---
title: "RED Cyber Compliance Workflow for Article 3(3)(d/e/f)"
canonical_url: "https://www.sorena.io/artifacts/eu/radio-equipment-directive/cyber-compliance-workflow"
source_url: "https://www.sorena.io/artifacts/eu/radio-equipment-directive/cyber-compliance-workflow"
author: "Sorena AI"
description: "A source-linked RED cybersecurity workflow for internet-connected radio equipment, privacy and data safeguards, payment-fraud features, evidence packs, and CE release gates."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "RED cyber compliance workflow"
  - "Radio Equipment Directive cybersecurity"
  - "Article 3(3)(d)"
  - "Article 3(3)(e)"
  - "Article 3(3)(f)"
  - "Delegated Regulation (EU) 2022/30"
  - "EU Radio Equipment Directive"
  - "RED Article 3(3)(d)"
  - "RED Article 3(3)(e)"
  - "RED Article 3(3)(f)"
  - "Commission Delegated Regulation (EU) 2022/30"
  - "RED cybersecurity evidence"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# RED Cyber Compliance Workflow for Article 3(3)(d/e/f)

A source-linked RED cybersecurity workflow for internet-connected radio equipment, privacy and data safeguards, payment-fraud features, evidence packs, and CE release gates.

*Cyber workflow* *RED Article 3(3)(d/e/f)*

## RED cybersecurity compliance workflow

Build a release-ready evidence trail for radio equipment affected by Article 3(3)(d), (e), and (f) of Directive 2014/53/EU as activated by Commission Delegated Regulation (EU) 2022/30.

Use this workflow to classify the product, decide which cyber requirements apply, capture safeguards and test evidence, and document the conformity-assessment route before CE release.

RED cyber compliance starts with a product-specific classification, not a generic security checklist. For each radio product, record whether Article 3(3)(d), (e), or (f) applies, why any derogation applies, which standards or notified-body route supports the claim, and where the evidence lives in the technical documentation.

## Classify the radio equipment against Article 3(3)(d), (e), and (f)

Start with the actual product architecture and user journey. Article 3(3)(d) is triggered by internet-connected radio equipment. Article 3(3)(e) depends on the listed equipment categories and whether the equipment can process personal data, traffic data, or location data. Article 3(3)(f) applies to internet-connected radio equipment that enables the holder or user to transfer money, monetary value, or virtual currency.

The classification memo should be short enough to review at release, but detailed enough to show how firmware, companion apps, cloud services, sensors, payment functions, and user roles were considered.

- Record whether the product can communicate over the internet directly or through another device.
- For Article 3(3)(e), check internet-connected equipment, childcare equipment, toys with radio functions, and wearable radio equipment against the relevant data-processing facts.
- For Article 3(3)(f), identify any payment, stored-value, wallet, subscription, in-app purchase, or virtual-currency transfer function enabled through the equipment.
- Document out-of-scope conclusions with the product facts and the exact legal source, not with labels such as low risk or not connected.

Sources for this answer:

- [Directive 2014/53/EU on radio equipment](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Primary RED text defining the Article 3(3)(d), (e), and (f) essential requirements.
- [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Delegated act specifying the categories and classes of radio equipment affected by Article 3(3)(d), (e), and (f).

## Check derogations and the application date before opening release gates

Before assigning controls, confirm whether another EU regime removes the product from one or more RED cyber requirements. Delegated Regulation (EU) 2022/30 excludes radio equipment covered by medical-device and in vitro diagnostic medical-device rules from Article 3(3)(d), (e), and (f). It also excludes equipment covered by the cited aviation, motor-vehicle, and electronic-road-toll legislation from Article 3(3)(e) and (f).

The application date was changed by Commission Delegated Regulation (EU) 2023/2444. Treat 1 August 2025 as the operative date for the delegated RED cyber requirements unless a product team is documenting voluntary early compliance.

- Keep a derogation decision row for each candidate regime rather than burying the answer in meeting notes.
- If only Article 3(3)(e) or (f) is excluded, continue the Article 3(3)(d) network-harm analysis where the product is internet-connected radio equipment.
- Tie release gates, supplier attestations, and test-plan due dates to the 1 August 2025 application date.
- Flag legal review when the product combines regulated medical, vehicle, aviation, tolling, payment, childcare, toy, wearable, or telecom-network functions.

