Artifact GuideEU

EU RED cybersecurity product categories

Commission Delegated Regulation (EU) 2022/30 activates RED Article 3(3)(d), (e), and (f) for defined categories of radio equipment, including internet-connected products, childcare equipment, toy radio equipment, wearables, and payment-capable internet-connected radio equipment.

Use this page to map a product to the correct cybersecurity, privacy, and fraud-protection category, check the exclusions, confirm the 1 August 2025 application date, and retain release evidence.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 27, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 27, 2026
Overview

The RED cybersecurity delegated act is not a blanket cyber rule for every electronic product. It applies Article 3(3)(d), (e), and (f) of Directive 2014/53/EU to specific categories of radio equipment. A useful product-category review starts with whether the item is radio equipment, then separately checks internet connectivity, personal-data or traffic/location-data processing, childcare or toy status, wearable design, payment-transfer functionality, and the listed sector carve-outs.

Section 1

Which product categories trigger Article 3(3)(d), (e), and (f)?

Delegated Regulation (EU) 2022/30 applies three different RED Article 3(3) points to different category triggers. Article 3(3)(d), the network-protection requirement, applies to radio equipment that can communicate over the internet, whether directly or through another device.

Article 3(3)(e), the personal-data and privacy requirement, applies only when the covered radio equipment can process personal data, traffic data, or location data. The covered categories are internet-connected radio equipment, radio equipment designed or intended exclusively for childcare, radio equipment covered by the Toy Safety Directive, and radio equipment designed or intended to be worn on, strapped to, or hung from the body or clothing.

Article 3(3)(f), the fraud-protection requirement, applies to internet-connected radio equipment that enables the holder or user to transfer money, monetary value, or virtual currency.

  • Use Article 3(3)(d) for internet-connected radio equipment, including products that reach the internet through other equipment.
  • Use Article 3(3)(e) only after confirming both a covered category and the ability to process personal data, traffic data, or location data.
  • Treat baby monitors and other exclusively childcare radio equipment as a separate Article 3(3)(e) category, even if they are not internet-connected.
  • Treat toy radio equipment covered by Directive 2009/48/EC and wearable radio equipment as Article 3(3)(e) categories when the data-processing condition is met.
  • Use Article 3(3)(f) for internet-connected radio equipment that enables transfers of money, monetary value, or virtual currency.
Sources for this answer
Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity
Primary source defining the radio equipment categories covered by Article 3(3)(d), (e), and (f).
Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date
Amends and corrects Delegated Regulation (EU) 2022/30, including the Article 3(3)(e) introductory wording and the application date.
Section 2

What exclusions should be checked before scoping a product in?

The delegated act includes targeted exclusions, so a product-category decision should not stop at the first apparent match. Radio equipment covered by the Medical Devices Regulation or the In Vitro Diagnostic Medical Devices Regulation is excluded from the Article 3(3)(d), (e), and (f) requirements activated by Delegated Regulation (EU) 2022/30.

For Article 3(3)(e) and (f), the delegated act also excludes radio equipment covered by the civil aviation safety regulation, the motor vehicle general safety type-approval regulation, or the electronic road toll systems directive. Those exclusions do not erase RED generally; they narrow this delegated act's cybersecurity, privacy, and fraud category triggers.

  • Check Regulation (EU) 2017/745 and Regulation (EU) 2017/746 before applying Article 3(3)(d), (e), or (f) under this delegated act.
  • For Article 3(3)(e) and (f), also check Regulation (EU) 2018/1139, Regulation (EU) 2019/2144, and Directive (EU) 2019/520.
  • Record the exclusion analysis at product-family and variant level, because software, connectivity, payment, sensor, or market-positioning changes can alter the conclusion.
  • Do not use common-charger scope, CE-marking status, or generic IoT labels as substitutes for the delegated act category test.
Sources for this answer
Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity
Primary source for the delegated act exclusions for medical devices, in vitro diagnostic medical devices, civil aviation, motor vehicles, and electronic toll systems.
Directive 2014/53/EU on radio equipment
Primary RED source for the broader radio equipment framework into which the delegated act is inserted.
Section 3

When do the cybersecurity category requirements apply?

