The Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, with requirements for spectrum management, electromagnetic compatibility (EMC), and health and safety. The RED includes Article 3.3, which identifies device requirements for specific categories of radio equipment, ranging from common interfaces to cybersecurity.

The Official Journal of the European Union published Delegated Regulation 2022/30/EU, which enforces compliance requirements under RED Article 3.3(d), (e) and (f). This section of the RED is specific to cybersecurity, personal data privacy and fraud protection for applicable wireless/IoT devices placed on the EU market. It took effect on February 1, 2022, and becomes mandatory as of August 1, 2025.

Article 3.3 of the Radio Equipment Directive

Article 3.3 covers the following aspects:

       Radio equipment interworks with accessories, i.e. Common USB Type C Charger EN IEC 62680-1-3:2021

       Radio equipment interworks via networks with other radio equipment

       Radio equipment can be connected to interfaces of the appropriate type throughout the EU

       Radio equipment does not harm the network or its functioning nor misuse network resources, causing an unacceptable degradation of service

       Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and the subscriber are protected.

       Radio equipment supports certain features ensuring protection from fraud.

       Radio equipment supports features ensuring access to emergency services.

       Radio equipment supports features in order to facilitate its use by users with a disability.

       Radio equipment supports features ensuring its software can only be loaded into the radio equipment where the compliance of the combination of the radio equipment and the software has been demonstrated.

The three points of the second subparagraph of Article 3(3) are relevant for compliance under the cybersecurity requirements: 

3(3)(d) to ensure network protection

3(3)(e) to ensure safeguards for the protection of personal data and privacy

3(3)(f) to ensure protection from fraud

Network protection under Article 3.3(d)

Article 3.3(d) improves network protection. Device manufacturers will have to include features that avoid harming communication networks and prevent the device from disrupting the functionality of websites or services.

Personal data and privacy under Article 3.3(e)

Article 3.3(e) strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data.

Anti-fraud measures under Article 3.3(f)

Article 3.3(f) reduces the risk of fraud. Device manufacturers will have to include features such as better user authentication control to minimize fraudulent electronic payments and monetary transfers.

Devices and Equipment

The cybersecurity requirements under the RED cover devices and related equipment that can communicate over the internet, whether directly or via other equipment. Any radio-based equipment that may expose sensitive personal data is also in scope.

       Mobile phones, tablets and laptops

       Wireless toys and children’s safety equipment, such as baby monitors

       Wearable devices, such as smartwatches and fitness trackers

Article 3.3(d) applies to devices and equipment related to network protection.

Article 3.3(e) applies to equipment that processes personal data, traffic data or location data. Detailed definitions can be found in EU regulation 2016/679 and directive 2002/58/EC.

Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in article EU directive 2019/713. Cybersecurity measures related to the electronic payments industry, such as ransomware, near-field communication-related fraud and biometric authentication, are applicable.

RED Exemptions for Cyber Security

Devices already within the scope of EC regulations 2019/2144 (type examination for vehicles), 2018/1139 (civil aviation) or directive 2019/520 (electronic road-toll systems) that have similar security requirements do not fall under the new Article 3.3 regulation. These types of equipment have additional testing requirements under the RED or other applicable directives.

Learn more about Cybersecurity Testing and Evaluation at D.L.S.