RAKwireless Commitment to RED Compliance 2025 and CRA Compliance

In today’s increasingly connected world, regulatory compliance is a central topic in every customer conversation and is no longer a back-office concern. Consumers are now mindful not just of what a product can do, but also whether it meets essential safety and cybersecurity standards outlined in the Radio Equipment Directive cybersecurity Delegated Regulation as well as CRA compliance standards. At RAKwireless, we acted early to guarantee that our IoT solutions meet all aspects of RED compliance 2025 long before it became mandatory. 

Traditionally, RED required products to meet four main categories of compliance:

• RF – Radio Frequency performance
• EMD – Electromagnetic compatibility
• SAFETY – Electrical and physical safety
• HEALTH – Protection from harmful exposure

As of August 1, 2025, RED now includes a fifth pillar, Cybersecurity. Therefore, we completed a full technical assessment of our wireless products and gateway devices against the EN 18031 certification standards. This assessment confirmed that RAKwireless fully meets the RED compliance 2025 standards outlined in the RED Delegated Regulation. 

Here is a breakdown of our conformity status by requirement:

Following this confirmation, we began issuing updated EU CE Marking Declarations of Conformity (DoCs) that reflect our full compliance, including cybersecurity. Our most in-demand products, such as the RAK7289V2 Gateway, now carry refreshed technical documentation and DoCs available upon request.

To further strengthen our compliance, we are also pursuing RED DA certification through an accredited Notified Body, which we expect to complete by September 2025.

The Cyber Resilience Act (CRA) Compliance

Many of our clients are also asking about the Cyber Resilience Act (CRA). CRA is another key regulation that introduces mandatory cybersecurity rules for digital products. This includes wireless devices, wired-connected products, standalone software, and parts like processors sold within the EU. Although mandatory CRA compliance enforcement begins in 2027, the emphasis on built-in IoT security is clear.

We have reviewed our portfolio and expect our devices to fall under the “non-critical” category. This classification may allow us to assess our own compliance with the CRA, rather than having to obtain certification from an external organization. However, we are not waiting. Our teams are already following updated steps in product development and quality checks to meet the requirements of CRA compliance.

We actively engage with EU regulatory discussions and monitor updates on harmonized standards and conformity procedures. RAK has already established strong internal systems that will quickly align with CRA requirements once enforcement starts.

RAKwireless has also embedded cybersecurity practices in every stage of its product lifecycle. We prioritize IoT security standards from the very first idea of a product to the moment it reaches customers and even after that. Each device goes through careful checks to make sure it can resist attacks and keep data safe. Our approach to cybersecurity is implemented in these measures:

• Conducting structured risk assessments before product release.
• Applying secure-by-design principles in architecture and engineering.
• Performing regular vulnerability testing.
• Maintaining incident response protocols.
• Documenting Software Bill of Materials (SBOMs).
• Keeping audit-ready records of all development and security actions.

We also maintain ISO 27001 ISMS certification under ISO/IEC 27001:2013. This is verified annually by Lloyd's Register Quality Assurance (LRQA) to ensure our information security management systems meet global standards. This certification confirms that our internal processes, infrastructure, and third-party partnerships meet strict information security benchmarks.

In addition, we uphold GDPR Article 32 compliance standards to protect customer data. We use strong access controls and encryption to keep data safe while it’s being transferred and when it’s stored.

IoT Gateway Security Guides Our Strategy

Security at RAKwireless doesn’t stop with compliance checklists. It extends to the device firmware, cloud infrastructure, design updates, and support systems.

• We deliver Over-The-Air (OTA) firmware updates across all RAK gateways with regular security patching schedules. This helps us react quickly to new threats.
• Configuration data and system state are encrypted and stored securely on the device to block unauthorized access.
• LoRaWAN security ensures that data in transit is protected via industry standard TLS 1.2 encryption. This protects the communication path between gateways and network servers.
• All cloud-based data handled through our platforms, including WisDM, is protected by AES-256 encryption on AWS servers. This ensures strong WisDM data protection for critical IoT data.
• WisDM does not store or log payloads exchanged between gateways and end devices. Your data remains yours, end-to-end.

Our global security team monitors all systems in real-time and stands ready with structured incident protocols to act immediately when needed.

Advanced Security Beyond RED Compliance 2025

At RAKwireless, we see security as a shared responsibility and a strategic advantage. Cybersecurity is built into our product development from day one. We design for it, test for it, and remain accountable to it. This is not because the regulations say so, but because it is the right thing to do.

RAKwireless will continue to update documentation and certifications to maintain RED Compliance 2025 and CRA Compliance as the legal framework develops. If you need formal documentation or compliance reports, we are here to assist.

When you build with care, compliance follows and trust stays. 
That is why we go beyond regulatory adherence.

Ken Yu

CEO, RAKwireless