Delegated Regulation (EU) 2022/30 originally deferred application so economic operators had time to adapt. Delegated Regulation (EU) 2023/2444 replaced the application sentence and now states that the delegated act applies from 1 August 2025.

Treat 1 August 2025 as the release-planning date for the Article 3(3)(d), (e), and (f) categories in this delegated act. Do not mix this date with the separate RED common-charger dates or with future Cyber Resilience Act milestones unless the product review explicitly compares those regimes.

  • Use 1 August 2025 for the Delegated Regulation (EU) 2022/30 cybersecurity category application date.
  • Keep the category decision, standards strategy, conformity assessment route, security test evidence, and EU declaration update aligned to that date.
  • Flag any product that is already in market but will continue to be made available after the application date for legal, regulatory, quality, and release-owner review.
  • Recheck the category decision when harmonised standards, product functions, payment flows, data processing, intended use, or exclusion status changes.
Sources for this answer
Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date
Binding amendment replacing the application date for Delegated Regulation (EU) 2022/30 with 1 August 2025.
European Commission - Radio Equipment Directive
Commission RED overview noting the delegated act activation of Article 3(3)(d), (e), and (f) for certain categories of radio equipment.
Section 4

What evidence should a product-category review retain?

The evidence should let a reviewer repeat the category decision without reconstructing the product history. For each product family and market variant, keep the radio-equipment basis, connectivity route, internet-communication analysis, data-processing analysis, intended-use claims, childcare or toy classification, wearable design assessment, payment-transfer analysis, exclusions checked, applicable Article 3(3) points, standards position, and conformity assessment route.

This page is a scope artifact, not a full security-control catalogue. The product file still needs the security design, test reports, standards mapping, supplier inputs, software-version evidence, EU declaration of conformity, and notified-body documentation where the chosen RED conformity assessment route requires it.

  • Keep a dated category matrix that separately answers Article 3(3)(d), (e), and (f), rather than one combined yes/no cybersecurity label.
  • Attach product specifications showing radio function, internet communication, sensors, microphones, cameras, location features, cloud paths, payment flows, and intended user group.
  • Keep the exclusion check with citations to the sector legislation considered and the reason it did or did not apply.
  • Tie the result to release gates for design, firmware, app, cloud service, packaging claims, instructions, supplier declarations, standards updates, and conformity assessment.
  • Reopen the record after material firmware, hardware, data-processing, payment, accessory, intended-use, supplier, market, or legal-source changes.
Sources for this answer
Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity
Primary source for the product-category matrix and Article 3(3)(d), (e), and (f) scoping questions.
Directive 2014/53/EU on radio equipment
Primary RED source for conformity assessment, EU declaration of conformity, CE marking, and technical documentation context.
European Commission - harmonised standards for radio equipment
Commission page for RED harmonised standards, including references to the delegated cybersecurity act and standards updates.
Recommended next step

Turn RED cybersecurity scope into release evidence

Use this RED category guide to align product, regulatory, security, quality, legal, and supplier teams around Article 3(3)(d), (e), and (f) scope, exclusions, application timing, standards strategy, and retained evidence.

Research workflow
Open Research Copilot

Answer RED cybersecurity scope, category, timing, and evidence questions with cited outputs.

Explore next step
Talk to Sorena
Talk through implementation

Review your RED product-category matrix, exclusions, standards strategy, conformity route, and release evidence.

Explore next step
Primary sources

References and citations

Directive 2014/53/EU on radio equipment
eur-lex.europa.eu
Referenced sections
  • Primary RED source for conformity assessment, EU declaration of conformity, CE marking, and technical documentation context.
"EU declaration of conformity"
European Commission - Radio Equipment Directive
single-market-economy.ec.europa.eu
Referenced sections
  • Commission RED overview noting the delegated act activation of Article 3(3)(d), (e), and (f) for certain categories of radio equipment.
"activating Articles 3(3)(d), (e) and (f)"
Related guides