Sources for this answer:

- [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Source for the listed derogations from Article 3(3)(d), (e), and (f), and from Article 3(3)(e) and (f).
- [Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Amends Delegated Regulation (EU) 2022/30 so the RED cybersecurity requirements apply from 1 August 2025.

## Build the Article 3(3)(d/e/f) evidence matrix

The evidence matrix should connect each applicable RED cyber requirement to concrete product evidence. A reviewer should be able to trace from the legal trigger to the product feature, safeguard, verification result, residual issue, release owner, and technical-documentation location.

Do not use a single cybersecurity policy as the only evidence. RED evidence should include product-specific architecture, firmware and software behavior, data flows, authentication and access controls, update behavior, abuse cases, test results, supplier inputs, and conformity-assessment decisions.

- For Article 3(3)(d), capture network-resilience evidence showing how the equipment avoids harming networks, misusing network resources, or causing unacceptable degradation of service.
- For Article 3(3)(e), capture privacy and data-protection safeguards for personal data, traffic data, and location data, including default access, encryption, authentication, and unauthorized transmission risks where relevant.
- For Article 3(3)(f), capture payment-fraud safeguards such as user authentication, transaction authorization, fraud-abuse testing, and limits around money, monetary value, or virtual-currency transfer functions.
- Link each evidence row to a test report, design record, supplier declaration, software bill or version record, issue tracker item, risk decision, or technical-file section.

Sources for this answer:

- [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Explains the network, personal-data and privacy, and fraud risks behind the activated RED essential requirements.
- [European Commission - cybersecurity of wireless devices and products](https://ec.europa.eu/growth/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en?ref=sorena.io) - Commission announcement summarizing the network-resilience, privacy, and monetary-fraud objectives of the delegated act.

*Recommended next step*

*Placement: after implementation section*

## Turn the RED cyber workflow into release evidence

Use Sorena to convert product facts, supplier inputs, standards decisions, and Article 3(3)(d/e/f) evidence into a reviewable RED cybersecurity pack.

- [Open Research Copilot](/solutions/research-copilot.md): Answer RED scope, timing, and interpretation questions with cited outputs.
- [Talk through implementation](/contact.md): Review your product classification, evidence matrix, standards route, and release gates.

## Choose the standards, notified-body, and CE documentation route

After classification and evidence mapping, decide how the manufacturer will demonstrate conformity. Harmonised standards can support presumption of conformity when they are available and cited for the relevant requirement, but standards are not mandatory. Where the standards route does not support the claim, document the alternative conformity-assessment route and whether a notified body is needed.

Keep cyber evidence aligned with the broader RED technical documentation, EU declaration of conformity, CE marking decision, instructions, and post-release change controls. A firmware or cloud-service change can undermine the original evidence if the release process does not re-run the affected Article 3(3)(d/e/f) checks.

- Record the exact harmonised standard, edition, OJEU citation status, requirement coverage, and test-lab output used for each claim.
- Where no suitable harmonised standard is used, record the conformity-assessment module, notified-body involvement, certificate or opinion reference, and unresolved limitations.
- Add a release hold if a cyber evidence row is missing, the product facts changed, a supplier component changed, or the standard cited no longer supports the claim.
- After launch, re-run the workflow for security incidents, vulnerability fixes, material software updates, supplier substitutions, and authority or customer requests.

Sources for this answer:

- [European Commission - harmonised standards overview](https://single-market-economy.ec.europa.eu/single-market/goods/european-standards/harmonised-standards_en?ref=sorena.io) - Commission source for harmonised standards and presumption-of-conformity context.
- [Commission Notice - Blue Guide on EU product rules (2022)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A52022XC0629%2804%29&ref=sorena.io) - General EU product-law guidance for manufacturer responsibility, conformity assessment, CE marking, and technical documentation.
- [European Commission - cybersecurity of wireless devices and products](https://ec.europa.eu/growth/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en?ref=sorena.io) - Commission source noting standards support and notified-body assessment as conformity routes for the new RED cyber requirements.

