Radio Equipment Directive (RED) Cybersecurity Compliance

Cybersecurity requirements for internet‑connected radio equipment under the EU Radio Equipment Directive.

Overview of the Radio Equipment Directive

The Radio Equipment Directive 2014/53/EU (RED) establishes a legal framework for radio equipment by laying down essential requirements for electromagnetic compatibility, health and safety, and the effective use of the radio spectrum.

Article 3(3) of the Directive specifies additional essential requirements. Among these, the cybersecurity‑related requirements under points (d), (e), and (f) are particularly significant.

Commission Delegated Regulation (EU) 2022/30 clarifies that these requirements apply to any radio equipment that can communicate over the internet. Such equipment is commonly referred to as internet‑connected radio equipment, and compliance with the cybersecurity‑related essential requirements is critical for it.

Since August 1, 2025, manufacturers have been required to comply with these cybersecurity obligations before placing products on the EU market.

Cybersecurity‑Related Essential Requirements

The cybersecurity‑related essential requirements of the RED are defined in Article 3(3):

  • Article 3(3)(d) – Ensure protection of networks

  • Article 3(3)(e) – Ensure safeguards for the protection of personal data and privacy

  • Article 3(3)(f) – Ensure protection against fraud

The 42‑month transition period for the delegated act has ended, and compliance with these requirements is now mandatory.

Impact of RED on Internet‑Connected Devices

With the widespread adoption of Wi‑Fi, Bluetooth, NFC, and other wireless technologies, an increasing number of products function as internet‑connected radio equipment across many areas of daily life.

Radio equipment under RED includes devices that intentionally emit or receive radio waves, such as mobile phones, smart devices, Wi‑Fi routers, garage door openers, and remote‑controlled toys.

These products must undergo an appropriate conformity assessment procedure before being placed on the EU market.

Conformity Assessment Options Under RED

The Radio Equipment Directive provides several conformity assessment options:

Internal Production Control (Module A)

Manufacturers may assess their products internally, provided they have the competence to evaluate the equipment and its documentation and have applied all relevant harmonized standards.

EU‑Type Examination (Module B) + Conformity to Type (Module C)

This approach requires independent assessment by a Notified Body. The Notified Body examines the technical design and verifies compliance with the essential requirements. Technical documentation must include relevant test reports.

After a positive EU‑Type Examination, the Notified Body issues a certificate. The manufacturer must then ensure continued conformity through internal production controls.

Full Quality Assurance (Module H)

Under this option, manufacturers implement a quality management system that is assessed and approved by a Notified Body, providing the highest level of assurance.

Regardless of the conformity route selected, manufacturers remain fully responsible for product compliance.

After successful conformity assessment, manufacturers must complete technical documentation, draw up the Declaration of Conformity, and affix the CE marking before placing products on the EU market.

Role of Harmonized Standards

A European standard becomes harmonized when its reference is published in the Official Journal of the European Union (OJEU). Compliance with fully applied harmonized standards provides a presumption of conformity with the corresponding essential requirements of the Radio Equipment Directive (RED). Where a standard is published with restrictions — as is the case for the EN 18031 series — presumption of conformity does not extend to those restricted clauses.

For the cybersecurity requirements under RED, the availability and applicability of harmonized standards must be verified against the latest OJEU references and the specific product scope.

In practice:

ETSI EN 303 645 is widely used as a cybersecurity baseline for consumer IoT devices and aligns technically with RED's cybersecurity requirements. However, it is not listed as a harmonized standard in the OJEU under RED and does not on its own confer presumption of conformity. Work is ongoing to create a formal mapping between EN 303 645 and EN 18031.

IEC 62443-4-2 is commonly applied to industrial automation and control system (IACS) components at the product level. It is also not harmonized under RED, but may be used as supporting evidence in alternative conformity assessment routes.

