EU 2022/30Cybersecurity

EU Radio Equipment Directive (RED) Cybersecurity Requirements

Treat RED cybersecurity like a certification-grade control set.

Output: controls + tests + technical file evidence for 1 Aug 2025 applicability.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 21, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 21, 2026

Overview

Delegated Regulation (EU) 2022/30 activates cybersecurity-related essential requirements in the RED for defined radio equipment categories. If you ship internet-connected radio products, wearables, childcare products with radio, or devices handling sensitive data or value transfers, treat cybersecurity as part of your CE evidence pack, not as a separate security policy.

Section 1

What (EU) 2022/30 does (in plain language)

The RED already contains cybersecurity-related essential requirements in Article 3(3)(d), (e) and (f). The delegated regulation makes them applicable to specific categories of radio equipment.

It applies from 1 August 2025 because Regulation (EU) 2023/2444 postponed the original start date, and it does not prevent voluntary early compliance.

Date: applies from 1 Aug 2025
It activates: network protection, privacy/personal data protection, and fraud protection
It is CE-relevant: you must be able to demonstrate compliance in your technical documentation

Section 2

Which products are in scope (the practical triggers)

Scope is defined by product characteristics. Use architecture and data-flow facts, not marketing labels.

If your product category is unclear, document your interpretation and keep it with the technical file.

Internet-connected radio equipment: triggers network protection (Article 3(3)(d))
Equipment processing personal data or traffic/location data: triggers privacy/data protection (Article 3(3)(e))
Internet-connected equipment enabling transfer of money/monetary value/virtual currency: triggers fraud protection (Article 3(3)(f))
Special attention categories discussed in the delegated regulation include childcare products, toys, and wearable radio equipment
Check the consolidated derogations for products already subject to Regulation (EU) 2018/1139, Regulation (EU) 2019/2144, or Directive (EU) 2019/520

Section 3

Translate requirements into controls (what 'good' looks like)

Avoid generic statements like we are secure. Build a control set that maps to the three activated requirements and can be verified.

Make controls measurable: configuration baselines, security objectives, and test evidence.

Network protection: secure boot chain, hardening, network-service minimisation, resilience against misuse (e.g., botnet enrolment patterns)
Privacy/data protection: data minimisation, secure storage, access control, secure communications, and privacy-by-design decisions documented
Fraud protection: strong authentication, transaction integrity, anti-tampering, and abuse monitoring for value transfer flows
Update and vulnerability handling: patchability and disclosure/response processes as part of lifecycle controls

Recommended next step

Turn EU Radio Equipment Directive (RED) Cybersecurity Requirements into an operational assessment

Assessment Autopilot can take EU Radio Equipment Directive (RED) Cybersecurity Requirements from turning the requirements into assigned actions to a reusable workflow inside Sorena. Teams working on EU Radio Equipment Directive (RED) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU Radio Equipment Directive (RED) Cybersecurity Requirements

Start from EU Radio Equipment Directive (RED) Cybersecurity Requirements and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU Radio Equipment Directive (RED)

Review your current process, evidence gaps, and next steps for EU Radio Equipment Directive (RED) Cybersecurity Requirements.

Explore next step

Section 4

Evidence pack (what to keep for CE and market surveillance)

Your evidence should be structured so you can answer authority questions quickly.

Treat the cybersecurity pack as a module in the technical documentation: traceability matters.

Scope memo: why (EU) 2022/30 does/doesn't apply + which requirement(s) are triggered
Architecture + threat model: trust boundaries, data flows, security objectives
Verification: test plan and results (including negative tests and misuse cases)
Operational lifecycle: update policy, vulnerability intake/response, and change-control records

Primary sources