--- title: "When do RED cybersecurity requirements apply to connected radio equipment?" canonical_url: "https://www.sorena.io/artifacts/eu/radio-equipment-directive/faq/cybersecurity-applicability" source_url: "https://www.sorena.io/artifacts/eu/radio-equipment-directive/faq/cybersecurity-applicability" author: "Sorena AI" description: "RED FAQ explaining when Article 3(3)(d), (e), and (f) cybersecurity requirements apply to internet-connected, childcare, toy, wearable, and payment-capable radio equipment." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU Radio Equipment Directive cybersecurity applicability" - "RED Article 3(3)(d)" - "RED Article 3(3)(e)" - "RED Article 3(3)(f)" - "Delegated Regulation 2022/30" - "RED 1 August 2025" - "EU Radio Equipment Directive" - "RED" - "Cybersecurity Applicability" - "RED FAQ" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # When do RED cybersecurity requirements apply to connected radio equipment? RED FAQ explaining when Article 3(3)(d), (e), and (f) cybersecurity requirements apply to internet-connected, childcare, toy, wearable, and payment-capable radio equipment. *FAQ* *EU* ## RED FAQ Cybersecurity Applicability RED cybersecurity applicability turns on the product category and function, not on a generic connected-device label. Use this FAQ to decide whether Article 3(3)(d), (e), or (f) applies to internet-connected radio equipment, childcare devices, radio toys, wearables, or payment-capable equipment from 1 August 2025. RED cybersecurity requirements apply from 1 August 2025 when radio equipment falls into the categories specified by Commission Delegated Regulation (EU) 2022/30, as amended by Commission Delegated Regulation (EU) 2023/2444. In practice, check three triggers: whether the equipment can communicate itself over the internet, whether it is internet-connected, childcare, toy, or wearable radio equipment capable of processing personal, traffic, or location data, and whether internet-connected radio equipment enables transfer of money, monetary value, or virtual currency. ## When do RED cybersecurity requirements apply to connected radio equipment? Start with Article 3(3)(d): it applies to any radio equipment that can communicate itself over the internet, whether directly or through another device. That trigger is about the equipment's own capability to exchange data with the internet, not merely whether the product is used near a network. Then check Article 3(3)(e): it applies to covered equipment if it can process personal data under GDPR or traffic or location data under the ePrivacy Directive. The covered categories are internet-connected radio equipment, radio equipment designed or intended exclusively for childcare, radio equipment covered by the Toy Safety Directive, and wearable radio equipment. Finally check Article 3(3)(f): it applies to internet-connected radio equipment if the holder or user can use it to transfer money, monetary value, or virtual currency. The application date for these 2022/30 requirements is 1 August 2025. - Apply Article 3(3)(d) to internet-connected radio equipment for network protection and prevention of network-resource misuse. - Apply Article 3(3)(e) when the covered category and data-processing trigger are both present. - Apply Article 3(3)(f) when internet-connected radio equipment enables transfers of money, monetary value, or virtual currency. - Check the derogations in Delegated Regulation (EU) 2022/30 before concluding that an adjacent medical, vehicle, aviation, or electronic road-toll regime is also covered by the same RED cybersecurity points. Sources for this answer: - [Directive 2014/53/EU on radio equipment](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Binding RED source for Article 3 essential requirements and the legal basis for delegated acts activating Article 3(3)(d), (e), and (f). - [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Delegated source specifying the radio-equipment categories and classes for Article 3(3)(d), (e), and (f). - [Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Amending source that changes the 2022/30 application date and corrects the Article 3(3)(e) data wording. ## What facts decide RED cybersecurity applicability? The first fact is whether the item is radio equipment under RED and can communicate itself over the internet. Delegated Regulation (EU) 2022/30 treats direct and indirect internet communication as relevant, so a device that reaches the internet through a phone, hub, gateway, or other intermediate equipment can still be internet-connected for this assessment. The second fact is whether the equipment falls into a data-sensitive category. Article 