RAKwireless and the RED and CRA Compliance in 2025

Our Commitment to Compliance and Secure Connectivity as a Leader in the IoT Space

Why Are So Many Customers Asking about Radio Equipment Directive (RED) and Cybersecurity Now?

In today’s increasingly connected world, regulatory compliance is no longer a back-office concern; it’s a central topic in every customer conversation. For companies operating in the EU, CE marking is a mandatory certification that indicates conformity with essential product safety, health, and environmental protection requirements.

Among the various CE directives, RED governs all radio and wireless-enabled products. Traditionally, RED required products to meet four main categories of compliance:

  • RF – Radio Frequency performance
  • EMC – Electromagnetic compatibility
  • SAFETY – Electrical and physical safety
  • HEALTH – Protection from harmful exposure

However, starting August 1, 2025, RED will expand to include a fifth pillar: Cybersecurity. This change, brought in under Articles 3(3)(d), (e), and (f) of the Directive, marks a significant regulatory shift. This means connected devices, particularly IoT and gateway products, must now also incorporate cybersecurity by design to protect networks, secure user data, and prevent misuse.

RAKwireless has observed a significant increase in customer and partner inquiries regarding these requirements. For example:

One long-time customer has requested clarification on RAK’s compliance status with the new EU Radio Equipment Directive requirements (Articles 3.3(d)-(f))... Specifically, he needs confirmation regarding the compliance of RAK’s IoT and wireless devices with respect to network security, personal data protection, and fraud prevention.

And from another partner:

Another company is asking how the new RED cybersecurity regulations affect the RAK7289V2 Gateway we supply to them. The CE documents we currently have are from 2022 — they need updated documentation or a declaration of conformity.

These examples illustrate a broader industry shift. With compliance deadlines fast approaching, partners need clarity and confidence that their suppliers are taking the necessary steps. This blog aims to provide that information.

RAKwireless’s Commitment and Progress toward RED Cybersecurity Compliance

RAKwireless has implemented measures to ensure full compliance with the EU RED cybersecurity requirements, which took effect on August 1st, 2025.

After extensive consultation with third-party certification bodies, we have completed a comprehensive assessment of our wireless products and gateway devices against the EN 18031 standard series. This confirms that RAKwireless products meet the cybersecurity requirements defined under Articles 3(3)(d), (e), and (f) of the RED Delegated Regulation.

As a result:

  • We are already issuing updated CE Declarations of Conformity (DoCs) that include compliance with RED’s cybersecurity scope.
  • We are now actively pursuing RED DA certification through an accredited Notified Body to further validate our compliance documentation. This certification process is expected to conclude by September 2025.

Here is a breakdown of our conformity approach by requirement:

  • Article 3(3)(d): Prevent harm to the network or misuse of network resources → Compliant with EN 18031-1
  • Article 3(3)(e): Ensure protection of personal, traffic, and location data → Compliant with EN 18031-2
  • Article 3(3)(f): Related to the transfer of money, monetary value, or virtual currency → Not applicable — RAKwireless gateways do not support financial transactions

Updated CE Declarations of Conformity (DoCs) and supporting technical files, covering all five dimensions of RED compliance (including cybersecurity), are available upon request for our key products, such as the WisGate Edge Pro RAK7289V2.

What About The Cyber Resilience Act (CRA)? Here’s Our View

Many customers are also asking about CRA — a new regulation that will significantly impact the design, assessment, and maintenance of connected hardware and software products in the European market.

Here’s an overview of the CRA and RAKwireless’s preparation:

  • The CRA officially entered into force in December 2024, establishing the first EU-wide legislation focused solely on the cybersecurity of digital products.
  • Mandatory enforcement begins in 2027, following a three-year transition period designed to give manufacturers time to align with the new rules.
  • Unlike older directives, the CRA is mandatory and applies to all connected products (hardware, software, or embedded systems) placed on the EU market.
  • It mandates "cybersecurity by design and by default," and requires lifecycle-wide processes such as:
    • Risk assessments
    • Secure development practices
    • Regular vulnerability testing
    • Incident reporting mechanisms
    • Documentation and traceability (e.g., Software Bill of Materials)

At the moment, official conformity assessment procedures have not been finalized. The European Commission is still in the process of:

  • Defining harmonized standards
  • Appointing Notified Bodies
  • Clarifying the scope of "critical" and "non-critical" product categories

So while CRA is in effect in principle, the specific compliance procedures are still being finalized.