The European Commission mandated the development of EN 18031-1, EN 18031-2, and EN 18031-3 to support conformity with the RED cybersecurity requirements for internet-connected radio equipment. These were published in the OJEU in January 2025 via Implementing Decision (EU) 2025/138, with restrictions.

Where no applicable harmonized standard exists, or where the relevant harmonized standards are not fully applied, Notified Body involvement is required under RED Article 17.

Relationship to Other Regulations

The Cyber Resilience Act (CRA) is a separate regulation that will progressively harmonize cybersecurity requirements for products with digital elements across the EU.

While CRA is distinct from RED, alignment with RED requirements and related standards can support a consistent cybersecurity approach across regulatory frameworks.

How QIMA Supports RED Cybersecurity Compliance

QIMA supports manufacturers in addressing RED cybersecurity requirements through technical evaluation, conformity assessment support, and structured project delivery.

Support includes:

  • Product scoping and applicability analysis for RED cybersecurity requirements

  • Cybersecurity testing and evaluation to support conformity assessment

  • Support in preparing RED technical documentation

  • Coordination with Notified Bodies where required, including support during EU‑Type Examination

In addition, QIMA applies a delivery-focused approach to RED cybersecurity projects, including:

  • A single point of contact (FPOC) for cybersecurity and compliance activities

  • A one-stop-shop approach covering cybersecurity testing and technical support

  • Semi-automated solutions, with further automation planned

  • Agile project management to support efficient delivery

  • Global outreach for manufacturers operating across multiple markets

  • A focus on practical timelines and clear communication

This approach is designed to support manufacturers throughout RED cybersecurity projects while maintaining clarity, efficiency, and regulatory accuracy.

Cyberexpert

QIMA also provides Cyberexpert, an IoT cybersecurity compliance platform designed to support manufacturers in addressing RED cybersecurity requirements through EN 18031. The platform helps manufacturers assess the applicability of EN 18031 standards to their products, generate product‑specific cybersecurity requirements, and build structured evidence and justifications for inclusion in RED technical documentation. Cyberexpert combines automated assessment with expert review and optional testing pathways, helping manufacturers prepare for conformity assessment efficiently and consistently.

International Market Access and CB Scheme

Cybersecurity standards such as ETSI EN 303 645 and IEC 62443‑4‑2 are recognized internationally.

Manufacturers targeting markets outside the EU may use the IECEE CB Scheme, which enables international certifications based on a single evaluation.

QIMA is a recognized CB Testing Laboratory (CBTL) under the National Certification Body of QIMA Certification (Germany) GmbH.

Consumer IoT and Industrial Control Systems Under RED

Consumer IoT devices and certain industrial control system components may fall under the scope of RED when radio functionality is present.

Adherence to these standards supports secure design, privacy protection, and regulatory compliance.

Talk to Our Cybersecurity Experts

If your products include internet-connected radio functionality and are intended for the EU market, QIMA can help you understand and meet RED cybersecurity requirements.


FAQs

What is the Radio Equipment Directive (RED)?

The Radio Equipment Directive (RED) is a regulatory framework established by the European Union (EU) to harmonize requirements for radio equipment placed on the EU market. It is formally known as Directive 2014/53/EU and replaced the former Radio and Telecommunications Terminal Equipment (R&TTE) Directive.

What is the purpose of the RED?

The Radio Equipment Directive establishes a regulatory framework to ensure that radio equipment placed on the EU market complies with essential requirements. Its objectives include:

  • protection of health and safety

  • electromagnetic compatibility (EMC)

  • efficient use of the radio spectrum

  • cybersecurity and data protection

  • harmonization and free movement of goods within the EU

  • protection of end users

The directive also supports market surveillance and enforcement activities by EU member states.

Who does the RED apply to?

The RED applies to economic operators involved in placing radio equipment on the EU market, including:

Manufacturers: Manufacturers are responsible for ensuring that their radio equipment complies with RED essential requirements. They must perform conformity assessment procedures, prepare technical documentation, affix the CE marking, and meet other regulatory obligations.

