Cybersecurity and the Radio Equipment Directive


On 29 October 2021 the Delegated Act to the Radio Equipment Directive (RED) was adopted by the European Commission (EU). By adopting this Act, the EU has laid down new legal requirements for cybersecurity of wireless devices.

IoT (internet of Things) devices, such as mobile phones, tablets, smartwatches, as well as wireless toys and baby monitors, are increasingly playing a very important role in our daily lives, both on a personal and industrial level. As the use of ‘smart’ devices increases, so do the risks of cyberthreats for every consumer.

The Delegated Act to the Radio Equipment Directive (RED)

The Delegated Act is related to Article 3 of Radio Equipment Directive (RED). It covers internet-connected radio, toy and wearable devices. Cyberthreats can manifest themselves in, e.g., the theft of data from a computer or placing spyware on a wireless device. In many cases, however, the consumer is unaware of these risks, reason why the European Commission has decided to adopt the Delegated Act, as a supplement to the existing RED that already provided some rules for the cybersecurity of IoT devices.

Specific aims of the Delegated Act

  • improve network security (article 3.3 (d) of RED)
  • improve security of the user’s privacy and personal data (article 3.3 (e) of RED)
  • prevention of monetary fraud (article 3.3 (f) of RED)

What does it mean for manufacturers?

The new delegated Act requires manufacturers of wireless devices to comply with the Radio Equipment Directive 2014/53/EU (RED) in regard to not only health & safety (article 3.1a), EMC (article 3.1b), and the efficient use of the radio spectrum (article 3.2), but also to the modified requirements for cyber security (article 3.3 d, e and f).

The new legal requirements must be upheld by the manufacturer for the research, design and production of IoT devices, before placing the devices on the EU market.

Transition period

The transition period of 30 months started as of 29 October 2021. After the transition period the new requirements of the delegated Act for RED will become mandatory.

Please note that devices that have already been placed on the market before the end of the transition period, will need no adjustments and can remain on the market.

Coming up!

This Delegated Act has been adopted within the scope of the new EU Cybersecurity Strategy which was presented in December 2020. This Strategy is aimed at fighting cyber threats, not only regarding telecommunications (RED), but also in other sectors where wireless devices are being used, such as finances (banks), energy and health.

In addition to the Delegated Act, a Cyber Resilience Act will also soon be adopted. This Act will cover more products, based on their life cycle.

Let’s get ready for the changes!

The experts of Certification Company are members of the the NEN IoT Product Security working group . This working group is part of the Cyber Security & Privacy Standards Committee. This standards committee is concerned with establishing standards in the field of Internet of Things (IoT). The standards committee also determines the Dutch position on the global and European standards that are under development.

Are you a manufacturer of IoT devices and are you planning to place your devices on the EU market? In that case, it is very important to anticipate the cybersecurity changes to your RED compliance. Contact our experts today! We are ready to assist you with the compliance of the IoT devices.

    Questions? Contact us Today

    Do you have more questions?

    Our experts help you further