1. Disclaimer
• This information, associated with all ST deliverables such as these questions and answers, is an attempt to interpret the current status of the RED regulation and its impact. It helps our customers prepare for future compliance requirements.
• This is not a legal view of the regulations
• Some of these interpretations may vary and may change over time
• Industry standards bodies and consortiums are actively working on clarifying applicability and conformance
• All information and links are subject to changes
2. What are the application dates of RED cybersecurity?
The application date of RED is 1st August 2025.
3. How do I know if my product is impacted?
According to RED Delegated Act 2022/30:
- RED Article 3.3(d) – to ensure network protection – applies to radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment (internet-connected radio equipment).
- RED Article 3.3(e) – to ensure safeguards for the protection of personal data and privacy – applies to:
  - internet-connected radio equipment other than that referred to in points b), c) or d);
  - radio equipment designed or intended exclusively for childcare;
  - radio equipment falling under the Toys Directive (2009/48/EC);
  - radio equipment designed or intended, whether exclusively or not exclusively, to be worn on, strapped to, or hung from the body or clothing worn by human beings (wearables).
- RED Article 3.3(f) – to ensure protection from fraud – applies to:
  - internet-connected radio equipment, if that equipment enables the holder or user to transfer money, monetary value or virtual currency.
Some exemptions are listed:
- Medical devices: full exemption of medical devices under Regulation (EU) 2017/745 and (EU) 2017/746
- Civil aviation: partial exemption (exempt from 3.3(e) and 3.3(f) only; 3.3(d) still applies)
- Motor vehicles: partial exemption (exempt from 3.3(e) and 3.3(f) only; 3.3(d) still applies)
- Road toll systems: partial exemption (exempt from 3.3(e) and 3.3(f) only; 3.3(d) still applies)
If your device has an RF interface and is connected to the internet, then it may require RED cybersecurity conformance.
Source: RED Delegated Act 2022/30
4. Will STM32 products be RED cybersecurity certified?
STM32 products are composed of:
- STM32 ICs (standalone hardware devices)
  - Non-RF devices:
    - STM32 general purpose MCUs and MPUs without an RF interface
  - RF devices:
    - STM32WBx - Bluetooth devices
    - STM32WBAx - Bluetooth devices
    - STM32WB0x - Bluetooth devices
    - STM32WLx - Sub-Gigahertz devices
- STM32 RF modules
  - STM32WBxM - Bluetooth devices
  - STM32WBAxM - Bluetooth devices
  - STM32WB0xM - Bluetooth devices
  - STM32WLxM - Sub-Gigahertz devices
- STM32 RF evaluation boards (such as Nucleo boards or Discovery kits)
By nature, none of the STM32 ICs (general purpose or RF centric) embed an antenna or software to connect to the internet, and therefore they are not subject to RED compliance.
Modules or development and evaluation boards may be provided with an antenna and firmware, but not with a direct or indirect application connecting the module to the internet. Therefore, these modules and boards are not subject to RED cybersecurity compliance. Device manufacturers that connect these devices to the internet (for example via an application connection acting as a gateway) must ensure compliance with the RED cybersecurity requirements.
Nevertheless, ST has carried out several exercises to demonstrate potential RED cybersecurity compliance:
- An exercise on an IC, the STM32WB0x, resulting in a publicly available attestation of conformity (AoC)
- An exercise on a full Nucleo board, the NUCLEO-WBA55CG, allowing ST to claim a public EU-TYPE EXAMINATION CERTIFICATE (EU-TEC) - identification number: 79389RNB.001A1
5. How can I know exactly whether my product is concerned by RED?
Our advice is to contact one of the RED notified bodies.
6. I developed a product many years ago, am I impacted?
Products produced or imported within Europe after 1st August 2025 are impacted. Therefore, we believe that legacy products are impacted.
7. Do I need CE marking on my device and if yes how?
Yes. Products bear the CE marking to indicate that they comply with the RED.
See: CE marking guidance and EUR-Lex document 52022XC0629(04) (EN)
8. Will STM32 devices have CE marking explicitly for RED?
Only STM32 RF modules and boards will be CE marked. However, this will not include the cybersecurity requirements.
9. Can I get fined if my product is not compliant to RED?
Yes, but the penalties are not detailed in the regulation texts.
10. Will STM32 provide SBOM for software packages?
Yes. STM32Cube packages will be delivered with an SBOM in CycloneDX format. The process of exposing the SBOM publicly in the STM32Cube packages has started and will over time be extended to most packages as they are updated.
The SBOM delivery policy is aligned with the STM32Cube package policy.
Other formats such as SPDX are not provided by ST, but multiple commercial and open-source converters are publicly available.
11. Where will I find STM32Cube SBOMs?
The SBOM is delivered within the STM32Cube packages or on the GitHub page. For example, STM32CubeWBA has it in its main directory as the file “sbom_cdx.json”.
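The sbom_cdx.json file described above is a CycloneDX JSON document, and the practical value of an SBOM for RED conformance work is that it can be consumed by tooling rather than read by hand. The following is an added example (not ST's code, and the SBOM content and advisory entries in it are constructed for illustration, not taken from any STM32Cube package or advisory feed): it loads a CycloneDX document, lists its components, flags components that carry no version (which cannot be matched against advisories), and cross-references the rest against a small advisory list of the kind a team would keep after reviewing PSIRT, EUVD or NVD entries. The component names, purls and advisory identifiers are hypothetical.

```python
import json

# Constructed CycloneDX JSON document in the shape of an "sbom_cdx.json" file.
# Built for this example; it is not ST's actual SBOM content.
SAMPLE_SBOM_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {"type": "firmware", "name": "example-cube-package", "version": "1.0.0"}
    },
    "components": [
        {"type": "library", "name": "example-ble-stack", "version": "2.3.1",
         "purl": "pkg:generic/example-ble-stack@2.3.1"},
        {"type": "library", "name": "example-crypto-lib", "version": "4.1.0",
         "purl": "pkg:generic/example-crypto-lib@4.1.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        # Deliberately unversioned: an SBOM consumer must notice this gap.
        {"type": "library", "name": "example-tls", "purl": "pkg:generic/example-tls"},
    ],
})

# Constructed advisory list (hypothetical identifiers, not real advisories):
# the shape a team might maintain after reading PSIRT / EUVD / NVD entries.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-crypto-lib",
     "affected": ["4.0.0", "4.1.0"], "fixed": "4.1.1"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-ble-stack",
     "affected": ["2.2.0"], "fixed": "2.3.0"},
]


def load_cyclonedx(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def list_components(bom):
    """Return (name, version-or-None, purl-or-None) for every component."""
    return [(c.get("name"), c.get("version"), c.get("purl"))
            for c in bom.get("components", [])]


def unversioned_components(bom):
    """Names of components without a version: they cannot be matched to advisories."""
    return [c.get("name") for c in bom.get("components", []) if not c.get("version")]


def match_advisories(bom, advisories):
    """Cross-reference components against advisories by exact name and version.

    Returns a list of (component name, version, advisory id) tuples.
    """
    hits = []
    for comp in bom.get("components", []):
        for adv in advisories:
            if comp.get("name") == adv["name"] and comp.get("version") in adv["affected"]:
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def sbom_report(text, advisories):
    """Summarise an SBOM: spec version, component count, gaps and advisory hits."""
    bom = load_cyclonedx(text)
    return {
        "spec_version": bom.get("specVersion"),
        "component_count": len(bom.get("components", [])),
        "unversioned": unversioned_components(bom),
        "advisory_hits": match_advisories(bom, advisories),
    }


if __name__ == "__main__":
    report = sbom_report(SAMPLE_SBOM_CDX, SAMPLE_ADVISORIES)
    print("CycloneDX spec version:", report["spec_version"])
    for name, version, purl in list_components(load_cyclonedx(SAMPLE_SBOM_CDX)):
        print(f"  {name} {version or '<no version>'} {purl or ''}")
    print("Components without a version:", report["unversioned"])
    print("Advisory hits:", report["advisory_hits"])
```

Matching here is by exact name and version string, which is what a hand-kept advisory list supports; a production pipeline would match on the purl against a vulnerability database and handle version ranges, but the unversioned-component check is the one most often skipped and is exactly what makes an SBOM unusable for conformance evidence.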
12. Can STSAFE help for RED & compliance?
Yes. STSAFE secure elements can help ease RED compliance for product developers, thanks to several countermeasures against security vulnerabilities:
- STSAFE-A comes pre-loaded with secrets and an X.509 certificate, allowing the device to perform device authentication and attestation operations
- Protected against on-chip attacks with best-in-class security countermeasures
  - Loaded at ST inside a certified manufacturing site
  - Personalization of the STSAFE at ST, in a secured and certified manufacturing site
- STSAFE provides best-in-class mitigation against:
  - Attacks on devices in the field to clone device IDs
  - Leakage of device IDs and credentials at manufacturing and configuration
- STSAFE eases product conformity assessment:
  - STSAFE-A is Common Criteria certified (CC EAL5+, AVA_VAN.5)
  - This certification can be referred to by device makers assessing the certification compliance of their products
Please refer to the ST secure MCU webpage.
13. Can I use legacy STM32 for my new devices?
Yes. ST does not expect legacy STM32 devices to be blocked by RED. However, a clear application risk assessment must be done to understand the security functions the application requires, and to check whether the functions provided by each STM32 allow those requirements to be fulfilled. If not, STM32 devices with the proper security functionalities are available to replace them.
14. Does ST provide vulnerability information for ICs and software?
Yes. ST provides security advisories and security notes on each product page (hardware or software) and also on our product security incident response team (PSIRT) page.
ST also invites readers to visit the European vulnerability database (EUVD) as well as the NIST National Vulnerability Database for CVEs.
15. Is there mapping of RED versus security standards?
GlobalPlatform is hosting a public version of the SESIP & RED mapping.
16. Will RED mandate post quantum cryptography (PQC)?
PQC is not directly stated within RED. However, RED mandates the use of recognized security standards for the application and use of cryptography. Therefore, because NIST has deprecated the classical asymmetric cryptographic algorithms from 2030, PQC will be required. Our PQC compliant library allows users to start developing future-proof cryptographic solutions.
17. Does ST provide risk analysis solutions?
No, ST does not provide risk analysis services. Some qualified ST partners do provide risk analysis services.
For the device scope, ST does not know of and cannot recommend a specific risk analysis standard.
Current experience on risk analysis is based on the requirements held in various standards such as IEC 62443-4-3-2, ISO 21434, ISO 27005 and EN 303 645.
Some tools and methodologies exist and should be chosen according to your industry segment and product scope. For example:
- OWASP Threat Modeling (publisher: Open Web Application Security Project, OWASP)
- STRIDE Threat Model (publisher: Microsoft)
We also invite our readers to visit the CWE website hosted by MITRE.
18. Where can I find further deeper information on RED by ST?
For further information, you can also watch the webinars part I and part II on the subject and download our detailed presentations and Q&A.
19. References
- For further information, you can also watch the webinars part I and part II on the subject and download our detailed presentations and Q&A
- STM32Trust security framework
- STM32 Security wiki
- STM32 classic-cryptographic library
- PQC compliant library, allowing users to start developing future-proof cryptographic solutions
- Product Security Incident Response Team (PSIRT)
- Current official version of RED Directive 2014/53/EU
- Visit ENISA web portal to get latest news and updates