RED Cybersecurity Requirements

If you place connected radio equipment on the EU market, the RED cybersecurity requirements affect how certain products need to be designed, documented, and assessed. Commission Delegated Regulation (EU) 2022/30 activates additional essential requirements under Article 3(3)(d), (e), and (f) of the Radio Equipment Directive.

What Changed Under RED Cybersecurity Requirements

The Radio Equipment Directive, RED 2014/53/EU, already set the regulatory framework for placing radio equipment on the EU market. The change is that additional cybersecurity-related essential requirements now apply to certain categories of radio equipment under Article 3(3)(d), (e), and (f). Those additions come from Delegated Regulation (EU) 2022/30.

For manufacturers, this means cybersecurity is no longer a side topic handled only at the product security level. It affects scope, technical documentation, conformity assessment, and launch readiness for products in scope.

Which Products Are Affected

The delegated regulation applies Article 3(3)(d) to radio equipment that can itself communicate over the internet, whether directly or through other equipment. Article 3(3)(e) applies to internet-connected radio equipment that processes personal data, traffic data, or location data, and also to certain childcare, toy, and wearable radio equipment that processes those data types. Article 3(3)(f) applies to internet-connected radio equipment that enables the holder or user to transfer money, monetary value, or virtual currency.

This is why product teams need to look beyond the hardware itself. The relevant scope can include connected functions, apps, backend services, account handling, updates, and data flows tied to how the product actually works.

Articles 3(3)(d), (e), and (f) in Practice

Article 3(3)(d)

Focuses on protecting networks and network resources from harm or misuse caused by radio equipment.

Article 3(3)(e)

Focuses on protecting personal data and user privacy where the equipment processes personal, traffic, or location data.

Article 3(3)(f)

Focuses on protection against fraud for radio equipment that can transfer money, monetary value, or virtual currency.

If you want a closer look at how Articles 3(3)(d), (e), and (f) apply in practice, read our detailed guide to RED Article 3(3) requirements.

How EN 18031 Fits In

EN 18031 is the harmonized standards family linked to these RED cybersecurity requirements. In January 2025, the European Commission cited EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024 in the Official Journal. These standards provide a recognized route manufacturers can use to support conformity with the RED cybersecurity requirements, although use of harmonized standards remains voluntary. In practical terms:

  • RED defines the legal requirements

  • EN 18031 helps structure how those requirements can be addressed

  • product documentation and evidence show how the product supports conformity

For more on the standards side, see EN 18031 overview.

What Evidence Manufacturers Typically Need

Manufacturers typically need documentation that connects the product, the applicable requirements, and the controls or decisions that support conformity. The UK government factsheet on Regulation (EU) 2022/30 notes that manufacturers need updated technical documentation and an updated EU Declaration of Conformity covering the additional essential requirements.

In practice, that often means:

  • product scope and architecture definition

  • identification of relevant RED cybersecurity requirements

  • requirement mapping across device, app, and backend

  • security control descriptions and justifications

  • data handling and privacy documentation where relevant

  • update, access-control, and vulnerability handling documentation

  • supporting review, validation, or testing records

  • technical file materials ready for conformity assessment

This is usually where teams lose time if scope, ownership, and evidence structure are unclear.

How Cyberexpert Supports Readiness and Documentation

Cyberexpert helps teams turn the RED cybersecurity requirements into a more structured readiness workflow. With Cyberexpert, teams can:

  • assess whether the product falls within the relevant RED cybersecurity scope

  • understand how EN 18031 connects to the product

  • define scope across device, app, and backend

  • create a product-specific requirements map

  • build a clearer evidence checklist for documentation work

  • prepare for next-step review, assessment, or expert support
