![Ayyekas-Logo_Horizontal-1062x400.png]](https://www.ayyeka.com/hs-fs/hubfs/Ayyekas-Logo_Horizontal-1062x400.png?width=105&height=40&name=Ayyekas-Logo_Horizontal-1062x400.png){kind=logo}
RED Cybersecurity Compliance - Ayyeka Wavelet Declaration of Conformity
Ayyeka has assessed the Ayyeka Wavelet device family, running firmware version 2.566 and newer, against EN 18031-1:2024 for internet-connected radio equipment under RED Article 3(3)(d). Based on this assessment, Ayyeka declares conformity with the applicable RED cybersecurity requirements and maintains the required technical file and EU Declaration of Conformity.
1. What is the Radio Equipment Directive (RED)?
The Radio Equipment Directive - Directive 2014/53/EU - is a mandatory European regulation that applies to radio equipment placed on the EU market. It establishes essential requirements for radio equipment, including health and safety, electromagnetic compatibility, efficient use of radio spectrum, and additional requirements that may apply to specific categories of equipment.
Demonstrating conformity with the applicable RED requirements is required before affixing the CE mark and placing radio equipment on the European Economic Area market.
Reference: Directive 2014/53/EU - Radio Equipment Directive
2. Cybersecurity Requirements Under RED
Under Commission Delegated Regulation (EU) 2022/30, cybersecurity became part of the RED essential requirements for certain categories of radio equipment. For Ayyeka Wavelet devices, the relevant cybersecurity requirement is RED Article 3(3)(d), which addresses protection of the network and prevention of harm to network infrastructure.
The RED cybersecurity requirements have applied since 1 August 2025, following the application-date update introduced by Commission Delegated Regulation (EU) 2023/2444.
3. EN 18031-1:2024
EN 18031-1:2024 is the harmonized European cybersecurity standard for internet-connected radio equipment under RED Article 3(3)(d). It provides the technical framework used to assess whether applicable internet-connected radio equipment includes appropriate cybersecurity protections. Commission Implementing Decision (EU) 2025/138 lists EN 18031-1:2024 as supporting Article 3(3)(d), with the published restrictions and notices.
For Ayyeka Wavelet telemetry devices, the applicable RED cybersecurity assessment scope is EN 18031-1:2024.
The Wavelet declaration scope does not include EN 18031-2 or EN 18031-3, as those parts address other RED cybersecurity requirements that are not applicable to the Wavelet use case.
4. EN 18031-1 - High-Level Cybersecurity Requirements
EN 18031-1 addresses cybersecurity controls for internet-connected radio equipment, including:
- Network resilience - Devices must include controls that reduce the risk of unauthorized access to networks or network services.
- Protection of communication and security assets - Devices must protect security-relevant assets such as credentials, certificates, keys, configuration, and communication interfaces against unauthorized access or misuse.
- Prevention of harm to network infrastructure - Devices must include controls that reduce the risk of being misused to harm network operation or internet infrastructure.
- Secure software updates - Devices must support secure update mechanisms, including validation of update authenticity and integrity before installation.
- Minimal attack surface - Devices should expose only the interfaces and services required for their intended operation.
- Secure default configuration - Devices must ship with secure defaults and must not rely on generic or shared credentials for security-sensitive access.
5. Ayyeka Wavelet Cybersecurity Controls
Ayyeka Wavelet devices implement cybersecurity controls aligned with EN 18031-1, including:
- Mutual TLS (mTLS) - Certificate-based mutual authentication and encrypted communication between devices and the server, enforcing strong device identity and preventing unauthorized access, impersonation, or replay attacks. The mTLS private key is stored in the device's internal protected memory and cannot be externally accessed or extracted.
- Secure software updates - A secure bootloader verifies the authenticity and integrity of every firmware package before installation. Only authenticated, untampered firmware released by Ayyeka can be installed on the device.
- Strong local access controls - BLE and Trace/USB interfaces require authenticated sessions with strong password policies and automatic rotation. BLE access is time-limited and requires physical activation. Brute force protection is enforced across all interfaces.
- Encrypted and integrity-protected storage - All data written to the SD card is encrypted at rest and digitally signed. Signatures are verified on every read, ensuring unauthorized modifications are detected and rejected. MCU internal flash is encrypted and cannot be read externally.
- Hardware root of trust - Cryptographic operations are anchored to a hardware-based root of trust, ensuring authentication and signature verification rely on secure, trusted keys stored exclusively in protected internal memory.
- Minimal attack surface - USB access is restricted to diagnostic trace logs only. Unused interfaces and services are disabled.
6. Declaration of Conformity
Compliance with EN 18031-1 is documented by the manufacturer as part of the RED conformity assessment process. This includes:
- Mapping applicable EN 18031-1 requirements to Wavelet design controls
- Maintaining a technical file with supporting evidence
- Documenting relevant architecture, implementation, and test evidence
- Issuing an EU Declaration of Conformity
- Affixing the CE mark in accordance with applicable EU requirements
Ayyeka has completed the EN 18031-1 conformity assessment for the Ayyeka Wavelet device family running firmware version 2.566 and newer. Based on this assessment, Ayyeka declares conformity with the applicable RED cybersecurity requirements under Article 3(3)(d).
7. Scope of Declaration
This declaration applies to the following Wavelet products and firmware versions:
- Product family: Ayyeka Wavelet device family
- Applicable firmware versions: 2.566 and newer
- Applicable RED cybersecurity standard: EN 18031-1:2024
- RED requirement covered: Article 3(3)(d)
EN 18031-2 and EN 18031-3 are outside the declared scope for the Wavelet cybersecurity assessment.
8. References
- Directive 2014/53/EU - Radio Equipment Directive - establishes the EU regulatory framework for radio equipment and CE marking requirements.
- Commission Delegated Regulation (EU) 2022/30 - applies RED Article 3(3)(d), (e), and (f) cybersecurity requirements to defined categories of radio equipment.
- Commission Delegated Regulation (EU) 2023/2444 - updates the application date of the RED cybersecurity requirements to 1 August 2025.
- Commission Implementing Decision (EU) 2025/138 - lists EN 18031-1:2024 as a harmonized standard supporting RED Article 3(3)(d) for internet-connected radio equipment.
- EN 18031-1:2024 - Common security requirements for radio equipment - Part 1: Internet connected radio equipment - European cybersecurity standard applicable to internet-connected radio equipment.