EU Radio Equipment Directive (RED)

The Radio Equipment Directive (Directive 2014/53/EU) has traditionally focused on spectrum use, electromagnetic compatibility, and user safety for wireless products placed on the EU market.

Cybersecurity Delegated Act

With the introduction of Commission Delegated Regulation (EU) 2022/30, the scope of RED has formally expanded to include cybersecurity.

Through this Delegated Act, Article 3(3)(d), (e), and (f) becomes mandatory for all applicable radio equipment placed on the EU market from 1 August 2025. Any non-compliant product supplied after this date cannot be legally sold in the EU.

Key Cybersecurity Objectives

Network protection (Article 3(3)(d)): Radio equipment must be designed so it does not harm network operations or misuse network resources. This directly targets risks such as botnet infections, DDoS participation, and uncontrolled traffic generation.

Protection of personal data and privacy (Article 3(3)(e)): Devices must include built-in safeguards to protect user data and communications, aligning product security with GDPR principles at the hardware and firmware level.

Fraud prevention (Article 3(3)(f)): Products involved in payments or sensitive transactions must include security controls that reduce fraud risk, including secure authentication and cryptographic protection.

Scope and Technical Compliance

The Delegated Act applies broadly to internet-connected radio equipment such as smartphones, routers, cameras, wearables, consumer IoT devices, and wireless industrial products.