---
title: "RED Cybersecurity Delegated Act Guide"
canonical_url: "https://www.sorena.io/artifacts/eu/radio-equipment-directive/red-cybersecurity-delegated-act-guide"
source_url: "https://www.sorena.io/artifacts/eu/radio-equipment-directive/red-cybersecurity-delegated-act-guide"
author: "Sorena AI"
description: "Step-by-step implementation guide for the RED cybersecurity delegated act."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "RED cybersecurity delegated act"
  - "EU 2022/30 implementation"
  - "Article 3(3)(d)(e)(f) RED"
  - "radio equipment cybersecurity CE marking"
  - "RED cybersecurity test plan"
  - "internet-connected radio equipment cybersecurity"
  - "RED"
  - "Cybersecurity"
  - "Delegated Regulation (EU) 2022/30"
  - "CE marking"
  - "Technical documentation"
---

# RED Cybersecurity Delegated Act Guide

Step-by-step implementation guide for the RED cybersecurity delegated act.


## EU Radio Equipment Directive (RED) Cybersecurity Delegated Act Guide

Implement (EU) 2022/30 in a way you can prove.

Output: a control set + tests + technical file module for CE marking.

The delegated act is not a checklist you 'sign off'. It is a set of essential requirements that must be demonstrably met for in-scope equipment. This guide gives you a repeatable implementation pattern you can apply across product lines and firmware releases.

## 1) Applicability classification (the fastest, most important step)

Start by classifying each product variant against the delegated regulation categories. Make the decision evidence-based (architecture + connectivity + data flow).

Store the decision as a scope memo attached to the technical documentation.

- Internet-connected radio equipment (network protection requirement)
- Equipment processing personal data / traffic data / location data (privacy/data protection requirement)
- Internet-connected equipment enabling value transfer (fraud protection requirement)
- Date: applies from 1 Aug 2025 because Regulation (EU) 2023/2444 moved the start date
- Check whether the consolidated derogations remove the Article 3(3)(e) or (f) trigger for your product type

## 2) Requirements-to-controls mapping (make it testable)

Convert each activated requirement into controls with measurable acceptance criteria. Avoid control statements that can't be verified.

Use a mapping matrix: requirement -> control objective -> design control -> verification method -> evidence location.

- Network protection: prevent misuse (e.g., botnet patterns), service minimisation, secure comms, resilience
- Privacy/data: data minimisation, access control, secure storage/transport, secure defaults
- Anti-fraud: strong auth, integrity protections, anti-tampering, transaction safeguards where applicable
- Lifecycle: update security, vulnerability intake and remediation timelines, and change control

## 3) Build a verification test plan (don't rely on 'we follow best practices')

Verification is what makes the delegated act defensible. Build test cases that reflect misuse scenarios and negative testing.

Treat cybersecurity tests like spectrum/EMC tests: documented setup, repeatable methods, and variant coverage.

- Security requirements tests: authentication, authorisation, secure update path, secure communications
- Abuse and misuse tests: default credentials, exposed services, insecure APIs, weak crypto configurations
- Data protection tests: data at rest/in transit, deletion/retention controls, access logs
- Release gating: security test results required before CE documentation is updated and shipped
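A minimal release gate for the chain described in sections 1 to 3, as an added example that is not part of the original guide: it derives the requirement triggers for a variant from this page's three categories, then reports every matrix row with a missing link or a non-passing result. The field names, the `derogated` set, and the sample variant and rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Article 3(3) points activated by Delegated Regulation (EU) 2022/30.
NETWORK, PRIVACY, FRAUD = "3(3)(d)", "3(3)(e)", "3(3)(f)"
CHAIN = ("control_objective", "design_control", "verification_method", "evidence_location")

@dataclass
class Variant:  # hypothetical scope-memo fields for one product variant
    name: str
    internet_connected: bool
    processes_personal_data: bool   # personal, traffic or location data
    enables_value_transfer: bool
    derogated: frozenset = frozenset()  # points removed by a documented derogation

@dataclass
class Row:  # one line of the mapping matrix from section 2
    requirement: str
    control_objective: str
    design_control: str
    verification_method: str
    evidence_location: str
    result: str = ""  # "pass", "fail", or "" when the test has not been run

def triggers(v):
    """Section 1: requirements the variant activates, using the page's categories."""
    checks = {NETWORK: v.internet_connected, PRIVACY: v.processes_personal_data,
              FRAUD: v.internet_connected and v.enables_value_transfer}
    return {req for req, hit in checks.items() if hit} - v.derogated

def release_gaps(v, matrix):
    """Section 3 release gate: list every break in the traceability chain."""
    gaps = []
    for req in sorted(triggers(v)):
        rows = [r for r in matrix if r.requirement == req]
        if not rows:
            gaps.append(f"{req}: no control mapped")
        for r in rows:
            label = r.design_control or "unnamed control"
            gaps += [f"{req}: {label}: missing {f}" for f in CHAIN if not getattr(r, f).strip()]
            if r.result != "pass":
                gaps.append(f"{req}: {label}: result {r.result or 'not run'}")
    return gaps

# Constructed sample: a connected camera variant with one incomplete matrix row.
SAMPLE = Variant("cam-eu-01", True, True, False)
MATRIX = [Row(NETWORK, "service minimisation", "only TLS port open",
              "port scan of release image", "tf/sec/T-014.pdf", "pass"),
          Row(PRIVACY, "secure storage", "encrypted video store", "flash dump inspection", "", "")]
```

An empty list from `release_gaps` is the condition for updating the CE documentation; anything else names the requirement and control that still lacks evidence.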

## 4) Package evidence in the technical documentation (CE file-ready)

Authorities and notified bodies will look for traceability: requirements -> controls -> tests -> results -> documentation.

Your goal is a single cybersecurity module in the technical file that can be reused across variants.

- Scope memo per variant + requirement triggers
- Architecture, threat model, and security objectives
- Test plan and reports (including tools, versions, and environment)
- Update and vulnerability management process summary + change log
- EU declaration of conformity updates referencing applicable acts and standards

## 5) Run it as a program (ownership and cadence)

Cybersecurity compliance breaks when it isn't owned. Assign owners and a cadence aligned to release cycles.

If firmware updates are delivered post-market, treat them as compliance-impacting changes.

- Owners: product security, engineering, compliance/QA, and supplier management
- Cadence: release gates + quarterly evidence reviews + vulnerability response SLAs
- Supplier controls: module vendors, chipsets, and cloud services must provide evidence you can cite
- Audit drill: simulate a market surveillance request and time your evidence retrieval


## Primary sources

- [Delegated Regulation (EU) 2022/30 (EUR-Lex)](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj?ref=sorena.io) - Primary source for scope categories. Read it with Regulation (EU) 2023/2444 for the current application date and corrected Article 1(2) wording.
- [Delegated Regulation (EU) 2023/2444 (EUR-Lex)](https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj?ref=sorena.io) - Moves the cybersecurity application date to 1 Aug 2025 and corrects the processing-data wording in Article 1(2).
- [Directive 2014/53/EU (Radio Equipment Directive) (EUR-Lex)](https://eur-lex.europa.eu/eli/dir/2014/53/oj?ref=sorena.io) - Legal basis for essential requirements and CE conformity framework.
- [European Commission - Guide to the Radio Equipment Directive (RED Guide, 2018)](https://ec.europa.eu/growth/sectors/electrical-engineering/rtte-directive/?ref=sorena.io) - Practical compliance and documentation guidance (including standards and notified bodies).

