RED is binding EU product law for radio equipment. ETSI EN 303 645 is useful cyber baseline evidence for consumer IoT, but it does not by itself replace a RED conformity assessment or an OJEU-cited harmonised standard route.
Use this comparison to decide what belongs in the RED technical file, what can be reused from an ETSI EN 303 645 control assessment, and what must be separately verified before CE marking.
Structured answer sets in this page tree.
Cited legal and guidance references.
RED and ETSI EN 303 645 often meet in the same connected product program, but they answer different questions. RED decides whether radio equipment can be placed on the EU market and which Article 3 essential requirements, conformity route, technical documentation, EU declaration, CE marking, and market-surveillance duties apply. ETSI EN 303 645 can help structure consumer IoT cybersecurity evidence, but the RED file still needs a source-linked Article 3(3)(d), (e), and (f) conclusion and a standards position tied to OJEU citation status.
A practical comparison for connected radio equipment teams deciding when RED controls the legal route and when ETSI EN 303 645 evidence can support, but not replace, RED cybersecurity compliance.
RED controls EU market access for radio equipment, including essential requirements, conformity assessment, technical documentation, EU DoC, CE marking, and market-surveillance response.
ETSI EN 303 645 can organize consumer IoT cybersecurity controls and assurance evidence, but teams must verify any claimed RED presumption of conformity through the applicable OJEU-cited harmonised standard route.
| Dimension | RED | ETSI EN 303 645 | Operational implication |
|---|---|---|---|
| Scope | RED starts with whether the product is radio equipment placed or made available on the EU market. | ETSI EN 303 645 should be scoped to the consumer IoT product, service, software, and data boundary actually assessed. | A connected consumer product may need both workstreams, but a positive ETSI EN 303 645 control assessment does not prove RED scope or CE readiness. |
| Who must act | The RED manufacturer is the primary actor responsible for conformity assessment, technical documentation, EU declaration of conformity, CE marking, and market-surveillance cooperation. Importers and distributors carry secondary RED checks and can become responsible as manufacturers when they substantially modify equipment. | ETSI EN 303 645 work is typically owned by product security, engineering, or supplier-management teams. Their assessment evidence must be linked back to the RED economic operator so it can be cited in the technical file. | Name the RED economic operator in every conformity file and bridge note so security evidence produced by internal or supplier teams cannot become orphaned from the CE compliance decision. |
| Trigger or threshold | RED Article 3(3)(d) applies to internet-connected radio equipment; Article 3(3)(e) and (f) depend on the listed data-processing, childcare, toy, wearable, and payment-transfer conditions. | ETSI EN 303 645 evidence should be mapped control by control to the device features, data flows, vulnerability process, update model, and product documentation it actually covers. | Do not reuse a generic IoT security checklist; build a RED trigger matrix first, then attach ETSI EN 303 645 evidence to the relevant trigger. |
| Core obligations | RED core obligations for radio equipment include meeting Article 3 essential requirements, choosing and executing the correct conformity assessment route under Article 17, drawing up technical documentation, issuing the EU declaration of conformity, and affixing CE marking before market placement. | ETSI EN 303 645 core obligations are internal: maintain assessed security controls across the documented IoT system boundary. The standard does not create EU legal duties; teams must bridge each EN 303 645 control to its RED essential-requirement equivalent and document the standards-status position. | Translate RED essential requirements into a numbered matrix before consulting EN 303 645; do not reverse-engineer from EN 303 645 controls to RED compliance because the mapping is not always one-to-one. |
| Evidence | RED evidence should include technical documentation, risk analysis, applied standards or other technical specifications, tests, EU DoC, CE basis, and any EU-type examination or quality-assurance records. | ETSI EN 303 645 evidence should remain a security-control evidence set unless the RED file explains how each item supports a specific RED essential requirement. | Keep a bridge table with columns for RED requirement, ETSI control evidence, product boundary, test date, standard status, owner, and residual gap. |
| Timing | RED cybersecurity requirements activated by Delegated Regulation (EU) 2022/30 apply from 1 August 2025 after the amendment made by Delegated Regulation (EU) 2023/2444. | ETSI EN 303 645 evidence should be refreshed when the assessed product, software, service dependency, vulnerability process, or claimed standards status changes. | Plan RED cybersecurity testing, supplier evidence, and conformity-route decisions against the 1 August 2025 application date, not only against internal security-assurance cycles. |
| Enforcement and market surveillance | RED enforcement is handled by market-surveillance authorities in each Member State under Regulation (EU) 2019/1020. Non-compliant radio equipment can be subject to corrective action, withdrawal, recall, and prohibition orders, and persistent infringement can lead to administrative or criminal penalties under national law. | ETSI EN 303 645 has no direct enforcement authority. Non-compliance with an EN 303 645 control assessment does not itself constitute a RED infringement unless the standard has been cited in the Official Journal and is being relied on for a presumption-of-conformity claim. | Document the enforcement route clearly: which national MSA has jurisdiction, which Article 3 requirements are relevant, and whether OJEU-cited harmonised standards support the conformity claim so the authority response file is accurate from the start. |
| Overlap and reuse | RED technical documentation can incorporate EN 303 645 test results as supporting evidence where the assessed system boundary matches the radio equipment under review and the tested controls map to specific Article 3(3)(d), (e), or (f) requirements. | ETSI EN 303 645 control records can be reused for RED purposes only after adding a bridge note that identifies the RED essential requirement supported, the OJEU citation status of any related harmonised standard, and any residual gap requiring additional RED-specific testing or documentation. | Keep evidence reuse conditional: document the system-boundary match, the requirement mapping, the standards-status check, and the owner so a future reviewer or authority can independently verify each link without relying on undocumented project context. |
| Decision rule | Use RED as the controlling workstream whenever the decision affects EU market placement, Article 3 essential requirements, conformity assessment, CE marking, DoC wording, or authority response. | Use ETSI EN 303 645 as supporting evidence when it strengthens the cybersecurity control record and the product boundary matches the RED equipment under review. | The defensible answer is usually not RED or ETSI EN 303 645. It is RED for the legal route, with carefully tagged ETSI EN 303 645 evidence where it actually supports the RED cyber case. |
RED starts with whether the product is radio equipment placed or made available on the EU market.
