Skip to main content

RED Delegated Act Activates Mandatory Cyber Requirements

· 2 min read
SBD Community
SBD Community
Maintainer

In a move with major implications for the connected device market, the European Commission published Delegated Regulation (EU) 2022/30 in January 2022. This act officially activated the dormant cybersecurity clauses within the Radio Equipment Directive (RED), turning what were once recommendations into hard legal requirements.

The new rules apply to a wide range of products, including any internet-connected radio device and all connected toys.

An Earlier, Stricter Deadline

The most critical takeaway for manufacturers is the compliance deadline: August 1, 2025.

This is more than two years before the main compliance date for the Cyber-Resilience Act (CRA). This means that any company producing in-scope radio products for the EU market must meet these specific cybersecurity requirements first. Failure to do so could result in products being barred from the market.

The regulation activates three key articles of the RED:

  • Article 3(3)(d): Protection of the network.
  • Article 3(3)(e): Safeguarding of personal data and privacy.
  • Article 3(3)(f): Protection from fraud.

Compliance with these articles can be achieved by following harmonised standards, with ETSI EN 303 645 being the most prominent one for consumer devices.

This delegated act signals a clear shift in the EU's approach: cybersecurity is no longer optional. For a detailed guide on the scope, timelines, and its relationship with the CRA, see our RED Overview.