Guide to the RED — cybersecurity requirements for internet-connected radio equipment, CE marking, and IoT compliance.
The Radio Equipment Directive (2014/53/EU) sets essential requirements for radio equipment placed on the EU market, including safety, electromagnetic compatibility, and efficient spectrum use. Article 3(3)(d), (e), and (f) — activated by Delegated Regulation 2022/30 — add cybersecurity, privacy, and fraud prevention requirements for internet-connected radio equipment. These new cybersecurity obligations apply from 1 August 2025, making the RED a key regulation for IoT device manufacturers.
Manufacturers of radio equipment placed on the EU market — smartphones, Wi-Fi routers, IoT sensors, Bluetooth devices, connected home appliances, wearable devices, and child-related products with radio capability.
Article 1
Article 2
Article 3
Article 3(3)(d)
Article 3(3)(e)
Article 3(3)(f)
Article 10
Article 17
Article 18
Article 19
Cybersecurity obligations
1 Aug 2025Article 3(3)(d), (e), (f) cybersecurity, privacy, and fraud prevention requirements become applicable.
Products failing to meet RED requirements cannot bear CE marking and cannot be placed on the EU market. National market surveillance authorities can order product withdrawal or recall.
From August 2025, internet-connected radio equipment must meet specific cybersecurity standards.
Law4Devs provides the full RED as structured JSON. Filter by essential requirement type, product category, or economic operator role. Cross-reference with the CRA and CSA.
GET /v1/frameworks/red/articles → 200 OK · structured JSON · official EUR-Lex source
The Radio Equipment Directive (2014/53/EU) establishes a regulatory framework for placing radio equipment on the EU market. It sets essential requirements covering safety, electromagnetic compatibility, and efficient use of the radio spectrum. Crucially, Article 3(3)(d), (e), and (f) — activated by Delegated Regulation (EU) 2022/30 — add cybersecurity, privacy protection, and fraud prevention requirements for internet-connected radio equipment. These new cybersecurity obligations apply from 1 August 2025, making RED a key regulation for IoT device manufacturers.
The RED applies to manufacturers of radio equipment placed on the EU market, their authorised representatives, importers, and distributors. Radio equipment includes any product that intentionally emits or receives radio waves for communication or radio determination — from smartphones and Wi-Fi routers to IoT sensors, Bluetooth devices, and connected home appliances. Starting August 2025, the cybersecurity delegated act extends requirements to all internet-connected radio equipment, wearable devices, and child-related products with radio capability.
From 1 August 2025, internet-connected radio equipment must not harm network or infrastructure integrity (Article 3(3)(d)), must include safeguards to protect personal data and privacy (Article 3(3)(e)), and must support features to prevent fraud (Article 3(3)(f)). Manufacturers must perform conformity assessments, apply CE marking, and issue EU declarations of conformity. The CRA will eventually take over many of these cybersecurity requirements, with a transition period coordinated between the two regulations.
Law4Devs provides the full RED text as structured JSON via API. Filter by essential requirement type (safety, EMC, spectrum, cybersecurity, privacy), product category, or economic operator role. Access specific provisions on conformity assessment procedures, CE marking requirements, and delegated act cybersecurity obligations. Cross-reference with the CRA for overlapping product cybersecurity requirements and with the CSA for certification frameworks.
All articles, recitals, and amendments — queryable, filterable, and always up to date.