RED-DA requirements for critical cloud components #15

Jesuqq · 2025-11-04T11:00:06Z

Jesuqq
Nov 4, 2025

Hi!
We are trying to understand the effect of RED-DA on critical cloud components tightly coupled to the equipment with internet connected radio.

COMMISSION DELEGATED REGULATION (EU) 2022/30, recital 8 states:

Directive 2014/53/EU applies to products that meet the definition of ‘radio equipment’ in Article 2 of that Directive,
subject to specific exclusions specified in Article 1(2) and Article 1(3) of that Directive. Whilst the definition of radio
equipment in Article 2 of Directive 2014/53/EU refers to equipment that can communicate with radio waves, no
requirements of Directive 2014/53/EU make a distinction between the radio and non-radio functions of the radio
equipment and therefore all aspects and parts of the equipment should comply with the essential requirements
provided for in this delegated regulation.

This wording "all aspects and parts of the equipment" makes us think that cloud components, and other systems that are critical for the radio equipment to work (such as device identity management system, OTA update servers, remote connection backend, etc.) should be considered as part of RED-DA requirements. We would draw the line to systems that can be swapped at the backend, and exclude components such as IoT database or other generic cloud components, but include critical components that are required for the equipment to operate in the first place.

What do you think, and can you help us better understand where the RED-DA obligations end in terms of cloud components and other critical infrastructure?

Answered by zealience

Nov 5, 2025

Hi @Jesuqq !

Thanks for your question.

Regarding the text "no requirements of Directive 2014/53/EU make a distinction between the radio and non-radio functions of the radio equipment and therefore all aspects and parts of the equipment should comply with the essential requirements": Our interpretation is that, if your equipment is in scope of the RED, the essential requirements apply to all parts of the equipment regardless of the parts being "radio" or not. In the context of the RED DA, this means that the requirements of EN 18031 apply to the equipment as a whole. For example, the requirements on secure communication of assets (SCM) apply to any type of interfaces, whether wireless or n…

View full answer

zealience · 2025-11-05T14:43:27Z

zealience
Nov 5, 2025
Maintainer

Hi @Jesuqq !

Thanks for your question.

Regarding the text "no requirements of Directive 2014/53/EU make a distinction between the radio and non-radio functions of the radio equipment and therefore all aspects and parts of the equipment should comply with the essential requirements": Our interpretation is that, if your equipment is in scope of the RED, the essential requirements apply to all parts of the equipment regardless of the parts being "radio" or not. In the context of the RED DA, this means that the requirements of EN 18031 apply to the equipment as a whole. For example, the requirements on secure communication of assets (SCM) apply to any type of interfaces, whether wireless or not. Some of our customers ask whether they should document non-wireless interfaces such as Ethernet. In this light, the answer is always yes.

The scopes of the RED and RED DA are slightly different.

In the context of the RED, radio equipment are in scope (as stated in the excerpt you provided: "Directive 2014/53/EU applies to products that meet the definition of ‘radio equipment’ in Article 2").
In the context of the RED DA which "activated" 3 essential requirements of the RED, namely Article 3(3)(d), (e) and (f), radio equipment having certain characteristics are in scope and would have to fulfil one or more of these essential requirements. I like to summarize these characteristics as below. For example, if your radio equipment is Internet-connected and processes personal data, it has to fulfil (d) and (e).

Internet-connected	Intended for childcare, or toy, or wearable	processes personal data, or traffic data and location data	can transfer money or virtual currency	Essential requirements to meet
X				(d)
	X			(e)
X		X		(d)(e)
X		X	X	(d)(e)(f)

Note on what constitutes "Internet connected": We like to refer to the definition of the TIC Council (industry association of the Testing, Inspection and Certification sector) provided in their position paper.

Regarding the critical systems you mentioned like cloud components, they are simply not in scope of the RED DA. Demonstrating RED DA compliance is to be done per radio equipment. Therefore you do not have to also demonstrate compliance for the cloud backend used (which is likely a server sitting in a data center, not even a radio equipment itself in the first place). And even if it was, the demonstration of its compliance should be done by its manufacturer (which, I assume, is not you).

If you apply EN 18031 to demonstrate compliance with the RED DA, you have to make sure that your equipment communicates assets securely to the other systems (regardless of being cloud-based or not). Maybe my reply of yesterday regarding SCM-1 can shed some light on the standards' expectations for SCM. Regarding the OTA update servers, you will need to demonstrate that the update mechanism(s) on the equipment are secure, which may involve the documentation of some information of those update servers (eg, how updates are distributed, how they allow for automatic update, ...). But again, the servers themselves are not in scope of the RED DA.

