Radio Equipment Directive (RED)

1. Why the RED cyber rules matter now

The Radio Equipment Directive (RED) cybersecurity rules are defined by two key legal acts. First, the main Directive 2014/53/EU established the framework and created dormant security clauses in RED Art. 3 § 3(d-f). Second, a subsequent Delegated Regulation (EU) 2022/30 activated these clauses for a wide range of consumer and industrial products, making them legally mandatory.

From 1 August 2025, any in-scope device must meet these essential requirements to receive a CE mark. This regulation acts as a precursor to the broader Cyber-Resilience Act (CRA), but with a compliance deadline that is over two years earlier. Manufacturers of products covered by both must meet the RED's deadline first.

Official texts
  • Official Journal (Directive) – Legally binding text of Directive 2014/53/EU as published on 22 May 2014: OJ:L:2014:153 HTML.
  • Consolidated Version (RED) – Integrates subsequent corrections and amendments: CELEX:02014L0053-20241228 HTML.
  • Delegated Act (DA) – Activates the security requirements for specific product classes: CELEX:32022R0030 HTML.
  • Amendment to DA – Postponed the application date to 1 Aug 2025: OJ:L_202302444 HTML.

The consolidated version is easier for clause citations, but in case of doubt the official journal prevails.

Implementation Guidance

While harmonised standards are still under development, Germany's Federal Office for Information Security (BSI) has published a detailed technical guideline that serves as a practical playbook for CRA compliance. Since the security principles overlap significantly, it is a highly recommended resource for implementing the RED's requirements.

Timeline of Key Dates

Date | Event | Legal/Standard Reference
2022-01-12 | Delegated Regulation (EU) 2022/30 is published, activating RED's security articles. | Delegated Act
2023-10-18 | Regulation (EU) 2023/2444 is published, postponing the compliance deadline by 12 months. | Amendment to Delegated Act
2025-01-30 | Anticipated: harmonised standards (e.g., the ETSI EN 18031 series) expected to be cited in the OJEU. Note: this date may change, as standardisation bodies have noted the complexity of the work. | Standardisation Mandate M/585
2025-08-01 | Compliance is mandatory. Products placed on the market must meet the essential requirements. | Delegated Act Art. 2

Relationship to other EU laws

Law | How it interacts with RED Security Rules
Cyber-Resilience Act (CRA) | The CRA will become the primary horizontal law for product cybersecurity. Its essential requirements include and build upon those in the RED. Once a product complies with the CRA, it will be presumed to comply with RED Art. 3 § 3(d-f) (CRA Art. 11). However, since the RED deadline (Aug 2025) is earlier, manufacturers must comply with it first. Crucially, the CRA does not apply to medical devices covered by the MDR or IVDR. (CRA Recital 30)
NIS 2 Directive | NIS 2 governs organisational cyber risk for critical sectors, while the RED focuses on product security. An organisation might be a NIS 2 "essential entity" and also manufacture products that must comply with the RED. The obligations are cumulative. (NIS 2 Art. 21 § 2)
CE-marking framework | The RED security requirements are enforced through the CE-marking framework. A product may only bear the CE mark if it complies with all applicable legislation, which, from Aug 2025, includes RED Art. 3 § 3(d-f) for in-scope devices. (Reg. 765/2008 Art. 30)

2. Scope – Which Products are Covered?

The Delegated Regulation (EU) 2022/30 applies the cybersecurity requirements to specific categories of radio equipment. If your product falls into any of the categories below, it must comply by 1 August 2025.

2.1 In-Scope Product Categories

Category | Description | Legal Basis
Internet-Connected Radio Equipment | Any radio equipment that is capable of communicating over the internet, whether directly or indirectly (e.g., via a gateway or smartphone). This is the broadest category and covers most modern IoT devices. | DA Art. 1(a)
Toys | Any radio equipment that falls under the scope of the Toy Safety Directive 2009/48/EC. This includes connected toys that can communicate with other devices. | DA Art. 1(b)
Wearables & Personal Data Processors | Any radio equipment designed to be worn by a person (wearable) or that processes certain categories of personal data as defined by GDPR. | DA Art. 1(c)

2.2 Examples

Product Example | Category | In Scope? | Reasoning
Smart Speaker (e.g. Alexa) | Internet-Connected Radio | ✅ Yes | Connects directly to the internet to provide services.
Wi-Fi Enabled Baby Monitor | Internet-Connected Radio, Personal Data Processor | ✅ Yes | Connects to the internet and processes personal video/audio data.
Bluetooth Fitness Tracker | Wearable, Personal Data Processor | ✅ Yes | Worn by the user and processes health data; syncs with a smartphone that is internet-connected (indirect connection).
Connected Toy Robot | Toy, Internet-Connected Radio | ✅ Yes | Falls under the Toy Safety Directive and connects to a network.
Industrial IoT Sensor | Internet-Connected Radio | ✅ Yes | Connects to an industrial network which in turn connects to the internet for monitoring.
Simple Bluetooth Speaker | Radio Equipment | ❌ No | Does not connect to the internet (directly or indirectly) and does not process personal data beyond a/v streaming.
Automotive Infotainment | Radio Equipment | ❌ No | Excluded from the RED as it is covered by vehicle type-approval rules (Regulation 2018/858).