3(3)(e) is not limited to ordinary internet-connected equipment; it also covers radio equipment designed or intended exclusively for childcare, radio equipment covered by the Toy Safety Directive, and wearable radio equipment when the data-processing trigger is met. The third fact is payment capability. If internet-connected radio equipment enables the holder or user to transfer money, monetary value, or virtual currency, map Article 3(3)(f) separately from the network-protection and privacy/data-protection checks. - Record the communications path: direct internet access, phone bridge, hub, cloud gateway, or another intermediate path. - List the data types the equipment can process, including personal data, traffic data, and location data where relevant. - State whether the product is intended for childcare, is a radio toy, is wearable, or supports payment or value-transfer flows. - Keep any exclusion or derogation analysis explicit; do not bury it in a generic RED checklist. Sources for this answer: - [Directive 2014/53/EU on radio equipment](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Binding RED source for the underlying essential requirements and Article 3(3) delegation mechanism. - [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Delegated source for the internet-connected, childcare, toy, wearable, and payment-transfer applicability triggers. - [Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Amending source confirming the current application date and corrected data-processing wording for Article 3(3)(e). ## Implementation checklist for RED cybersecurity applicability Use a short applicability record before choosing standards, tests, or notified-body routes. The record should answer which Article 3(3) point applies and why, rather than saying only that the product is connected or cyber-relevant. - Confirm the product is radio equipment and identify the radio function, software version, and market-placement scenario. - Test the Article 3(3)(d) trigger: can the equipment communicate itself over the internet, directly or indirectly? - Test the Article 3(3)(e) trigger: is the equipment internet-connected, childcare, toy, or wearable radio equipment, and can it process personal, traffic, or location data? - Test the Article 3(3)(f) trigger: can the holder or user transfer money, monetary value, or virtual currency through the internet-connected equipment? - Record the 1 August 2025 application date and the evidence source used for each yes, no, or escalation answer. Sources for this answer: - [Directive 2014/53/EU on radio equipment](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Binding RED source for Article 3 essential requirements used in the applicability record. - [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Delegated source for mapping Article 3(3)(d), (e), and (f) to covered equipment categories. - [Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Amending source for the 1 August 2025 application date. ## Common mistakes in RED cybersecurity scope decisions The biggest error is compressing all RED cybersecurity into a single yes/no label. The delegated act applies different Article 3(3) points to different equipment categories, so the record needs to show which point applies and which product fact triggered it. - Do not assume that every radio product with wireless connectivity is covered by every cybersecurity point. - Do not miss indirect internet communication through another device when applying Article 3(3)(d). - Do not apply Article 3(3)(e) without checking both the covered category and the personal, traffic, or location-data trigger. - Do not treat payment capability as only a software or service issue when the internet-connected radio equipment enables the transfer flow. - Do not use the original 1 August 2024 date after the 2023 amendment; use 1 August 2025. Sources for this answer: - [Directive 2014/53/EU on radio equipment](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Binding RED source for the essential-requirement framework behind the delegated cybersecurity act. - [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Delegated source for avoiding over-broad or under-inclusive cybersecurity applicability decisions. - [Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Amending source for the current 2022/30 application date. ## Primary sources - [Directive 2014/53/EU on radio equipment](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Binding RED source for Article 3 essential requirements and delegated-act authority. - Quote: "essential requirements" - [Commission Delegated Regulation (EU) 2022/30 on RED