Explore more topics

Are radio kits and evaluation boards covered by the RED? | RED FAQ
RED FAQ for radio kits, construction kits, amateur-radio kits, and custom-built professional R&D evaluation boards under Directive 2014/53/EU.
EU Radio Equipment Directive Timeline: practical guide
EU Radio Equipment Directive guide to Timeline with scope decisions, owner actions, evidence records, source-linked citations, and practical next steps.
EU RED Applicability Test for Radio Equipment
Decide whether Directive 2014/53/EU applies to a connected product, which RED requirements are triggered, and what evidence belongs in the technical file.
EU RED Common Charger FAQ: Which devices need USB-C?
FAQ on EU RED common charger scope, 28 December 2024 and 28 April 2026 dates, USB-C, USB Power Delivery, charger unbundling, labels, pictograms, and evidence.
EU RED Common Charger Obligations: USB-C scope, dates, labels
source-linked RED common charger guide covering in-scope device categories, 28 December 2024 and 28 April 2026 dates, USB-C, USB PD, charger unbundling, labels, pictograms, and evidence.
EU RED compliance evidence guide
Build a Radio Equipment Directive compliance file with Article 3 requirement mapping, harmonised-standard checks, conformity assessment evidence, EU declarations, CE marking, and RED source links.
EU RED FAQ: Scope, CE and USB-C
Answers to common EU RED questions on radio equipment scope, Article 3 requirements, cybersecurity, USB-C common charger rules, CE marking, and technical-file evidence.
EU RED Radio Equipment Scope: products and exclusions
Decide whether a product is radio equipment under Directive 2014/53/EU, with RED scope tests, exclusions, examples, and evidence records.
EU RED Requirements Map: CE and Article 3
Map Radio Equipment Directive requirements for radio products: Article 3 safety, EMC, spectrum, selected Article 3(3) duties, common charger rules, conformity assessment, CE marking, EU declaration, and technical documentation.
EU RED Scope and Classification
Classify products under the EU Radio Equipment Directive with source-linked tests for radio equipment scope, exclusions, Article 3 requirement buckets, cybersecurity, common charging, and evidence records.
EU RED Scope Classification Workflow
Classify products under the EU Radio Equipment Directive with a source-linked workflow for RED scope, exclusions, Article 3 requirements, standards, CE evidence, cybersecurity, and common-charger triggers.
RED Article 10 labelling, instructions, and restrictions
source-linked RED Article 10 guide for radio equipment labels, manufacturer contact details, instructions, DoC statements, frequency information, and use restrictions.
RED Article 3 requirement selection workflow
Select the right RED Article 3 branches for radio equipment: safety, EMC, spectrum, delegated Article 3(3) duties, cybersecurity, common charging, evidence, and conformity assessment.
RED Article 3 Requirements: Safety, EMC, Spectrum and Cyber
Map Radio Equipment Directive Article 3(1), 3(2), and 3(3) requirements to safety, EMC, spectrum, interoperability, emergency, software, and cyber evidence.
RED Compliance Checklist for Radio Equipment
source-linked RED checklist for radio equipment scope, Article 3 requirements, technical documentation, DoC, CE marking, cybersecurity, common charger, and notified-body decisions.
RED compliance deadlines calendar: 2016, 2024, 2025 and 2026 dates
Calendar the EU Radio Equipment Directive deadlines that affect launches: RED applicability, transition end, common charger dates, cybersecurity requirements, OJEU standards, CE marking, declarations and technical files.
RED conformity assessment and CE marking
EU Radio Equipment Directive guide to Article 17 conformity modules, notified-body triggers, technical documentation, EU declarations, and CE marking.
RED Conformity Assessment Template
Template fields for documenting RED Article 3 requirements, Article 17 route selection, harmonised standards, notified-body evidence, technical documentation, EU declaration, CE marking, cybersecurity, and common-charger checks.
RED Cyber Compliance Workflow for Article 3(3)(d/e/f)
A source-linked RED cybersecurity workflow for internet-connected radio equipment, privacy and data safeguards, payment-fraud features, evidence packs, and CE release gates.
RED Cybersecurity Delegated Act Guide | Article 3(3)(d/e/f)
Practical guide to Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive, covering Article 3(3)(d), (e), and (f) cybersecurity scope, 1 August 2025 application, evidence, standards, and notified-body checkpoints.
RED Cybersecurity Requirements for Radio Equipment
EU RED cybersecurity requirements under Article 3(3)(d), (e), and (f): scope, affected radio equipment, application date, standards, notified bodies, and evidence.
