EU Radio Equipment Directive
The EU Radio Equipment Directive's cybersecurity rules apply from August 2025. If you are selling wireless IoT devices in Europe, they need security-by-design, vulnerability management, and update capabilities.
Reviewed for accuracy by Kodi C.
The postponed EU Radio Equipment Directive (RED) cybersecurity delegated regulation now applies from 1 August 2025. Manufacturers, importers, and distributors of internet-connected radio equipment—including smartphones, wearables, toys, child-care devices, and building automation products—must prove compliance with Articles 3(3)(d), 3(3)(e), and 3(3)(f) of Directive 2014/53/EU. That means demonstrating that devices protect network resilience, safeguard personal data and privacy, and mitigate fraud risks. Senior leaders should treat the cutover as a major product-governance event: quality management systems must embed secure development lifecycle controls, technical documentation has to show conformity against harmonized standards (such as EN 303 645 and ETSI EN 303 767 when cited), and EU declarations of conformity must be updated and traceable in product portfolios.
Regulatory scope and expectations
The Commission’s Delegated Regulation (EU) 2022/30—amended by 2023/2442 to defer application—covers categories of radio equipment capable of communicating over the internet, processing personal data, or handling money transfers. Compliance requires aligning design, production, and post-market surveillance processes with the essential requirements. Market surveillance authorities can seize non-compliant products, levy fines under national law, and trigger mandatory recalls. The RED compliance framework also interacts with the Cyber Resilience Act (CRA), the General Data Protection Regulation (GDPR), and the Product Safety Regulation, requiring coordinated governance.
Manufacturers must compile a technical documentation dossier demonstrating conformity assessment results, risk analyses, and product-specific security controls. Where harmonized standards are unavailable or insufficient, manufacturers must execute the RED Article 17 internal production control procedure supplemented by EU-type examination or full quality assurance modules. Distributors and importers must verify that products bear the CE marking, are accompanied by updated instructions, and that manufacturers have produced the required documentation. Economic operators must retain documentation for ten years after the product is placed on the market.
Governance controls
Board accountability. Boards or product governance committees should review a readiness plan mapping every impacted product line, supply chain partner, and market. Minutes must evidence allocation of accountability to senior management, typically through the Chief Product Officer, Chief Information Security Officer (CISO), and EU Authorised Representative.
Policy framework. Update product security policies, secure development lifecycle standards, and incident response procedures to reference the RED cybersecurity requirements and forthcoming CRA obligations. Policies should define mandatory threat modeling, secure coding standards, vulnerability handling, and update mechanisms.
Risk management. Integrate RED risks into the enterprise risk register with quantified impact assessments, control owners, residual risk ratings, and mitigation plans. Document risk appetite statements for product security, customer data protection, and regulatory compliance.
Third-party governance. Suppliers providing firmware, software libraries, connectivity modules, or cloud services must contractually commit to security requirements, vulnerability disclosure obligations, and patch timelines. Maintain due diligence reports, penetration test summaries, and software bill of materials (SBOM) inventories.
Audit and assurance. Internal audit should schedule reviews of product security governance, certification readiness, and documentation completeness. Capture findings, management responses, and closure evidence.
Evidence pack structure
Construct a structured evidence repository aligned with the conformity assessment process:
- Product inventory. A maintained list of all impacted SKUs, radio modules, software versions, and market destinations. Include unique identifiers, risk classification, and lifecycle status.
- Risk assessments. Threat models, data protection impact assessments (where personal data processing is significant), fraud risk evaluations, and network resilience analyses. Link to design controls and mitigation outcomes.
- Design and development artifacts. Secure coding standards, code review logs, static and dynamic analysis reports, fuzz testing evidence, cryptographic key management procedures, and secure boot configurations.
- Testing records. Laboratory test reports demonstrating compliance with harmonized standards, penetration testing results, red-team exercises, and interoperability tests. Include accreditation information for test labs.
- Supply chain documentation. Supplier contracts, SBOMs, vulnerability disclosure agreements, and change notifications. Track alignment with the EU common vulnerability reporting format and ICSMS submissions.
- Post-market surveillance. Incident logs, customer support tickets, vulnerability response timelines, and field update metrics. Document how issues feed back into design improvements.
- Regulatory submissions. EU declaration of conformity templates, notified body certificates (if used), and communications with market surveillance authorities.
Tag documents with metadata for product, version, market, and requirement clause. Implement access controls, retention schedules, and change logs so that audits can trace evidence from requirement to artifact.
