EU 2022/30 Implementation

EU Radio Equipment Directive (RED) Cybersecurity Delegated Act Guide

Implement (EU) 2022/30 in a way you can prove.

Output: a control set + tests + technical file module for CE marking.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026

Overview

The delegated act is not a checklist you 'sign off'. It is a set of essential requirements that must be demonstrably met for in-scope equipment. This guide gives you a repeatable implementation pattern you can apply across product lines and firmware releases.


1) Applicability classification (the fastest, most important step)

Start by classifying each product variant against the delegated regulation categories. Make the decision evidence-based (architecture + connectivity + data flow).

Store the decision as a scope memo attached to the technical documentation.

  • Internet-connected radio equipment (network protection requirement)
  • Equipment processing personal data / traffic data / location data (privacy/data protection requirement)
  • Internet-connected equipment enabling value transfer (fraud protection requirement)
  • Date: applies from 1 Aug 2025 because Regulation (EU) 2023/2444 moved the start date
  • Check whether the consolidated derogations remove the Article 3(3)(e) or (f) trigger for your product type

2) Requirements-to-controls mapping (make it testable)

Convert each activated requirement into controls with measurable acceptance criteria. Avoid control statements that can't be verified.

Use a mapping matrix: requirement -> control objective -> design control -> verification method -> evidence location.

  • Network protection: prevent misuse (e.g., botnet patterns), service minimisation, secure comms, resilience
  • Privacy/data: data minimisation, access control, secure storage/transport, secure defaults
  • Anti-fraud: strong auth, integrity protections, anti-tampering, transaction safeguards where applicable
  • Lifecycle: update security, vulnerability intake and remediation timelines, and change control

3) Build a verification test plan (don't rely on 'we follow best practices')

Verification is what makes the delegated act defensible. Build test cases that reflect misuse scenarios and negative testing.

Treat cybersecurity tests like spectrum/EMC tests: documented setup, repeatable methods, and variant coverage.

  • Security requirements tests: authentication, authorisation, secure update path, secure communications
  • Abuse and misuse tests: default credentials, exposed services, insecure APIs, weak crypto configurations
  • Data protection tests: data at rest/in transit, deletion/retention controls, access logs
  • Release gating: security test results required before CE documentation is updated and shipped

4) Package evidence in the technical documentation (CE file-ready)

Authorities and notified bodies will look for traceability: requirements -> controls -> tests -> results -> documentation.

Your goal is a single cybersecurity module in the technical file that can be reused across variants.

  • Scope memo per variant + requirement triggers
  • Architecture, threat model, and security objectives
  • Test plan and reports (including tools, versions, and environment)
  • Update and vulnerability management process summary + change log
  • EU declaration of conformity updates referencing applicable acts and standards
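
The following Python example is added here and is not taken from the guide or from Sorena. It checks the chain requirements -> controls -> tests -> results -> evidence for one product variant and blocks the release when any link is missing or failing. The field names, control and test IDs, file paths and results are constructed for illustration.

```python
# Added example: release gate over the traceability chain. All IDs, paths and results are constructed.
REQUIRED_FIELDS = ("objective", "design_control", "verification", "evidence")

def trace_gaps(activated, matrix, results):
    """List every break in requirement -> control -> test -> result -> evidence."""
    gaps = []
    for req in sorted(activated):
        rows = [r for r in matrix if r["requirement"] == req]
        if not rows:
            gaps.append(f"{req}: no control mapped")
        for row in rows:
            cid = row["id"]
            for name in REQUIRED_FIELDS:
                if not row.get(name, "").strip():
                    gaps.append(f"{cid}: missing {name}")
            if not row.get("tests"):
                gaps.append(f"{cid}: no test case")
            for test_id in row.get("tests", []):
                outcome = results.get(test_id)
                if outcome is None:
                    gaps.append(f"{cid}: {test_id} has no result")
                elif outcome != "pass":
                    gaps.append(f"{cid}: {test_id} result is {outcome}")
    return gaps

def release_gate(activated, matrix, results):
    """Return (ok, gaps); ok is True only when the chain is complete and passing."""
    gaps = trace_gaps(activated, matrix, results)
    return (not gaps, gaps)

# Constructed sample: requirement triggers from one variant's scope memo, its matrix, its test results.
ACTIVATED = {"network", "privacy", "fraud"}
MATRIX = [
    {"id": "NET-01", "requirement": "network", "objective": "service minimisation",
     "design_control": "only required ports listen by default",
     "verification": "port scan of factory-default image",
     "evidence": "techfile/cyber/tests/net-01.pdf", "tests": ["T-NET-01"]},
    {"id": "PRIV-01", "requirement": "privacy", "objective": "secure storage",
     "design_control": "user data encrypted at rest",
     "verification": "storage inspection on a test unit",
     "evidence": "", "tests": ["T-PRIV-01", "T-PRIV-02"]},
]
RESULTS = {"T-NET-01": "pass", "T-PRIV-01": "fail"}

if __name__ == "__main__":
    ok, gaps = release_gate(ACTIVATED, MATRIX, RESULTS)
    print("release allowed" if ok else "release blocked")
    for gap in gaps:
        print(" -", gap)
```

Run per variant at the release gate; an empty gap list is the condition for updating the CE documentation.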

5) Run it as a program (ownership and cadence)

Cybersecurity compliance breaks when it isn't owned. Assign owners and a cadence aligned to release cycles.

If firmware updates are delivered post-market, treat them as compliance-impacting changes.

  • Owners: product security, engineering, compliance/QA, and supplier management
  • Cadence: release gates + quarterly evidence reviews + vulnerability response SLAs
  • Supplier controls: module vendors, chipsets, and cloud services must provide evidence you can cite
  • Audit drill: simulate a market surveillance request and time your evidence retrieval

Primary sources

References and citations

eur-lex.europa.eu
Referenced sections
  • Primary source for scope categories. Read it with Regulation (EU) 2023/2444 for the current application date and corrected Article 1(2) wording.