PS: The situation will be different under the CRA, which covers products with digital elements and their integrated remote data processing solution. See (11) in the CRA: "Such remote data processing solutions should be defined as data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer of the product with digital elements concerned, the absence of which would prevent the product with digital elements from performing one of its functions. That approach ensures that such products are adequately secured in their entirety by their manufacturers, irrespective of whether data is processed or stored locally on the user’s device or remotely by the manufacturer. At the same time, processing or storage at a distance falls within the scope of this Regulation only in so far as it is necessary for a product with digital elements to perform its functions. Such processing or storage at a distance includes the situation where a mobile application requires access to an application programming interface or to a database provided by means of a service developed by the manufacturer. In such a case, the service falls within the scope of this Regulation as a remote data processing solution."

The EC should publish guidance on the topic of remote data processing solution (Art. 26.2(a)) sometime soon.

I hope this helps. Do not hesitate if you have further questions or comments!

Guillaume

3 replies

Jesuqq Nov 6, 2025
Author

Thank you for your thorough answer, @zealience — it has clarified several implications RED-DA sets on our work. I’d like to ask a follow-up regarding documentation needs and shared responsibilities between us and our customers.

Our business model in brief:

We provide software development services for IIoT projects. These projects almost always include a gateway device with Internet-connected radio, but the devices and final products are owned and marketed by our customers. We do not manufacture or place equipment on the market.
We maintain a software library suite (“product family”) that customers can use in their IoT projects. These are software-only; we provide no hardware.
One library targets gateway devices, providing basic functionalities such as remote command, remote maintenance tunnel, IoT data pipeline, and an empty web server framework. Customers usually build and deploy their own web management applications on top of this.

My questions:

Our understanding is that the ultimate RED-DA compliance responsibility lies with our customers, since they are the manufacturers placing the final products on the market. We intend to support them by providing internal gap assessments and documentation for our software libraries, as well as by training our staff to assist in conformity efforts.
Should we follow EN 18031-1 or similar documentation standards in our software development processes? Our interpretation is that, because we provide software-only components and no hardware, our libraries fall outside the direct scope of RED-DA, making compliance obligations mainly our customers’ responsibility.

Is this reasoning correct, or should we expect broader compliance responsibilities under RED-DA?

If you want, I can create a separate discussion for this topic.

zealience Nov 12, 2025
Maintainer

Hello @Jesuqq ,

Thanks for your explanations. Your reasoning is correct. To elaborate on your two points:

Yes, the compliance responsibility lies with your customers as they are the manufacturers. We can find more info in the EU Blue Guide, Section 3.1 Manufacturer. In particular in your case:

"The manufacturer is any natural or legal person who is responsible for designing or manufacturing a product and places it
on the market under his own name or trademark. The definition contains two cumulative conditions: the person has to
manufacture (or have a product manufactured) and to market the product under his own name or trademark. So, if the
product is marketed under another person’s name or trademark, this person will be considered as the manufacturer."
"The manufacturer has ultimate responsibility for the conformity of the product to the applicable Union harmonisation
legislation, whether he designed and manufactured the product himself or is considered as a manufacturer because the
product is placed on the market under his name or trademark."

Technically you are not forced to follow EN 18031, however, from a business perspective, it makes a lot of sense to do so. Your software components and libraries are indeed not in scope of the RED DA, yet your customers will very likely ask you for your documentation since they need it to assemble theirs (since they are responsible as a manufacturer). I imagine that there are many elements of your software which must be documented (various assets, security mechanisms like communication mechanisms, ...).

It can be a competitive edge for you to provide your customers with your information in a way they can leverage it easily for their own EN 18031 technical documentation. This is exactly the feature we just released in our Z-CMS v2.11.0: Import/Export of technical documentation across supply chain.

With Z-CMS, you can:

Input all your software/libraries info
Get instant feedback on compliance (automatic gap assessment)
Generate an export file and send it to your customers

Your customers can then import it into their instance of Z-CMS and get a head-start by leveraging all your info.

Do not hesitate to contact us at info@zealience.com if you'd like to discuss this further.
Guillaume

Jesuqq Nov 12, 2025
Author

Thank you for your thorough answers @zealience ! This discussion has proved to be a great source when trying to understand the implications RED-DA has on our business.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RED-DA requirements for critical cloud components #15

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

RED-DA requirements for critical cloud components #15

Uh oh!

Jesuqq Nov 4, 2025

Replies: 1 comment · 3 replies

Uh oh!

zealience Nov 5, 2025 Maintainer

Uh oh!

Uh oh!

Jesuqq Nov 6, 2025 Author

Uh oh!

zealience Nov 12, 2025 Maintainer

Uh oh!

Jesuqq Nov 12, 2025 Author

Jesuqq
Nov 4, 2025

Replies: 1 comment 3 replies

zealience
Nov 5, 2025
Maintainer

Jesuqq Nov 6, 2025
Author

zealience Nov 12, 2025
Maintainer

Jesuqq Nov 12, 2025
Author