Authorized Representatives: Manufacturers located outside the EU must appoint an authorized representative within the EU to act on their behalf.

Importers: Importers must ensure that radio equipment from non‑EU countries complies with RED requirements before placing it on the EU market.

Distributors: Distributors must verify that radio equipment bears the CE marking, is accompanied by required documentation, and complies with applicable requirements.

RED also applies to operators who place equipment on the market under their own name or trademark, modify equipment in ways that affect compliance, or assemble equipment from components to form a new product.

What types of products are covered under the RED?

RED covers a wide range of products that use radio frequency spectrum for communication or transmission, including:

  • wireless consumer devices (e.g. smartphones, tablets, wearables)

  • radio transmitters and receivers

  • telecommunications terminal equipment

  • satellite communications equipment

  • broadcasting equipment

  • short‑range devices such as Wi‑Fi, Bluetooth, RFID, and remote controls

As of August 1, 2025, internet‑connected radio equipment is also subject to specific cybersecurity requirements under Article 3(3)(d), (e), and (f).

What documentation is required for compliance with the RED?

Manufacturers must prepare and maintain technical documentation demonstrating conformity with RED essential requirements. This typically includes:

  • a general description of the equipment

  • design and manufacturing drawings and specifications

  • a list of applicable standards or technical specifications

  • descriptions of solutions adopted to meet essential requirements

  • results of risk assessments, design calculations, and test reports

  • user and installation manuals, where applicable

  • information on labeling and marking

Technical documentation must be made available to market surveillance authorities upon request.

Can manufacturers self‑declare compliance with the RED, or is third‑party involvement required?

Manufacturers may self‑declare conformity under Module A (Internal Production Control) where applicable, provided all essential requirements are met and relevant harmonized standards are applied.

For certain categories of radio equipment or where harmonized standards do not fully cover essential requirements, Notified Body involvement is mandatory, and manufacturers must use an appropriate conformity assessment module.

What are the penalties for non‑compliance with the RED?

Penalties for non‑compliance vary by EU member state and may include:

  • market withdrawal or product recall

  • administrative enforcement measures

  • fines or financial penalties

  • legal proceedings

  • restricted market access

  • reputational damage

Manufacturers, importers, and distributors are responsible for ensuring compliance to avoid these consequences.

Can radio equipment compliant with international standards but not RED be placed on the EU market?

Radio equipment that complies with international standards but does not fully meet RED requirements may only be placed on the EU market under specific transitional conditions.

Once the transition period ends, manufacturers must ensure full compliance with RED requirements to continue placing products on the EU market.

How does conformity assessment under the RED take place?

The conformity assessment procedure depends on the characteristics of the radio equipment and the applicable requirements. The process typically includes:

  • determining the appropriate conformity assessment module

  • preparing technical documentation

  • performing required testing and evaluation

  • issuing the Declaration of Conformity (DoC)

  • affixing the CE marking

Different modules may apply depending on the product and applicable standards.

When did the new RED cybersecurity requirements become mandatory?

Compliance with the cybersecurity requirements specified in Delegated Regulation (EU) 2022/30 became mandatory on August 1, 2025.

All radio equipment within scope must comply with these requirements before being placed on the EU market.

What types of radio equipment require additional cybersecurity measures under RED?

Internet‑connected radio equipment, as well as certain wireless devices such as childcare radio equipment and wearable devices, must comply with enhanced cybersecurity requirements under Article 3(3)(d), (e), and (f).

Does my device need a USB‑C port under the Common Charger rules?

Yes, if it is a small or medium‑sized portable electronic device capable of wired charging. Under Directive (EU) 2022/2380, many devices must be equipped with a USB‑C receptacle.

For laptop computers, this requirement becomes mandatory on April 28, 2026.

Can manufacturers use compliance marks other than the CE mark under the RED?

No. The CE mark is the mandatory compliance marking for radio equipment under RED and is required for legal access to the EU market.
