While the Cyber Resilience Act (CRA) will not apply until 2026, the first significant cybersecurity obligations for radio equipment - particularly Internet of Things (IoT) devices - will already apply from August 1, 2025. The legal basis for these requirements is found in Article 3(3)(d)-(f) of the Radio Equipment Directive (RED).
At first glance, it may seem unusual that this directive, which has been in place for over a decade, is only now being enforced in this context. Until recently, these cybersecurity requirements had not been applied because the European Union had not adopted a delegated act specifying the categories of radio equipment to which the requirements would apply.
With the publication of Delegated Regulation 2022/30 in January 2022, the European Union has now defined the specific categories of radio equipment subject to Article 3(3)(d)-(f) of the RED.
A. Scope of Application
The scope of the directive is determined by the placing on the market and commissioning of radio equipment. According to Article 2(1) of the RED, a radio equipment device is any electrical or electronic product that is intended to emit and/or receive radio waves for the purpose of radio communication and/or radio determination, or any electrical or electronic product that requires accessories, such as an antenna, to emit and/or receive radio waves for these purposes.
The material scope is further limited by Article 1(2), (3), and Annex I of the directive, which set out exclusions. The delegated regulation also introduces additional requirements for the applicability of the cybersecurity provisions, most notably that the device must be capable of connecting to the internet.
B. Cybersecurity Requirements
Under Article 3(3)(d)-(f) of the RED, certain categories of radio equipment must be designed in such a way that they:
- Do not adversely affect the network or its operation, nor misuse network resources;
- Are equipped with security features to ensure the protection of personal data and the privacy of users and subscribers;
- Support specific functions to protect against fraud.
In addition, the European Union has tasked the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) with developing technical standards to implement the requirements of Article 3(3)(d)-(f) RED. The harmonized standards were published in early January 2025.
C. RED and CRA
The CRA and the RED overlap significantly in terms of their scope of application. As a rule, radio equipment will almost always be products with digital elements. The CRA also covers all cybersecurity requirements set out in Article 3(3)(d)-(f) of the RED. However, the crucial point - and one that many economic operators are not yet aware of - is that the obligations under the RED will already apply as of August 1, 2025, and not only from 2026 or 2027.
What´s next?
Manufacturers, distributors, and importers of relevant products should, if they have not already done so, promptly familiarize themselves with the RED and the delegated regulation, and carefully assess whether their products fall within the scope of these new cybersecurity requirements.
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2025-06-30-18-20-05-882-6862d555bf3898129ef17194.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-07-16-17-10-08-796-6877dcf08a589e70316079b9.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-07-15-17-50-47-278-687694f71772065ab8f2ca28.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-07-10-20-07-20-443-68701d780a1cc52eec8a12ac.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-07-09-19-50-25-296-686ec801dc307594ef19c65f.jpg)