From bedtime stories to interactive learning, technology has become inseparable from modern childhood. Internet-connected devices like smart baby monitors, wearable location trackers, and interactive storybooks are reshaping how children learn, play, and stay safe. According to Market Research Future1, the global smart toys market was valued at $21.55 billion in 2022 and is projected to surpass $107 billion by 2030, driven by rapid advances in AI and IoT integration.
However, this proliferation comes with a growing set of security concerns. In recent years, manufacturers have faced regulatory action and reputational damage due to unauthorized data collection, unsecured communication channels, and exploitable system flaws. In response, the European Commission has expanded the scope of the Radio Equipment Directive (RED)—a regulatory framework that ensures radio-connected devices meet essential safety and cybersecurity requirements before entering the EU market.
Stricter scrutiny for connected toys and childcare devices
Hackers may target childcare devices for several reasons: to collect sensitive information, exploit unsecured audio/video streams, or use compromised devices as entry points into broader home networks. In some reported cases, compromised baby monitors have been used to eavesdrop on households or communicate with children inappropriately.
In addition, these products are frequently used without adult supervision. Even when compromised, children may not recognize unusual behavior within their devices. Furthermore, smart toys are often built-in with passive recording or monitoring features that collect data even when not actively in use. If a product claims to support parental safety or educational benefits, it must deliver those promises securely.
For that reason, manufacturers are expected to place greater guardrails to ensure the safety of vulnerable user demographics such as children. This is especially critical as connected toys and childcare products often collect voice recordings, location data, and behavioral information. These devices may also connect to cloud services or mobile apps, establishing data pipelines that can and will be targeted by hackers.
Connected toys and childcare devices have therefore been grouped under the high-risk category of RED Article 3.3. This includes items such as voice-enabled dolls, location-tracking wearables, and app-linked nightlights that can transmit data, interact over networks, or be remotely accessed. Such items, if compromised, could endanger the privacy, safety, or health of their young users.
RED security requirements specific to smart toys
On top of general RED Article 3.3 (d), (e), and (f) provisions that manufacturers must comply with starting from August 1, 2025, smart toy and childcare product manufacturers must abide by more stringent design and testing standards:
For manufacturers of toys and childcare products, this translates to stricter design and testing standards. Products must be able to:
- Encrypt communications to protect sensitive data in transit
- Require authentication before pairing with external devices
- Prevent remote access without user consent
- Support secure firmware updates and avoid hardcoded credentials
Formalized under the EN 18031 series (Parts 1, 2, and 3)---these design imperatives form a widely recognized framework, doubling as a benchmark for market surveillance authorities when it comes to securing connected products and conforming with RED Article 3.3 cybersecurity provisions.
Common pitfalls in RED compliance testing
Common issues in RED conformance assessments of smart toys and childcare devices include continued use of default usernames and passwords, unencrypted HTTP protocols, firmware that lacks signature verification, and reliance on outdated Bluetooth pairing methods that lack mutual authentication.
These vulnerabilities can be exploited using basic sniffing tools or packet injection techniques—threats well within the reach of amateur hackers. Alarmingly, manufacturers often defer security reviews until late in development. By then, design constraints and limited timelines make remediation difficult and costly. Embedding security considerations from the beginning of the product lifecycle ensures not only smoother RED certification but better long-term resilience.
Build trust through compliance with secure design
As enforcement of RED Article 3.3 draws near, compliance is not only about securing market access—but safeguarding trust in a category that serves society’s most vulnerable users. By proactively addressing RED security requirements, manufacturers can build resilient products that stand the test of regulatory scrutiny and address increasing concerns over cybersecurity risks.
Conducting cybersecurity testing with GRL means enjoying end-to-end RED compliance support, including risk assessments, protocol analysis, security feature verification, and guidance based on EN 18031-1/2/3. Through years of experience testing wireless IoT devices—including connected toys and baby tech—you too can create products that demonstrate secure design and certified protection that will stand out in a competitive market.
References
1. https://www.marketresearchfuture.com/reports/smart-toys-market-10813