RED DoC and CE marking file: what to include
FAQ answer for Radio Equipment Directive declarations of conformity, CE marking evidence, technical documentation, notified-body records, and related labels.
RED EMC and LVD Safety Interplay for Radio Equipment
Explain how EU RED Article 3 applies LVD safety objectives and EMC requirements to radio equipment, with evidence, test-plan, and technical-file guidance.
RED Harmonised Standards and Test Plans: OJEU evidence guide
Build a Radio Equipment Directive standards matrix and test plan around OJEU-cited harmonised standards, Article 3 requirements, Article 17 route triggers, and Annex V technical-file evidence.
RED importer obligations FAQ | Directive 2014/53/EU
What importers must check before placing radio equipment on the EU market: conformity assessment, spectrum use, technical documentation, EU declaration, CE marking, traceability, instructions, restrictions, storage, corrective action, and authority cooperation.
RED notified body route selection under Article 17
Decide when RED radio equipment can use internal production control and when Article 17 requires Annex III EU-type examination or Annex IV full quality assurance.
RED Notified Body Trigger Workflow: Article 17 evidence guide
Decide when the EU Radio Equipment Directive needs a notified body by mapping Article 3 requirements, OJEU-cited harmonised standards, Annex III EU-type examination, and Annex IV full quality assurance evidence.
RED penalties, fines, and enforcement actions
EU Radio Equipment Directive penalties guide covering Article 46, Member State penalty rules, recalls, withdrawals, formal non-compliance, and enforcement evidence.
RED radio modules FAQ: host product assessment
FAQ on how Directive 2014/53/EU treats RF modules and host products, including module evidence, final-product responsibility, Article 3 assessment, technical documentation, instructions, antennas, software, and DoC records.
RED SAR and RF Exposure Evidence FAQ
What SAR and RF exposure evidence to keep under the EU Radio Equipment Directive, including Article 3(1)(a), foreseeable use, frequency, power, antenna, and standards evidence.
RED software update impact for radio equipment
Assess when firmware, app, and software updates can affect EU Radio Equipment Directive conformity, technical documentation, DoC, standards, and notified-body evidence.
RED standards not cited in the OJEU: can you use them?
FAQ answer for Radio Equipment Directive products when a standard is useful but not OJEU-cited, including presumption of conformity, Article 17 route selection, and technical-file evidence.
RED vs Cyber Resilience Act: radio equipment cyber scope
Compare RED cybersecurity duties with Cyber Resilience Act planning for connected radio equipment, using grounded RED scope, evidence, dates, and caveats.
RED vs EMC Directive: when radio equipment uses RED instead of EMCD
Compare the EU Radio Equipment Directive and EMC Directive for radio products, EMC evidence, CE marking, declarations, technical files, and scope boundaries.
RED vs ETSI EN 303 645: IoT cyber evidence comparison
Compare EU RED cybersecurity duties with ETSI EN 303 645 evidence reuse for connected radio products, OJEU standards, CE files, and 1 August 2025 planning.
RED vs LVD: when radio equipment uses RED for electrical safety
Compare the EU Radio Equipment Directive and Low Voltage Directive for radio-product safety, voltage limits, CE marking, technical files, and declarations.
RED vs Market Surveillance Regulation: radio equipment compliance roles
Compare RED product conformity duties with EU Market Surveillance Regulation controls for radio equipment, online sales, responsible operators, customs holds, and evidence.
RED vs UK PSTI for connected radio products
Compare EU RED duties with UK PSTI planning for connected radio products: scope, actors, evidence, cybersecurity overlap, CE marking, and separate UK product-security workstreams.
When do RED cybersecurity requirements apply to connected radio equipment? | RED FAQ
RED FAQ explaining when Article 3(3)(d), (e), and (f) cybersecurity requirements apply to internet-connected, childcare, toy, wearable, and payment-capable radio equipment.
Which receivers and transmitters are covered by RED? | Directive 2014/53/EU FAQ
RED scope FAQ for products that intentionally emit or receive radio waves for radio communication or radiodetermination, including receiver-only products, transmitters, accessory-dependent products, and common exclusions.
Wi-Fi and Bluetooth Products Under the EU RED
FAQ for assessing Wi-Fi, Bluetooth, BLE and other short-range wireless products under the EU Radio Equipment Directive, including Article 3, CE, technical file, cybersecurity and notified-body triggers.