cybersecurity](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Delegated source specifying when Article 3(3)(d), (e), and (f) apply to covered radio equipment. - Quote: "internet-connected radio equipment" - [Commission Delegated Regulation (EU) 2023/2444 on RED cybersecurity application date](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Amending source for the 1 August 2025 application date and corrected data wording. - Quote: "It shall apply from 1 August 2025." - [European Commission - cybersecurity of wireless devices and products](https://ec.europa.eu/growth/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en?ref=sorena.io) - Commission context page describing the policy purpose and examples of wireless products covered by the delegated act. - Quote: "mobile phones, tablets and other products" ## Topic Guides - [Are radio kits and evaluation boards covered by the RED? | RED FAQ](/artifacts/eu/radio-equipment-directive/faq/kits.md): RED FAQ for radio kits, construction kits, amateur-radio kits, and custom-built professional R&D evaluation boards under Directive 2014/53/EU. - [EU Radio Equipment Directive Timeline: practical guide](/artifacts/eu/radio-equipment-directive/timeline.md): EU Radio Equipment Directive guide to Timeline with scope decisions, owner actions, evidence records, source-linked citations, and practical next steps. - [EU RED Applicability Test for Radio Equipment](/artifacts/eu/radio-equipment-directive/applicability-test.md): Decide whether Directive 2014/53/EU applies to a connected product, which RED requirements are triggered, and what evidence belongs in the technical file. - [EU RED Common Charger FAQ: Which devices need USB-C?](/artifacts/eu/radio-equipment-directive/faq/common-charger.md): FAQ on EU RED common charger scope, 28 December 2024 and 28 April 2026 dates, USB-C, USB Power Delivery, charger unbundling, labels, pictograms, and evidence. - [EU RED Common Charger Obligations: USB-C scope, dates, labels](/artifacts/eu/radio-equipment-directive/common-charger-obligations.md): source-linked RED common charger guide covering in-scope device categories, 28 December 2024 and 28 April 2026 dates, USB-C, USB PD, charger unbundling, labels, pictograms, and evidence. - [EU RED compliance evidence guide](/artifacts/eu/radio-equipment-directive/compliance.md): Build a Radio Equipment Directive compliance file with Article 3 requirement mapping, harmonised-standard checks, conformity assessment evidence, EU declarations, CE marking, and RED source links. - [EU RED Cybersecurity Product Categories: 2022/30 scope](/artifacts/eu/radio-equipment-directive/cybersecurity-delegated-act-product-categories.md): source-linked guide to RED Delegated Regulation (EU) 2022/30 product categories for Article 3(3)(d), (e), and (f), carve-outs, 1 August 2025 application, and release evidence. - [EU RED FAQ: Scope, CE and USB-C](/artifacts/eu/radio-equipment-directive/faq.md): Answers to common EU RED questions on radio equipment scope, Article 3 requirements, cybersecurity, USB-C common charger rules, CE marking, and technical-file evidence. - [EU RED Radio Equipment Scope: products and exclusions](/artifacts/eu/radio-equipment-directive/radio-equipment-scope.md): Decide whether a product is radio equipment under Directive 2014/53/EU, with RED scope tests, exclusions, examples, and evidence records. - [EU RED Requirements Map: CE and Article 3](/artifacts/eu/radio-equipment-directive/requirements.md): Map Radio Equipment Directive requirements for radio products: Article 3 safety, EMC, spectrum, selected Article 3(3) duties, common charger rules, conformity assessment, CE marking, EU declaration, and technical documentation. - [EU RED Scope and Classification](/artifacts/eu/radio-equipment-directive/scope-and-classification.md): Classify products under the EU Radio Equipment Directive with source-linked tests for radio equipment scope, exclusions, Article 3 requirement buckets, cybersecurity, common charging, and evidence records. - [EU RED Scope Classification Workflow](/artifacts/eu/radio-equipment-directive/red-scope-classification-workflow.md): Classify products under the EU Radio Equipment Directive with a source-linked workflow for RED scope, exclusions, Article 3 requirements, standards, CE evidence, cybersecurity, and common-charger triggers. - [RED Article 10 labelling, instructions, and restrictions](/artifacts/eu/radio-equipment-directive/article-10-labelling-and-restrictions.md): source-linked RED Article 10 guide for radio equipment labels, manufacturer contact details, instructions, DoC statements, frequency information, and use restrictions. - [RED Article 3 requirement selection