RED Delegated Act (EU 2022/30) — Cybersecurity Requirements for Radio Equipment
The RED Delegated Act (Commission Delegated Regulation EU 2022/30) is the legal instrument that activated the latent cybersecurity clauses of the Radio Equipment Directive (2014/53/EU, “RED”). Articles 3(3)(d), (e), and (f) had been embedded in the directive since 2014 but were never enforced. The Delegated Act changed that — making cybersecurity compliance mandatory for internet-connected radio equipment placed on the EU market from 1 August 2025.
Key Facts
| Detail | Information |
|---|---|
| Full citation | Commission Delegated Regulation (EU) 2022/30 |
| Published | 29 October 2021 (entered into force 12 January 2022) |
| Compliance mandatory | 1 August 2025 |
| Legal basis | Article 3(3)(d)(e)(f) of Radio Equipment Directive 2014/53/EU |
| Applicable products | Internet-connected radio equipment (Wi-Fi, Bluetooth, LTE, NB-IoT, Zigbee, LoRa, and any other radio interface with internet connectivity) |
| CE marking consequence | Products not meeting Article 3(3)(d/e/f) cannot receive a CE mark under RED post August 2025 |
| Harmonised standards | EN 18031-1 (network), EN 18031-2 (privacy), EN 18031-3 (anti-fraud) |
The Three Cybersecurity Articles Activated
The Delegated Act activates three distinct articles, each addressing a different dimension of cybersecurity risk:
| Article | Obligation | Who It Applies To |
|---|---|---|
| 3(3)(d) | Network protection — equipment must not harm networks, must not misuse network resources | Any device that connects to the internet via any radio interface |
| 3(3)(e) | Privacy and personal data protection — equipment must incorporate safeguards against unauthorised access to personal data, location data, and traffic data | Devices that process, store, or transmit personal data or location data |
| 3(3)(f) | Anti-fraud protection — devices must feature protections against fraudulent financial transactions | Devices capable of initiating, processing, or authorising financial transactions |
Almost every internet-connected radio product must comply with at least Article 3(3)(d) — this includes Wi-Fi sensors, Bluetooth wearables, LTE trackers, smart home devices, NB-IoT industrial gateways, and any other product that connects to a network via radio.
Which Products Are Affected?
The Delegated Act applies to a wide range of product categories:
Consumer products:
- Smart speakers and displays
- Wi-Fi / LTE routers and access points
- Bluetooth wearables (smartwatches, fitness trackers)
- Connected home appliances (thermostats, cameras, doorbells)
- Smart toys with internet connectivity
- E-health devices with wireless connectivity
Industrial and IoT products:
- Industrial IoT gateways and edge nodes
- NB-IoT and LoRaWAN asset trackers
- Smart meters with wireless readout
- Connected PLCs and field devices with radio interfaces
- Agricultural sensors with cellular connectivity
Products NOT in scope of the Delegated Act:
- Radio equipment used exclusively on ships, aircraft, or in defence
- Equipment placed on the market before 1 August 2025 (sold from stock, not manufactured after the deadline)
- Products covered by sector-specific regulations that exclude RED applicability (e.g., some military equipment)
Harmonised Standards: The EN 18031 Series
The European Commission published the EN 18031 series as the harmonised standards providing presumption of conformity for the Delegated Act requirements. Using these standards allows manufacturers to self-declare conformity — avoiding the need for mandatory third-party Notified Body assessment.
| Standard | Article | Scope |
|---|---|---|
| EN 18031-1 | 3(3)(d) — Network protection | All internet-connected radio devices: secure boot, unique credentials, minimal attack surface, secure updates, network resilience |
| EN 18031-2 | 3(3)(e) — Privacy | Devices processing personal or location data: data minimisation, encryption at rest, user consent, secure data deletion |
| EN 18031-3 | 3(3)(f) — Anti-fraud | Devices initiating financial transactions: transaction authentication, tamper evidence, hardware key storage, audit trail |
Manufacturers not applying the EN 18031 harmonised standards must undergo an EU-type examination by a Notified Body (Annex IV of RED) — a significantly more costly and time-consuming conformity route.
Compliance Pathway: Step by Step
1. Scope Determination
Confirm that the product is radio equipment as defined under RED and that it connects to the internet. Determine which Article 3(3) sub-paragraphs apply (d, e, f) based on product functionality.
2. Gap Analysis Against EN 18031
Map each EN 18031-1/2/3 requirement to the product’s current hardware and software architecture. Identify gaps — requirements that the current design cannot meet.
3. Hardware Architecture Validation
Determine whether identified gaps require hardware changes. Key questions:
- Does the MCU/SoC support hardware-anchored Secure Boot (OTP-fused root key)?
- Is there a hardware-protected keystore (Secure Element, TrustZone, eFuse)?
- Is there unique credential storage provisioned per device at manufacturing?
4. Secure Provisioning Process Design
Define the manufacturing-time provisioning process for per-device unique credentials, certificates, and signing keys.
5. Software Architecture Updates
Implement required software-layer security features: OTA update signing, network service hardening, credential storage APIs, data encryption, factory reset (data wipe).
6. Technical File Preparation
Compile the Technical File demonstrating conformity with EN 18031-1/2/3. It includes a requirements traceability matrix, test evidence, and a security architecture description.
7. Declaration of Conformity
The manufacturer issues the EU Declaration of Conformity citing the RED Delegated Act and the applicable EN 18031 parts, and affixes the CE mark.
Relationship to the CRA
Both the RED Delegated Act and the EU Cyber Resilience Act (CRA) impose cybersecurity requirements on connected hardware, but they are separate legal instruments with separate compliance paths and timelines:
| Aspect | RED Delegated Act | CRA (EU 2024/2847) |
|---|---|---|
| Legal basis | Radio Equipment Directive (2014/53/EU) | Standalone EU regulation |
| Scope | Radio equipment connected to internet | All products with digital elements |
| Mandatory from | 1 August 2025 | September 2026 (reporting) / December 2027 (full) |
| CE marking impact | Loss of CE mark for non-compliant radio products | Loss of CE mark for non-compliant digital products |
| Harmonised standards | EN 18031 series, EN 303 645 | EN 18031 series, IEC 62443 |
| Conformity route | Self-declaration (harmonised standard) or Notified Body | Self-declaration or Notified Body (based on risk class) |
Practical implication: A Wi-Fi or Bluetooth product must comply with both the RED Delegated Act (by August 2025) and the CRA (by December 2027). Full CRA compliance will satisfy most RED Delegated Act requirements — but the reverse is not guaranteed. The RED Delegated Act compliance path is the more urgent priority for products already in development.
Hardware-Level Requirements You Cannot Avoid
Unlike software-only regulations, the EN 18031 series contains requirements that cannot be satisfied through firmware updates alone on hardware not designed for security. This is the critical insight manufacturers must understand:
Secure Boot Requires Hardware Root of Trust
EN 18031-1 requires the device to verify firmware integrity before execution. This requires a hardware-anchored root of trust — typically OTP (one-time programmable) fuses in the SoC that hold the public key hash of the signing certificate. If your MCU does not support this, no amount of software can provide equivalent guarantees.
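The check described above, as an added example that is not taken from EN 18031 or from any vendor's boot ROM: the OTP fuses hold only a hash of the public key, the image carries the key itself, and the boot code accepts the key only if it hashes to the fused value before using it to verify the firmware signature. The image layout, function names and the deliberately insecure demo keys are assumptions made so the sketch runs with the Python standard library alone.

```python
import hashlib

# Constructed, INSECURE demo keys: RSA moduli built from Mersenne primes so the
# example needs only the standard library. Real devices use proper key generation.
E = 65537
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def make_key(a, b):
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

def pub_blob(n):
    """Public key as carried in the image header (modulus bytes; E is fixed)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def encode(digest, k):
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest for a k-byte modulus."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_image(firmware, n, d):
    """Build-server side: returns header public key, signature and payload."""
    k = len(pub_blob(n))
    em = int.from_bytes(encode(hashlib.sha256(firmware).digest(), k), "big")
    return {"pubkey": pub_blob(n), "sig": pow(em, d, n).to_bytes(k, "big"), "fw": firmware}

def boot_rom_verify(image, otp_key_hash):
    """Boot ROM side: returns 'boot' or the reason the image is rejected."""
    # Step 1: the header key is trusted only if its hash matches the OTP fuses.
    if hashlib.sha256(image["pubkey"]).digest() != otp_key_hash:
        return "reject: public key does not match OTP hash"
    # Step 2: check the signature over the firmware digest with that key.
    n, k = int.from_bytes(image["pubkey"], "big"), len(image["pubkey"])
    recovered = pow(int.from_bytes(image["sig"], "big"), E, n).to_bytes(k, "big")
    if recovered != encode(hashlib.sha256(image["fw"]).digest(), k):
        return "reject: firmware signature invalid"
    return "boot"

VENDOR_KEY = make_key(521, 607)                       # held by the build server
OTP_KEY_HASH = hashlib.sha256(pub_blob(VENDOR_KEY[0])).digest()  # fused at manufacturing

if __name__ == "__main__":
    good = sign_image(b"firmware v1.0 (constructed sample)", *VENDOR_KEY)
    print(boot_rom_verify(good, OTP_KEY_HASH))
    print(boot_rom_verify(dict(good, fw=good["fw"] + b"!"), OTP_KEY_HASH))
    rogue = sign_image(good["fw"], *make_key(1279, 2203))
    print(boot_rom_verify(rogue, OTP_KEY_HASH))
```

Step 1 is the part software alone cannot replace: if the reference hash lived in rewritable flash, whoever can rewrite the firmware could rewrite the reference as well.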
Unique Credentials Require Secure Provisioning Infrastructure
Each device must have a unique identifier and cryptographic credential. If your production line currently flashes the same firmware image to all units and relies on default credentials, you need to design a per-unit provisioning step — ideally using an HSM-based key injection station at manufacturing.
Personal Data Encryption Requires Key Management
EN 18031-2 requires stored personal data to be encrypted. Encryption keys must be derived from device-unique secrets. On devices without hardware key storage (Secure Element, TrustZone, eFuse-based protection), the key is only as protected as the flash memory — vulnerable to debugging or physical extraction.
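One way to derive storage keys from a device-unique secret, as an added example that is not part of the original page or of EN 18031-2: HKDF (RFC 5869) is chosen here for illustration, and the `DeviceStore` class, the `storage-demo:` label and the wipe-salt design for factory reset are assumptions. The secret is assumed to sit in hardware-protected storage; if it sits in plain flash, the derivation gives no more protection than the flash itself, as the paragraph above notes.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with HMAC-SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class DeviceStore:
    """Models one unit: a provisioned secret plus a wipe salt kept in flash."""

    def __init__(self, device_secret):
        self._secret = device_secret      # assumed: SE / TrustZone / eFuse-backed
        self.wipe_salt = os.urandom(16)   # regenerated on every factory reset

    def data_key(self, purpose):
        # One key per data class; the root secret never encrypts data directly.
        return hkdf_sha256(self._secret, self.wipe_salt, b"storage-demo:" + purpose)

    def factory_reset(self):
        # Crypto-erase: once the old salt is gone, the old data keys cannot be
        # re-derived. The old salt must really be erased from flash for this to hold.
        self.wipe_salt = os.urandom(16)

if __name__ == "__main__":
    # Constructed secrets standing in for per-unit values injected at manufacturing.
    unit_a, unit_b = DeviceStore(b"A" * 32), DeviceStore(b"B" * 32)
    print(unit_a.data_key(b"location") != unit_b.data_key(b"location"))
    before = unit_a.data_key(b"location")
    unit_a.factory_reset()
    print(unit_a.data_key(b"location") != before)
```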
Anti-Fraud Requires Tamper-Evident Hardware
EN 18031-3 for payment-capable devices requires tamper detection. This may require dedicated tamper-evident packaging, conductive meshes in the PCB, or a certified secure element — requirements that must be designed into the hardware from the start.
Penalties and Market Consequences
Manufacturers placing non-compliant radio equipment on the EU market after 1 August 2025 face:
- Loss of CE marking — products cannot legally be sold in the EU.
- Market withdrawal orders from national market surveillance authorities.
- Border seizures by EU customs authorities.
- Reputational damage from public product safety database listings.
The RED Delegated Act does not itself define a maximum monetary penalty; penalties are set by member state authorities. The combination of market access loss and recall costs, however, can be far more damaging than any fine.
Related Terms
- EN 18031 — The harmonised standard series providing the specific technical requirements for RED Article 3(3)(d/e/f) compliance.
- Radio Equipment Directive (RED) — Parent directive; the Delegated Act amends RED rather than creating a new directive.
- Secure Boot — Core hardware security requirement triggered by EN 18031-1.
- Hardware Root of Trust — Required foundation for EN 18031-1 compliance.
- OTA Update — Signed, authenticated OTA updates are mandated by EN 18031-1.
- CRA — Parallel EU regulation with later deadline but overlapping technical requirements.
- CE Marking — The market access tool at stake for non-compliance.
For radio equipment manufacturers facing the August 2025 deadline, Inovasense offers an end-to-end RED Delegated Act compliance service: gap analysis against EN 18031-1/2/3, hardware architecture validation (secure boot, secure element, provisioning process), technical file compilation, and Declaration of Conformity preparation. We identify hardware changes required before PCB layout is locked, preventing the expensive rework that catches manufacturers who discover compliance gaps at the testing stage. See our EU Compliance services and embedded security expertise.
Official References
- Commission Delegated Regulation (EU) 2022/30 — RED cybersecurity Delegated Act — EUR-Lex (activates Articles 3(3)(d)(e)(f) of RED)