3. RED Requirements & How to Implement Them

The Delegated Act activates three key security requirements from the main RED text. While these are the focus for the 2025 deadline, it is important to remember that RED Article 3 also contains foundational requirements for all radio equipment, including the protection of health and safety (Art. 3(1a)) and electromagnetic compatibility (EMC) (Art. 3(1b)).

Manufacturers of in-scope products must design their devices to comply with the following obligations.

Obligation & Legal Basis | Interpretation & Engineering Tasks | Implementation Guides
(d) No Network Harm (RED Art. 3(3)(d); DA Recital 7) | The product must not harm the network or misuse its resources, causing service degradation. This means designing for resilience against DoS attacks and ensuring the device cannot be easily co-opted into a botnet. | Device Lifecycle Management; CI/CD Hardening
(e) Protect Personal Data & Privacy (RED Art. 3(3)(e); DA Recital 8) | The product must include safeguards to protect personal data and user privacy, taking into account the "state of the art". This requires implementing strong access control and modern encryption. Manufacturers must also provide clear user instructions and maintain technical documentation outlining risks and solutions (RED Art. 10, 21). | Unique Device Identity; Key Provisioning & Storage; Data Privacy & Secure Deletion
(f) Protection from Fraud (RED Art. 3(3)(f); DA Recital 9) | The product must support features that protect against fraudulent activity (e.g., in electronic payments). This means ensuring the integrity of its software (e.g., via secure boot) and its identity. To aid traceability, manufacturers must ensure products bear a type, batch, or serial number (RED Art. 10(6)). | Secure Boot; Unique Device Identity

4. Self-Assessment vs. Third-Party Audit?

4.1 Assessment Routes

To demonstrate compliance and affix the CE mark, manufacturers must follow a conformity assessment procedure laid out in the RED (RED Art. 17). The route depends on whether they fully apply harmonised standards.

Condition | Assessment Route
Manufacturer fully applies relevant harmonised standards. | Module A (Internal Production Control) → Manufacturer performs self-assessment.
Manufacturer does not fully apply harmonised standards (or they don't exist). | Modules B+C or Module H → Mandatory third-party audit by a Notified Body.

  • Module A (RED Annex II): The manufacturer handles all testing and documentation internally.
  • Module B+C (RED Annex III): A Notified Body performs an "EU-type examination" of the technical design (Module B), and the manufacturer ensures ongoing production conforms to that approved type (Module C).
  • Module H (RED Annex IV): A Notified Body approves a full quality assurance system covering the design, manufacture, and testing of the product.

Planning for the Cyber Resilience Act (CRA)

These modules are foundational concepts in EU regulation. For long-term planning, manufacturers should be aware that the upcoming CRA builds upon them with a more detailed, risk-based approach. The CRA's conformity route depends on a product's risk classification, which determines whether self-assessment (Module A) is permitted or a third-party audit is required.

See the CRA Overview for a full breakdown of its risk classes and assessment routes.

4.2 The Role of Harmonised Standards

A harmonised standard (hEN) is a standard created by a European Standardisation Organisation (e.g., ETSI) that provides a technical specification for meeting the RED's essential requirements.

When a manufacturer follows a relevant hEN, their product gains a "presumption of conformity" with the legal requirements covered by that standard or parts thereof (RED Art. 16). This is the key that unlocks the simplest path to compliance: self-assessment (Module A).

For the cybersecurity requirements, the key standards are the ETSI EN 18031 series. The standardisation request from the Commission is detailed in Mandate M/585.

4.3 CE Marking

The CE mark signals that a product complies with all applicable EU legislation. For RED, it must be affixed visibly, legibly, and indelibly to the product and its packaging (RED Art. 20). If a Notified Body was involved in the assessment (e.g., Modules B+C or H), their four-digit identification number must be placed after the CE mark and be the same height.

5. Maintaining Compliance & Vulnerability Handling

While the RED is less explicit than the CRA about post-market duties, maintaining compliance with the essential requirements over time requires an effective vulnerability management process. The following practices, which are formalised in the CRA, should be considered best practice for any manufacturer placing a product on the EU market:

  • Vulnerability Remediation: Address and fix vulnerabilities without undue delay, providing security updates that are free of charge and, where possible, delivered automatically.
  • Component Inventory: Identify and document all software components, including by drawing up a Software Bill of Materials (SBOM), to enable vulnerability tracking.
  • Security Testing: Regularly test the product for vulnerabilities using both internal processes and independent security researchers.
  • Coordinated Disclosure: Establish a clear policy and a secure contact channel for third parties to report vulnerabilities.

Adopting these processes not only ensures that a product remains secure and compliant with the RED's core principles but also prepares the manufacturer for the more extensive requirements of the upcoming Cyber Resilience Act.