Cybersecurity analysis for a sanitary product in accordance with the Radio Equipment Directive

Hardware Information Security

A manufacturer of sanitary products commissioned SCS to carry out a gap analysis for a radio-networked product. The cybersecurity extension of the Radio Equipment Directive (RED), specified in EN18031, has been in force since August 2025 and applies to all radio-networked products.

  • Initial situation

    According to RED, the manufacturer's embedded device for sanitary products with a radio interface is considered a "radio system connected to the Internet". It processes personal data and is therefore subject to the EN18031-1 and EN18031-2 standards.

  • SCS solution

    SCS worked with the customer to create a structured analysis in accordance with EN18031, the cybersecurity requirements of the RED. This included a risk analysis, a review of the security mechanisms and an assessment of functional sufficiency.

  • Added value

    Thanks to the analysis, the customer quickly gained a precise overview of their situation with regard to the new requirements and was able to make concrete decisions for the next steps.

Cybersecurity for radio equipment

In August 2025, the extension in the area of cybersecurity for the Radio Equipment Directive (RED or Directive 2014/53/EU) came into force. It applies to all products that are offered on the Swiss or European market. The requirements are described precisely and in a structured manner in the new EN18031 standard. They apply to all devices with radio interfaces, including devices in industry and particularly in building technology. The latter were not previously covered by any cybersecurity standard.

Testing an existing product

SCS tested a product for the manufacturer in the sanitary sector to determine whether it fulfils the new cybersecurity requirements. It was an embedded device with several interfaces, including a wireless interface. According to RED, the device therefore falls under the category of “radio equipment connected to the Internet” and is subject to the new EN18031 cybersecurity requirements.

Structured analysis

SCS carried out the review using predefined templates (SCS tools) in collaboration with the customer and its development partner. EN18031 is divided into three areas:

  • EN18031-1 – Network protection
  • EN18031-2 – Data protection & personal data
  • EN18031-3 – Fraud protection

Network and data protection had to be taken into account for this product. The applicable standards EN18031-1 and EN18031-2 are in turn well structured into individual mechanisms such as access control, authentication or software updates. For each mechanism, a decision tree is defined that must be fulfilled. The following example shows the decision tree for the applicability of the access control mechanism ACM-1.

Radio Equipment Directive Decision making for ACM-1

Analysis according to EN18031

In a risk analysis, all assets worthy of protection were first systematically analysed and possible vulnerabilities listed in order to estimate and quantify the resulting risk. The security mechanisms of EN18031 were then reviewed and evaluated. For critical points, SCS incorporated suggestions on how security could be improved in order to design the product in compliance with the standard.

The final step was to assess functional sufficiency: whether the implementation is appropriate for the intended use in terms of cybersecurity. The customer was regularly informed about the status of the analysis and at the end received a detailed risk analysis with a list of all relevant mechanisms in accordance with EN18031, including justification and conceptual assessment.

The RED analysis included:

  • Clarifying which parts of the standard the device is subject to (EN18031-1, -2 or -3).
  • Holding a workshop with the customer and their R&D partner to gain an overview of the situation and identify assets.
  • Carrying out the risk analysis as prescribed in EN18031.
  • Checking the security mechanisms in accordance with EN18031.
  • Assessing functional sufficiency.

Good result

The results of the analysis were pleasing. Cybersecurity had always been a relevant topic for the customer and its R&D partner, and it was incorporated into the development of the device right from the start (security by design). Thanks to the analysis carried out, the customer received a precise overview of its situation with regard to the new requirements and was able to make concrete decisions for the next steps.

Further information on the Radio Equipment Directive and the Cyber Resilience Act

If you want to assess one of your products with regard to the Radio Equipment Directive or the Cyber Resilience Act, you can do this in a first step with the SCS self-test. The experts at SCS will be happy to provide support for the next steps.