## Primary sources

- [Directive 2014/53/EU on radio equipment](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Primary RED legal source for radio-equipment scope and Article 3 essential requirements.
  - Quote: "radio equipment"
- [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Delegated act activating Article 3(3)(d), (e), and (f) for specified categories and classes of radio equipment.
  - Quote: "essential requirements referred to in Article 3(3)"
- [Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Amends Delegated Regulation (EU) 2022/30 by changing the application date to 1 August 2025 and correcting Article 1(2) wording.
  - Quote: "It shall apply from 1 August 2025."
- [European Commission - cybersecurity of wireless devices and products](https://ec.europa.eu/growth/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en?ref=sorena.io) - Commission announcement explaining the network-resilience, privacy, and monetary-fraud objectives behind the RED cybersecurity delegated act.
  - Quote: "Reduce the risk of monetary fraud"
- [European Commission - harmonised standards overview](https://single-market-economy.ec.europa.eu/single-market/goods/european-standards/harmonised-standards_en?ref=sorena.io) - Commission overview for harmonised standards and presumption of conformity.
  - Quote: "Harmonised standards are European standards"
- [Commission Notice - Blue Guide on EU product rules (2022)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A52022XC0629%2804%29&ref=sorena.io) - EU product-law guidance for conformity assessment, technical documentation, CE marking, and manufacturer responsibility.
  - Quote: "The manufacturer is responsible for the conformity assessment."