workflow](/artifacts/eu/radio-equipment-directive/article-3-requirement-selection-workflow.md): Select the right RED Article 3 branches for radio equipment: safety, EMC, spectrum, delegated Article 3(3) duties, cybersecurity, common charging, evidence, and conformity assessment. - [RED Article 3 Requirements: Safety, EMC, Spectrum and Cyber](/artifacts/eu/radio-equipment-directive/article-3-1-3-2-and-3-3-requirements.md): Map Radio Equipment Directive Article 3(1), 3(2), and 3(3) requirements to safety, EMC, spectrum, interoperability, emergency, software, and cyber evidence. - [RED Compliance Checklist for Radio Equipment](/artifacts/eu/radio-equipment-directive/checklist.md): source-linked RED checklist for radio equipment scope, Article 3 requirements, technical documentation, DoC, CE marking, cybersecurity, common charger, and notified-body decisions. - [RED compliance deadlines calendar: 2016, 2024, 2025 and 2026 dates](/artifacts/eu/radio-equipment-directive/deadlines-and-compliance-calendar.md): Calendar the EU Radio Equipment Directive deadlines that affect launches: RED applicability, transition end, common charger dates, cybersecurity requirements, OJEU standards, CE marking, declarations and technical files. - [RED conformity assessment and CE marking](/artifacts/eu/radio-equipment-directive/conformity-assessment-and-ce.md): EU Radio Equipment Directive guide to Article 17 conformity modules, notified-body triggers, technical documentation, EU declarations, and CE marking. - [RED Conformity Assessment Template](/artifacts/eu/radio-equipment-directive/red-conformity-assessment-template.md): Template fields for documenting RED Article 3 requirements, Article 17 route selection, harmonised standards, notified-body evidence, technical documentation, EU declaration, CE marking, cybersecurity, and common-charger checks. - [RED Cyber Compliance Workflow for Article 3(3)(d/e/f)](/artifacts/eu/radio-equipment-directive/cyber-compliance-workflow.md): A source-linked RED cybersecurity workflow for internet-connected radio equipment, privacy and data safeguards, payment-fraud features, evidence packs, and CE release gates. - [RED Cybersecurity Delegated Act Guide | Article 3(3)(d/e/f)](/artifacts/eu/radio-equipment-directive/red-cybersecurity-delegated-act-guide.md): Practical guide to Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive, covering Article 3(3)(d), (e), and (f) cybersecurity scope, 1 August 2025 application, evidence, standards, and notified-body checkpoints. - [RED Cybersecurity Requirements for Radio Equipment](/artifacts/eu/radio-equipment-directive/cybersecurity-requirements.md): EU RED cybersecurity requirements under Article 3(3)(d), (e), and (f): scope, affected radio equipment, application date, standards, notified bodies, and evidence. - [RED DoC and CE marking file: what to include](/artifacts/eu/radio-equipment-directive/faq/doc-and-ce.md): FAQ answer for Radio Equipment Directive declarations of conformity, CE marking evidence, technical documentation, notified-body records, and related labels. - [RED EMC and LVD Safety Interplay for Radio Equipment](/artifacts/eu/radio-equipment-directive/emc-and-lvd-safety-interplay.md): Explain how EU RED Article 3 applies LVD safety objectives and EMC requirements to radio equipment, with evidence, test-plan, and technical-file guidance. - [RED Harmonised Standards and Test Plans: OJEU evidence guide](/artifacts/eu/radio-equipment-directive/harmonized-standards-and-test-plans.md): Build a Radio Equipment Directive standards matrix and test plan around OJEU-cited harmonised standards, Article 3 requirements, Article 17 route triggers, and Annex V technical-file evidence. - [RED importer obligations FAQ | Directive 2014/53/EU](/artifacts/eu/radio-equipment-directive/faq/importers.md): What importers must check before placing radio equipment on the EU market: conformity assessment, spectrum use, technical documentation, EU declaration, CE marking, traceability, instructions, restrictions, storage, corrective action, and authority cooperation. - [RED notified body route selection under Article 17](/artifacts/eu/radio-equipment-directive/notified-body-route-selection.md): Decide when RED radio equipment can use internal production control and when Article 17 requires Annex III EU-type examination or Annex IV full quality assurance. - [RED Notified Body Trigger Workflow: Article 17 evidence guide](/artifacts/eu/radio-equipment-directive/notified-body-trigger-workflow.md): Decide when the EU Radio Equipment Directive needs a notified body by mapping Article 3 requirements, OJEU-cited harmonised standards, Annex III EU-type examination, and Annex IV full