RAKwireless’s Assessment and Strategy

Based on our current product portfolio and deployment scenarios, RAKwireless devices are expected to fall under the "non-critical" category. This classification may allow us to follow a self-assessment path for CRA compliance — rather than undergoing third-party certification — as long as we maintain the necessary technical evidence and documentation.

Still, we are not taking a wait-and-see approach.

RAKwireless is:

  • Closely tracking regulatory developments and participating in industry working groups.
  • Evaluating our product development and QA processes against anticipated CRA requirements.
  • Building internal frameworks and tools that will support structured compliance when enforcement begins.
  • Aligning our cybersecurity posture with the foundational principles of CRA today, not waiting until 2027.

We believe that being proactive now ensures both our readiness and our customers’ peace of mind in the years to come.

RAKwireless’s Cybersecurity Foundations Are Already in Place

While many companies are just beginning to assess what the CRA is, RAKwireless has already integrated its core principles into its daily operations and product development lifecycle.

From secure product design to post-deployment incident handling, our teams prioritize cybersecurity. This is not just for compliance but also for building customer trust in the IoT space.

How We Comply with CRA Even Before It’s Mandatory

Here are the key cybersecurity practices implemented by RAKwireless that directly align with CRA’s regulatory expectations:

  • Risk Assessment Processes
    Every new product or system deployment undergoes structured risk evaluation to identify potential vulnerabilities before they impact end users.
  • Secure-by-Design Engineering
    Security considerations are integrated from the earliest stages of product architecture, not as afterthoughts.
  • Regular Security Testing
    Our firmware and platforms are continuously tested for known vulnerabilities and common attack vectors.
  • Vulnerability Management & Response
    We maintain clear protocols for identifying, documenting, and remediating security issues across our fleet and infrastructure.
  • SBOM (Software Bill of Materials)
    We are developing and maintaining clear component traceability in our software stack to simplify compliance, response, and maintenance.
  • Audit-Ready Documentation
    All security controls, development decisions, and mitigation actions are recorded in structured and reviewable formats, enabling rapid audit response and transparency.

Certified Information Security Practices

To further support our cybersecurity framework, RAKwireless is certified under the ISO/IEC 27001:2013 standard for Information Security Management Systems (ISMS). This certification is audited annually by Lloyd’s Register Quality Assurance (LRQA), a reputable UK certification body.

This internationally recognized certification ensures that our internal processes, infrastructure, and third-party partnerships meet stringent information security benchmarks.

Compliance with GDPR Article 32

RAKwireless also aligns with Article 32 of the General Data Protection Regulation (GDPR), which mandates appropriate technical and organizational measures for securing personal data.

We take this responsibility seriously, especially in European deployments where customer data and privacy rights are paramount. Our controls ensure that:

  • Data is encrypted both at rest and in transit.
  • Access is restricted and auditable.
  • Configuration and monitoring data are protected across systems.

Gateway Security Is a Top Priority, And So Is Transparency

At RAKwireless, we understand that for our customers and partners, product compliance is only one part of the equation. Equally important is knowing how data is protected in practice, from the firmware running on our devices to the cloud infrastructure supporting your deployments.

Here’s how we safeguard data and infrastructure:

Secure Firmware and Over-The-Air (OTA) Update Practices

  • All RAK gateways support OTA firmware updates with regular security patching schedules to ensure a fast response to emerging threats.
  • Configuration data and system state are encrypted and stored securely on the device to prevent unauthorized access.

Data Security by Design

  • LoRaWAN data in transit is secured using industry-standard TLS 1.2 encryption, protecting the communication path between gateways and network servers.
  • All cloud-based data handled through our platforms, including WisDM, is protected by AES-256 server-side encryption managed by AWS.
  • WisDM does not store or log the payloads exchanged between gateways and end devices. User data remains proprietary.

Continuous Monitoring and Incident Readiness

  • Our global security team monitors infrastructure and cloud systems 24/7, supported by automated audit pipelines.
  • We maintain well-defined incident response procedures to ensure swift action in the rare event of a security breach or anomaly.

A Culture of Security, Not Just a Checklist

At RAKwireless, we don’t treat compliance as a mere checklist item. Cybersecurity is built into our product thinking from day one. It shapes our design, testing, and support processes for all products.

Our approach is:

  • Proactive: We build secure systems before regulations require them
  • Transparent: We share compliance progress openly with our customers and partners
  • Accountable: We update our Declarations of Conformity and product certifications regularly

As we continue advancing our cybersecurity roadmap, we welcome collaboration and dialogue. If you're a distributor, systems integrator, or end customer and want more detailed documentation or compliance support, our team is available to assist.

Because in this evolving regulatory landscape, trust and readiness are paramount, and we’re committed to both.