## Related Topic Guides

- [Are radio kits and evaluation boards covered by the RED? | RED FAQ](/artifacts/eu/radio-equipment-directive/faq/kits.md): RED FAQ for radio kits, construction kits, amateur-radio kits, and custom-built professional R&D evaluation boards under Directive 2014/53/EU.
- [EU Radio Equipment Directive Timeline: practical guide](/artifacts/eu/radio-equipment-directive/timeline.md): EU Radio Equipment Directive guide to Timeline with scope decisions, owner actions, evidence records, source-linked citations, and practical next steps.
- [EU RED Applicability Test for Radio Equipment](/artifacts/eu/radio-equipment-directive/applicability-test.md): Decide whether Directive 2014/53/EU applies to a connected product, which RED requirements are triggered, and what evidence belongs in the technical file.
- [EU RED Common Charger FAQ: Which devices need USB-C?](/artifacts/eu/radio-equipment-directive/faq/common-charger.md): FAQ on EU RED common charger scope, 28 December 2024 and 28 April 2026 dates, USB-C, USB Power Delivery, charger unbundling, labels, pictograms, and evidence.
- [EU RED Common Charger Obligations: USB-C scope, dates, labels](/artifacts/eu/radio-equipment-directive/common-charger-obligations.md): source-linked RED common charger guide covering in-scope device categories, 28 December 2024 and 28 April 2026 dates, USB-C, USB PD, charger unbundling, labels, pictograms, and evidence.
- [EU RED compliance evidence guide](/artifacts/eu/radio-equipment-directive/compliance.md): Build a Radio Equipment Directive compliance file with Article 3 requirement mapping, harmonised-standard checks, conformity assessment evidence, EU declarations, CE marking, and RED source links.
- [EU RED Cybersecurity Product Categories: 2022/30 scope](/artifacts/eu/radio-equipment-directive/cybersecurity-delegated-act-product-categories.md): source-linked guide to RED Delegated Regulation (EU) 2022/30 product categories for Article 3(3)(d), (e), and (f), carve-outs, 1 August 2025 application, and release evidence.
- [EU RED FAQ: Scope, CE and USB-C](/artifacts/eu/radio-equipment-directive/faq.md): Answers to common EU RED questions on radio equipment scope, Article 3 requirements, cybersecurity, USB-C common charger rules, CE marking, and technical-file evidence.
- [EU RED Radio Equipment Scope: products and exclusions](/artifacts/eu/radio-equipment-directive/radio-equipment-scope.md): Decide whether a product is radio equipment under Directive 2014/53/EU, with RED scope tests, exclusions, examples, and evidence records.
- [EU RED Requirements Map: CE and Article 3](/artifacts/eu/radio-equipment-directive/requirements.md): Map Radio Equipment Directive requirements for radio products: Article 3 safety, EMC, spectrum, selected Article 3(3) duties, common charger rules, conformity assessment, CE marking, EU declaration, and technical documentation.
- [EU RED Scope and Classification](/artifacts/eu/radio-equipment-directive/scope-and-classification.md): Classify products under the EU Radio Equipment Directive with source-linked tests for radio equipment scope, exclusions, Article 3 requirement buckets, cybersecurity, common charging, and evidence records.
- [EU RED Scope Classification Workflow](/artifacts/eu/radio-equipment-directive/red-scope-classification-workflow.md): Classify products under the EU Radio Equipment Directive with a source-linked workflow for RED scope, exclusions, Article 3 requirements, standards, CE evidence, cybersecurity, and common-charger triggers.
- [RED Article 10 labelling, instructions, and restrictions](/artifacts/eu/radio-equipment-directive/article-10-labelling-and-restrictions.md): source-linked RED Article 10 guide for radio equipment labels, manufacturer contact details, instructions, DoC statements, frequency information, and use restrictions.
- [RED Article 3 requirement selection workflow](/artifacts/eu/radio-equipment-directive/article-3-requirement-selection-workflow.md): Select the right RED Article 3 branches for radio equipment: safety, EMC, spectrum, delegated Article 3(3) duties, cybersecurity, common charging, evidence, and conformity assessment.
- [RED Article 3 Requirements: Safety, EMC, Spectrum and Cyber](/artifacts/eu/radio-equipment-directive/article-3-1-3-2-and-3-3-requirements.md): Map Radio Equipment Directive Article 3(1), 3(2), and 3(3) requirements to safety, EMC, spectrum, interoperability, emergency, software, and cyber evidence.
- [RED Compliance Checklist for Radio Equipment](/artifacts/eu/radio-equipment-directive/checklist.md): source-linked RED checklist for radio equipment scope, Article 3 requirements, technical documentation, DoC, CE marking, cybersecurity, common charger, and notified-body decisions.
- [RED compliance deadlines calendar: 2016, 2024, 2025 and 2026 dates](/artifacts/eu/radio-equipment-directive/deadlines-and-compliance-calendar.md): Calendar the EU Radio Equipment Directive deadlines that affect launches: RED applicability, transition end, common charger dates, cybersecurity requirements, OJEU standards, CE marking, declarations and technical files.
- [RED conformity assessment and CE marking](/artifacts/eu/radio-equipment-directive/conformity-assessment-and-ce.md): EU Radio Equipment Directive guide to Article 17 conformity modules, notified-body triggers, technical documentation, EU declarations, and CE marking.
- [RED Conformity Assessment Template](/artifacts/eu/radio-equipment-directive/red-conformity-assessment-template.md): Template fields for documenting RED Article 3 requirements, Article 17 route selection, harmonised standards, notified-body evidence, technical documentation, EU declaration, CE marking, cybersecurity, and common-charger checks.
- [RED Cybersecurity Delegated Act Guide | Article 3(3)(d/e/f)](/artifacts/eu/radio-equipment-directive/red-cybersecurity-delegated-act-guide.md): Practical guide to Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive, covering Article 3(3)(d), (e), and (f) cybersecurity scope, 1 August 2025 application, evidence, standards, and notified-body checkpoints.
- [RED Cybersecurity Requirements for Radio Equipment](/artifacts/eu/radio-equipment-directive/cybersecurity-requirements.md): EU RED cybersecurity requirements under Article 3(3)(d), (e), and (f): scope, affected radio equipment, application date, standards, notified bodies, and evidence.