quality assurance evidence. - [RED penalties, fines, and enforcement actions](/artifacts/eu/radio-equipment-directive/penalties-and-fines.md): EU Radio Equipment Directive penalties guide covering Article 46, Member State penalty rules, recalls, withdrawals, formal non-compliance, and enforcement evidence. - [RED radio modules FAQ: host product assessment](/artifacts/eu/radio-equipment-directive/faq/radio-modules.md): FAQ on how Directive 2014/53/EU treats RF modules and host products, including module evidence, final-product responsibility, Article 3 assessment, technical documentation, instructions, antennas, software, and DoC records. - [RED SAR and RF Exposure Evidence FAQ](/artifacts/eu/radio-equipment-directive/faq/sar-and-wireless-exposure.md): What SAR and RF exposure evidence to keep under the EU Radio Equipment Directive, including Article 3(1)(a), foreseeable use, frequency, power, antenna, and standards evidence. - [RED software update impact for radio equipment](/artifacts/eu/radio-equipment-directive/software-update-impact.md): Assess when firmware, app, and software updates can affect EU Radio Equipment Directive conformity, technical documentation, DoC, standards, and notified-body evidence. - [RED standards not cited in the OJEU: can you use them?](/artifacts/eu/radio-equipment-directive/faq/standards-not-cited-in-ojeu.md): FAQ answer for Radio Equipment Directive products when a standard is useful but not OJEU-cited, including presumption of conformity, Article 17 route selection, and technical-file evidence. - [RED vs Cyber Resilience Act: radio equipment cyber scope](/artifacts/eu/radio-equipment-directive/red-vs-cyber-resilience-act.md): Compare RED cybersecurity duties with Cyber Resilience Act planning for connected radio equipment, using grounded RED scope, evidence, dates, and caveats. - [RED vs EMC Directive: when radio equipment uses RED instead of EMCD](/artifacts/eu/radio-equipment-directive/red-vs-emc.md): Compare the EU Radio Equipment Directive and EMC Directive for radio products, EMC evidence, CE marking, declarations, technical files, and scope boundaries. - [RED vs ETSI EN 303 645: IoT cyber evidence comparison](/artifacts/eu/radio-equipment-directive/red-vs-etsi-en-303-645.md): Compare EU RED cybersecurity duties with ETSI EN 303 645 evidence reuse for connected radio products, OJEU standards, CE files, and 1 August 2025 planning. - [RED vs LVD: when radio equipment uses RED for electrical safety](/artifacts/eu/radio-equipment-directive/red-vs-lvd.md): Compare the EU Radio Equipment Directive and Low Voltage Directive for radio-product safety, voltage limits, CE marking, technical files, and declarations. - [RED vs Market Surveillance Regulation: radio equipment compliance roles](/artifacts/eu/radio-equipment-directive/red-vs-msr.md): Compare RED product conformity duties with EU Market Surveillance Regulation controls for radio equipment, online sales, responsible operators, customs holds, and evidence. - [RED vs UK PSTI for connected radio products](/artifacts/eu/radio-equipment-directive/red-vs-uk-psti.md): Compare EU RED duties with UK PSTI planning for connected radio products: scope, actors, evidence, cybersecurity overlap, CE marking, and separate UK product-security workstreams. - [Which receivers and transmitters are covered by RED? | Directive 2014/53/EU FAQ](/artifacts/eu/radio-equipment-directive/faq/receivers-and-transmitters.md): RED scope FAQ for products that intentionally emit or receive radio waves for radio communication or radiodetermination, including receiver-only products, transmitters, accessory-dependent products, and common exclusions. - [Wi-Fi and Bluetooth Products Under the EU RED](/artifacts/eu/radio-equipment-directive/faq/wi-fi-and-bluetooth-products.md): FAQ for assessing Wi-Fi, Bluetooth, BLE and other short-range wireless products under the EU Radio Equipment Directive, including Article 3, CE, technical file, cybersecurity and notified-body triggers. *Recommended next step* *Placement: after implementation section* ## Use this RED guide as a cited evidence workflow Turn this RED cybersecurity FAQ into a repeatable applicability record for product, legal, quality, security, and regulatory teams. Keep the Article 3(3) trigger, product facts, citation, owner, and evidence together. - [Open Research Copilot](/solutions/research-copilot.md): Answer RED cybersecurity scope, timing, and interpretation questions with cited outputs. - [Talk through implementation](/contact.md): Review your scope, evidence model, controls, and next actions. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/radio-equipment-directive/faq/cybersecurity-applicability