assessments according to best practices
- Check that your product liability insurance covers damage caused by cyber attacks
- Keep records of all safety measures as proof
Conclusion
Since mid-2025, cyber security has no longer been optional, but a mandatory part of the CE marking for many connected devices. For you as an Amazon seller, this means: You need to act now. Security cannot be the manufacturer’s sole technical responsibility; you as a seller have a responsibility, too. Being prepared means protecting not only your customers and data, but your market position as well.
Make the necessary calls, start the documentation, and select your partners today, and you will be ready for the future. If you are acting on the market without the requisite certificates after August 1, 2025, you may well get into trouble sooner or later.
Ergo: Put cyber security at the top of your agenda and make your smart product CE-ready.
Who wrote this article?
As an author, Christina fills the blog section of our website with exciting and informative articles, so that our readers can always take care of product compliance in their company in the most well-informed way.
