Oil meters, energy meters, water meters, Internet-of-Things and smart metering

New radio directive that also affects utilities, HVAC, sub metering, real estate - What applies from August 1, 2025?

EU directive

Stockholm, August 10, 2025 – The EU has decided on new rules for radio communications, EU-owned frequencies and mobile frequencies such as wireless M-bus, LoRaWAN mesh and Mioty. These are far-reaching requirements regarding security and other aspects. The aim is to protect the population, but how will our industries be affected?

On 1 August 2025, a new supplementary regulation (Delegated Regulation (EU) 2022/30) to the Radio Equipment Directive (RED; 2014/53/EU) came into force, which means that several categories of radio equipment must meet new cybersecurity requirements in order to receive the CE marking when sold within the EU.

Let’s find out what applies.

History

The intentions have been good. The EU has gradually introduced rules to ensure our privacy. As early as 1999, rules were introduced (R&TTE Directive 1999/5/EC) that dealt with safety, EMC and efficient use of radio spectrum.

In 2014, a completely new regulatory system was introduced through the RED Directive (2014/53/EU). It applies to all radio and wireless communication equipment, including Bluetooth, Wi-Fi, wireless M-bus, LoRa and LTE devices. Its scope was expanded to cover:

  • Electromagnetic compatibility (EMC)
  • User safety
  • Efficient spectrum use
  • Protection of networks and against harmful interference
  • Harmonization across the EU

During 2016–2020, cybersecurity was debated, leading to the additional rules in Delegated Regulation (EU) 2022/30, which include requirements for:

  • Network security (d)
  • Data protection and privacy (e)
  • Fraud protection (f)

The new rules from 2025-08-01 harmonize the standards as follows.

What do the new rules that we must follow look like?

Below is the formal text. Scroll down to the summary for easier reading.

Application of Articles 3.3(d), (e) and (f) of the RED:

  • Article 3.3(d) – Network integrity:
    Devices must not negatively impact the functioning of the network or misuse resources, e.g. by causing congestion or DDoS attacks.
  • Article 3.3(e) – Protection of personal data and privacy:
    Radio devices must protect the data and privacy of users/individuals through technical security measures (encryption, minimized data collection, etc.).
  • Article 3.3(f) – Protection against fraud:
    Devices handling virtual payments or monetary data require features such as secure boot firmware, authentication and protection against spoofing/counterfeiting.

Harmonized standards EN18031:

Three standards published in early 2025 and harmonized by the EU:

  • EN18031-1: network security (3.3(d))
  • EN18031-2: protection of personal, traffic and location data (3.3(e))
  • EN18031-3: fraud protection in monetary/virtual transactions (3.3(f))

Applying these standards normally provides a presumption of conformity – i.e. a way to demonstrate that the product complies with the RED requirements.

Scope:

  • Applies to all radio devices placed on the EU market from 1 August 2025 – regardless of when the product itself was designed or type-approved.
  • Internet-connected devices are covered by all three requirements (d, e, f).
  • Non-Internet-connected devices may be exempted from (e) and (f), but (d) may still apply when interacting with other network resources.
  • Examples: wearables, baby monitors, Internet-IoT modules – even if they are not connected, they may require (e) if they handle personal or traffic data.

Consequences of non-compliance:

  • If a product does not meet the new requirements, it will not be CE marked and may therefore not be sold or used in the EU.
  • Penalties may include recalls, market bans, financial fines and in serious cases even legal sanctions.

How are products affected by this?

Products must therefore meet the new requirements in order to be sold within the EU. Violations may lead to a ban on trading. The self-assessment options and requirements for manufacturers/suppliers are described below.

Manufacturer options:

  • Self-declaration according to the EN18031 series
  • Certification via an accredited workshop, if self-declaration is not possible or if the conditions of the standard are not met.

Technical mechanisms involved (according to the EN18031 models):

  • Authentication and access controls
  • Encrypted communication and storage
  • Secure update mechanisms (OTA)
  • Network monitoring and traffic limitation
  • Resilience against various attacks, including DDoS
  • Secure management of cryptographic keys, logging and incident management.

What responsibility falls on installers/contractors?

As an installer, you are responsible for ensuring that the products comply with applicable regulations. Ask the suppliers about this.

Since it is more difficult to impose requirements on foreign companies, buying products from Swedish suppliers provides assurance, as they then bear the risks associated with not following the regulations.

Below we describe how to ensure that the products comply with the regulations.

Products manufactured before August 1, 2025 are not affected by the new regulations, even if they are sold later.

Note

Please note that products may contain radio communication even if you have not ordered this.

What does this mean for customers?

Customers who purchase equipment are responsible for ensuring that they do not purchase equipment that violates these rules. The directives are also for customer safety, so an easy way to increase your cybersecurity is to carefully specify the requirements for the delivery of new products.

Please note that the rules apply to both transmitters and receivers, i.e. sensors and gateways/concentrators/access points.

How do you know if the products are allowed?

Products must comply with EN18031-1, EN18031-2 and EN18031-3. See the supplier's website and/or data sheet.

At the time of writing (August 2025), the majority of European manufacturers are approved, but almost none from China or other non-European countries are.

Summary

From 1 August 2025, all radio and wireless devices launched on the EU market must comply with these requirements – otherwise, the CE marking and market access will be lost. By following the EN18031 series of standards, manufacturers can demonstrate compliance and continue to sell legally within the EU. Confirm compliance via technical documentation or, if necessary, third-party certification from a certified body.

| New requirement category | What the requirement means | Relevant standards |
|---|---|---|
| 3.3 (d) Network | The device must not harm or burden networks | EN 18031‑1 |
| 3.3 (e) Integrity | Protection of personal, traffic or location data | EN 18031‑2 |
| 3.3 (f) Fraud protection | Protection of monetary transactions or virtual currency | EN 18031‑3 |

For more information or in-depth information – just get in touch!

Contact: Karl-Johan Hultman

Phone: +468-501 676 76

www.ambiductor.se

About Ambiductor

Ambiductor is a Swedish technology company specializing in smart meters and IoT solutions for the energy and water sectors. With a focus on innovation, openness and sustainability, the company delivers products and services to municipalities, property owners and installers across Sweden.