- [RED DoC and CE marking file: what to include](/artifacts/eu/radio-equipment-directive/faq/doc-and-ce.md): FAQ answer for Radio Equipment Directive declarations of conformity, CE marking evidence, technical documentation, notified-body records, and related labels.
- [RED EMC and LVD Safety Interplay for Radio Equipment](/artifacts/eu/radio-equipment-directive/emc-and-lvd-safety-interplay.md): Explain how EU RED Article 3 applies LVD safety objectives and EMC requirements to radio equipment, with evidence, test-plan, and technical-file guidance.
- [RED Harmonised Standards and Test Plans: OJEU evidence guide](/artifacts/eu/radio-equipment-directive/harmonized-standards-and-test-plans.md): Build a Radio Equipment Directive standards matrix and test plan around OJEU-cited harmonised standards, Article 3 requirements, Article 17 route triggers, and Annex V technical-file evidence.
- [RED importer obligations FAQ | Directive 2014/53/EU](/artifacts/eu/radio-equipment-directive/faq/importers.md): What importers must check before placing radio equipment on the EU market: conformity assessment, spectrum use, technical documentation, EU declaration, CE marking, traceability, instructions, restrictions, storage, corrective action, and authority cooperation.
- [RED notified body route selection under Article 17](/artifacts/eu/radio-equipment-directive/notified-body-route-selection.md): Decide when RED radio equipment can use internal production control and when Article 17 requires Annex III EU-type examination or Annex IV full quality assurance.
- [RED Notified Body Trigger Workflow: Article 17 evidence guide](/artifacts/eu/radio-equipment-directive/notified-body-trigger-workflow.md): Decide when the EU Radio Equipment Directive needs a notified body by mapping Article 3 requirements, OJEU-cited harmonised standards, Annex III EU-type examination, and Annex IV full quality assurance evidence.
- [RED penalties, fines, and enforcement actions](/artifacts/eu/radio-equipment-directive/penalties-and-fines.md): EU Radio Equipment Directive penalties guide covering Article 46, Member State penalty rules, recalls, withdrawals, formal non-compliance, and enforcement evidence.
- [RED radio modules FAQ: host product assessment](/artifacts/eu/radio-equipment-directive/faq/radio-modules.md): FAQ on how Directive 2014/53/EU treats RF modules and host products, including module evidence, final-product responsibility, Article 3 assessment, technical documentation, instructions, antennas, software, and DoC records.
- [RED SAR and RF Exposure Evidence FAQ](/artifacts/eu/radio-equipment-directive/faq/sar-and-wireless-exposure.md): What SAR and RF exposure evidence to keep under the EU Radio Equipment Directive, including Article 3(1)(a), foreseeable use, frequency, power, antenna, and standards evidence.
- [RED software update impact for radio equipment](/artifacts/eu/radio-equipment-directive/software-update-impact.md): Assess when firmware, app, and software updates can affect EU Radio Equipment Directive conformity, technical documentation, DoC, standards, and notified-body evidence.
- [RED standards not cited in the OJEU: can you use them?](/artifacts/eu/radio-equipment-directive/faq/standards-not-cited-in-ojeu.md): FAQ answer for Radio Equipment Directive products when a standard is useful but not OJEU-cited, including presumption of conformity, Article 17 route selection, and technical-file evidence.
- [RED vs Cyber Resilience Act: radio equipment cyber scope](/artifacts/eu/radio-equipment-directive/red-vs-cyber-resilience-act.md): Compare RED cybersecurity duties with Cyber Resilience Act planning for connected radio equipment, using grounded RED scope, evidence, dates, and caveats.
- [RED vs EMC Directive: when radio equipment uses RED instead of EMCD](/artifacts/eu/radio-equipment-directive/red-vs-emc.md): Compare the EU Radio Equipment Directive and EMC Directive for radio products, EMC evidence, CE marking, declarations, technical files, and scope boundaries.
- [RED vs ETSI EN 303 645: IoT cyber evidence comparison](/artifacts/eu/radio-equipment-directive/red-vs-etsi-en-303-645.md): Compare EU RED cybersecurity duties with ETSI EN 303 645 evidence reuse for connected radio products, OJEU standards, CE files, and 1 August 2025 planning.
- [RED vs LVD: when radio equipment uses RED for electrical safety](/artifacts/eu/radio-equipment-directive/red-vs-lvd.md): Compare the EU Radio Equipment Directive and Low Voltage Directive for radio-product safety, voltage limits, CE marking, technical files, and declarations.
- [RED vs Market Surveillance Regulation: radio equipment compliance roles](/artifacts/eu/radio-equipment-directive/red-vs-msr.md): Compare RED product conformity duties with EU Market Surveillance Regulation controls for radio equipment, online sales, responsible operators, customs holds, and evidence.
- [RED vs UK PSTI for connected radio products](/artifacts/eu/radio-equipment-directive/red-vs-uk-psti.md): Compare EU RED duties with UK PSTI planning for connected radio products: scope, actors, evidence, cybersecurity overlap, CE marking, and separate UK product-security workstreams.
- [When do RED cybersecurity requirements apply to connected radio equipment? | RED FAQ](/artifacts/eu/radio-equipment-directive/faq/cybersecurity-applicability.md): RED FAQ explaining when Article 3(3)(d), (e), and (f) cybersecurity requirements apply to internet-connected, childcare, toy, wearable, and payment-capable radio equipment.
- [Which receivers and transmitters are covered by RED? | Directive 2014/53/EU FAQ](/artifacts/eu/radio-equipment-directive/faq/receivers-and-transmitters.md): RED scope FAQ for products that intentionally emit or receive radio waves for radio communication or radiodetermination, including receiver-only products, transmitters, accessory-dependent products, and common exclusions.
- [Wi-Fi and Bluetooth Products Under the EU RED](/artifacts/eu/radio-equipment-directive/faq/wi-fi-and-bluetooth-products.md): FAQ for assessing Wi-Fi, Bluetooth, BLE and other short-range wireless products under the EU Radio Equipment Directive, including Article 3, CE, technical file, cybersecurity and notified-body triggers.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/radio-equipment-directive/cyber-compliance-workflow