Product lifecycle controls
Embed cybersecurity controls throughout the product lifecycle:
- Concept stage. Conduct regulatory impact assessments determining whether the product falls under the RED delegated act, CRA, or other sectoral requirements (medical devices, automotive). Document compliance strategies and resource estimates.
- Design stage. Perform detailed threat modeling using methodologies like STRIDE or ISO/IEC 62443. Capture security requirements covering authentication, encryption, data minimization, secure pairing, and protection against malicious software. Align privacy features with GDPR data protection by design and default.
- Development stage. Mandate secure coding checklists, automated scanning (SAST/DAST), dependency management, and SBOM generation. Enforce branch protection, peer review, and secure build pipelines with tamper detection.
- Verification stage. Execute penetration tests, fuzzing, side-channel analysis (where relevant), and resilience testing against denial-of-service attacks. Document pass/fail criteria, remediation actions, and retest evidence.
- Production stage. Implement secure provisioning, key injection controls, and manufacturing line inspections ensuring that configurations match approved baselines. Maintain tamper-evident seals and secure logistics records.
- Deployment and support stage. Provide secure update mechanisms with authentication, rollback protection, and cryptographic signing. Maintain vulnerability disclosure programs aligned with ISO/IEC 29147 and respond within defined service levels.
- End-of-life stage. Document decommissioning plans, support timelines, and communication strategies for customers. Ensure data deletion processes and residual risk assessments are captured.
Reporting workflow
Develop a reporting workflow that converges product security, privacy, and compliance teams:
- Monthly steering committee. Review readiness dashboards, risk register updates, testing progress, and supplier issues. Record action items with accountable owners.
- Quarterly board updates. Provide progress against milestones, budget utilization, incident trends, and open non-conformities. Include scenario planning for market surveillance actions.
- Regulator engagement. Maintain contact points with national authorities, prepare technical documentation extracts, and log responses to any requests for information. Where a notified body is engaged, document meeting minutes and decisions.
- Customer communications. Coordinate with marketing and support teams to prepare FAQs, privacy notices, and security advisories consistent with the declaration of conformity.
Automate reporting through dashboards that aggregate vulnerability metrics, penetration test status, and compliance milestones. Integrate with GRC platforms to trigger alerts when key indicators (for example, unpatched critical vulnerabilities) exceed thresholds.
Metrics and monitoring
Track performance using quantifiable indicators:
- Percentage of products with completed threat models and risk assessments.
- Mean time to remediate vulnerabilities by severity level.
- Percentage of firmware builds passing automated security gates.
- Coverage of SBOMs and supplier attestations across the portfolio.
- Incidents reported to market surveillance authorities and response times.
- Compliance status against harmonized standards and notified body recommendations.
Link metrics to executive scorecards and risk appetite thresholds. Escalate breaches to the board with documented remediation plans and resource requirements.
Interaction with other EU regimes
Ensure RED cybersecurity compliance dovetails with the CRA, the NIS2 Directive (for operators of essential and important entities), and GDPR obligations. Map overlapping requirements, such as vulnerability disclosure procedures, security-by-design expectations, and incident notification timelines. Align documentation so that evidence can serve multiple regulatory reviews.
For products integrating AI functionality, monitor the EU AI Act risk classification. High-risk AI components may require additional conformity assessments, data governance controls, and post-market monitoring obligations that should be reflected in the RED compliance program.
Pre-August 2025 checklist
- Complete gap assessments against ETSI EN 303 645, EN 303 767, and relevant cybersecurity standards.
- Update technical documentation and EU declarations of conformity for each affected SKU.
- Refresh supplier contracts and SBOM inventories to include vulnerability disclosure and patch delivery terms.
- Execute third-party penetration tests on representative product families and capture remediation evidence.
- Train customer support and incident response teams on reporting obligations and escalation pathways.
- Prepare market surveillance engagement packs with product security narratives, test reports, and conformity certificates.
This brief guides manufacturers through RED cybersecurity governance, combining secure development controls, supplier assurance, and audit-ready documentation so August 2025 launches proceed without disruption.
References
- Commission Delegated Regulation (EU) 2022/30 supplementing Directive 2014/53/EU (January 12, 2022) — eur-lex.europa.eu
- Commission Delegated Regulation (EU) 2023/1717 deferring application of Articles 3(3)(d)–(f) to August 1, 2025 (August 18, 2023) — eur-lex.europa.eu
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization