The RED Cybersecurity Landscape in 2026

The Radio Equipment Directive (RED) 2014/53/EU has governed the placing of radio equipment on the EU market since 2016. However, the cybersecurity provisions under Article 3.3 were only activated by Delegated Regulation (EU) 2022/30, which came into full force on 1 August 2025.

This means that all internet-connected radio equipment placed on the EU market must now demonstrate conformity with cybersecurity essential requirements. This article explains what those requirements are and how to meet them.

The Three Cybersecurity Essential Requirements

Article 3.3(d) — Network Protection

Radio equipment must not harm the network or its functioning, nor misuse network resources, thereby causing an unacceptable degradation of service. In practice, this means:

  • Resistance to exploitation as a vector for network attacks
  • Protection against being used in botnets or DDoS amplification
  • Secure network protocol implementations
  • Proper handling of network resources and connections

Article 3.3(e) — Privacy Safeguards

Radio equipment must incorporate safeguards to ensure the protection of personal data and privacy of the user and subscriber. This includes:

  • Encryption of personal data in transit and at rest
  • Appropriate access controls for personal data
  • Data minimisation in default configurations
  • User consent mechanisms where applicable

Article 3.3(f) — Fraud Protection

Radio equipment must support features that ensure protection from fraud. This covers:

  • Secure authentication to prevent unauthorised access
  • Protection of payment and financial transactions
  • Resistance to identity spoofing and impersonation
  • Audit logging of security-relevant events

Which Products Are Affected?

The cybersecurity requirements apply broadly to internet-connected radio equipment. The Delegated Regulation specifies categories including:

  • Equipment that communicates via the internet (Article 3.3(d) and (e))
  • Equipment that processes personal data, traffic data, or location data (Article 3.3(e))
  • Equipment that is used for financial transactions (Article 3.3(f))
  • Child care equipment, toys, and wearables (Article 3.3(e) and (f))

How to Demonstrate Conformity

The most efficient route is to apply the harmonised standard EN 18031-1 (and parts 2 and 3 as applicable), which provides a presumption of conformity. In full, manufacturers have three options:

  1. Apply the harmonised standard(s) for a presumption of conformity via self-declaration
  2. Use other technical specifications and demonstrate equivalence
  3. Seek a Notified Body EU-type examination

For most manufacturers, applying EN 18031 via self-declaration is the recommended approach. Where the standard doesn't fully cover the essential requirements, or for certain product categories, a Notified Body assessment may be required.

Common Compliance Challenges

Legacy Products

Products designed before the cybersecurity requirements were activated often have significant gaps. Retrofitting security into an existing architecture is more costly than designing it in — but market access requires it.

Supply Chain Dependencies

Many products incorporate third-party software and components. Manufacturers remain responsible for the cybersecurity of the final product, even when vulnerabilities originate in supply-chain components.

Documentation Burden

The technical file must include comprehensive cybersecurity evidence — risk assessments, test reports, and design documentation. Many manufacturers underestimate the documentation effort.

The Relationship with the Cyber Resilience Act

The Cyber Resilience Act will introduce additional cybersecurity obligations for products with digital elements. Products that are already compliant with RED cybersecurity requirements will have a head start on CRA compliance, but there are additional requirements — particularly around vulnerability handling, SBOM management, and ongoing obligations — that go beyond the RED.

Next Steps

If your product is internet-connected radio equipment, compliance with RED cybersecurity requirements is mandatory now. We recommend:

  1. Determine which Articles (3.3(d), (e), (f)) apply to your product
  2. Conduct a gap analysis against EN 18031
  3. Address non-conformities with prioritised remediation
  4. Complete full compliance testing and documentation
  5. Plan for ongoing CRA compliance