EU Radio Equipment Directive Cybersecurity Delegated Regulation (EU) 2022/30
EU Delegated Regulation 2022/30 activates RED cybersecurity requirements for internet-connected radio equipment, mandating network protection, privacy safeguards, and fraud prevention from August 2025. Compliance is tied to CE marking and EU market access.
What the RED Cybersecurity Delegated Regulation Is
Delegated Regulation (EU) 2022/30 activates specific cybersecurity requirements under Article 3(3) of the Radio Equipment Directive (RED, Directive 2014/53/EU). The RED governs wireless and radio equipment placed on the EU market, and this delegated act "switches on" essential requirements that protect networks, safeguard personal data and privacy, and protect against fraud. It exists because the explosion of connected wireless devices, from smartphones to IoT sensors, created systemic risks that basic radio safety rules did not address.
The requirements become mandatory for affected equipment from 1 August 2025, after the date was extended to give industry time to prepare. Harmonized standards support manufacturers in demonstrating conformity.
Who It Applies To
The regulation applies to manufacturers, importers, and distributors placing in-scope radio equipment on the EU market. It covers internet-connected radio equipment and certain devices that process personal data, traffic data, or location data, as well as equipment enabling monetary transfers. Some categories, such as certain medical devices and motor vehicles already covered by sector cybersecurity rules, are excluded to avoid duplication.
Key Requirements
- Network protection (Article 3(3)(d)) — Ensure equipment does not harm the network or its functioning or misuse network resources.
- Privacy and personal data (Article 3(3)(e)) — Incorporate safeguards to protect users' personal data and privacy.
- Protection against fraud (Article 3(3)(f)) — Support features that reduce the risk of fraud in electronic payments and transfers.
- Conformity assessment — Demonstrate conformity, using harmonized standards where available, and apply CE marking.
- Secure design — Build devices with secure defaults, authentication, and protection of data in transit and at rest.
- Documentation — Maintain technical documentation evidencing compliance.
Penalties for Non-Compliance
Member states set and enforce penalties under their RED implementing laws, which can include fines, withdrawal or recall of non-compliant equipment, and prohibition from the market. Because compliance is tied to CE marking, non-conforming devices can be barred from sale across the EU, which is the most significant commercial consequence.
How to Comply
Manufacturers should determine whether their wireless devices fall in scope, then build in protections for network integrity, personal data, and fraud prevention from the design stage. Use applicable harmonized standards to streamline the conformity assessment and prepare technical documentation that evidences how each essential requirement is met. Apply CE marking, and coordinate with related frameworks such as the upcoming Cyber Resilience Act so overlapping obligations are addressed coherently.