ETSI EN 303 645 should be scoped to the consumer IoT product, service, software, and data boundary actually assessed.
A connected consumer product may need both workstreams, but a positive ETSI EN 303 645 control assessment does not prove RED scope or CE readiness.
The RED manufacturer is the primary actor responsible for conformity assessment, technical documentation, EU declaration of conformity, CE marking, and market-surveillance cooperation. Importers and distributors carry secondary RED checks and can become responsible as manufacturers when they substantially modify equipment.
ETSI EN 303 645 work is typically owned by product security, engineering, or supplier-management teams. Their assessment evidence must be linked back to the RED economic operator so it can be cited in the technical file.
Name the RED economic operator in every conformity file and bridge note so security evidence produced by internal or supplier teams cannot become orphaned from the CE compliance decision.
RED Article 3(3)(d) applies to internet-connected radio equipment; Article 3(3)(e) and (f) depend on the listed data-processing, childcare, toy, wearable, and payment-transfer conditions.
ETSI EN 303 645 evidence should be mapped control by control to the device features, data flows, vulnerability process, update model, and product documentation it actually covers.
Do not reuse a generic IoT security checklist; build a RED trigger matrix first, then attach ETSI EN 303 645 evidence to the relevant trigger.
RED core obligations for radio equipment include meeting Article 3 essential requirements, choosing and executing the correct conformity assessment route under Article 17, drawing up technical documentation, issuing the EU declaration of conformity, and affixing CE marking before market placement.
ETSI EN 303 645 core obligations are internal: maintain assessed security controls across the documented IoT system boundary. The standard does not create EU legal duties; teams must bridge each EN 303 645 control to its RED essential-requirement equivalent and document the standards-status position.
Translate RED essential requirements into a numbered matrix before consulting EN 303 645; do not reverse-engineer from EN 303 645 controls to RED compliance because the mapping is not always one-to-one.
RED evidence should include technical documentation, risk analysis, applied standards or other technical specifications, tests, EU DoC, CE basis, and any EU-type examination or quality-assurance records.
ETSI EN 303 645 evidence should remain a security-control evidence set unless the RED file explains how each item supports a specific RED essential requirement.
Keep a bridge table with columns for RED requirement, ETSI control evidence, product boundary, test date, standard status, owner, and residual gap.
RED cybersecurity requirements activated by Delegated Regulation (EU) 2022/30 apply from 1 August 2025 after the amendment made by Delegated Regulation (EU) 2023/2444.
ETSI EN 303 645 evidence should be refreshed when the assessed product, software, service dependency, vulnerability process, or claimed standards status changes.
Plan RED cybersecurity testing, supplier evidence, and conformity-route decisions against the 1 August 2025 application date, not only against internal security-assurance cycles.
RED enforcement is handled by market-surveillance authorities in each Member State under Regulation (EU) 2019/1020. Non-compliant radio equipment can be subject to corrective action, withdrawal, recall, and prohibition orders, and persistent infringement can lead to administrative or criminal penalties under national law.
ETSI EN 303 645 has no direct enforcement authority. Non-compliance with an EN 303 645 control assessment does not itself constitute a RED infringement unless the standard has been cited in the Official Journal and is being relied on for a presumption-of-conformity claim.
Document the enforcement route clearly: which national MSA has jurisdiction, which Article 3 requirements are relevant, and whether OJEU-cited harmonised standards support the conformity claim so the authority response file is accurate from the start.
RED technical documentation can incorporate EN 303 645 test results as supporting evidence where the assessed system boundary matches the radio equipment under review and the tested controls map to specific Article 3(3)(d), (e), or (f) requirements.
ETSI EN 303 645 control records can be reused for RED purposes only after adding a bridge note that identifies the RED essential requirement supported, the OJEU citation status of any related harmonised standard, and any residual gap requiring additional RED-specific testing or documentation.
Keep evidence reuse conditional: document the system-boundary match, the requirement mapping, the standards-status check, and the owner so a future reviewer or authority can independently verify each link without relying on undocumented project context.
Use RED as the controlling workstream whenever the decision affects EU market placement, Article 3 essential requirements, conformity assessment, CE marking, DoC wording, or authority response.
Use ETSI EN 303 645 as supporting evidence when it strengthens the cybersecurity control record and the product boundary matches the RED equipment under review.
The defensible answer is usually not RED or ETSI EN 303 645. It is RED for the legal route, with carefully tagged ETSI EN 303 645 evidence where it actually supports the RED cyber case.
Start with RED scope. Directive 2014/53/EU applies to radio equipment and requires manufacturers to design and manufacture equipment in line with Article 3, draw up technical documentation, perform the relevant conformity assessment, issue the EU declaration of conformity, and affix CE marking before placing equipment on the market.
Then decide how ETSI EN 303 645 evidence will be used. Treat it as a control baseline or assurance input unless the team has separately verified that a relevant harmonised standard or part of a harmonised standard has been cited in the Official Journal for the RED essential requirement being claimed.
Delegated Regulation (EU) 2022/30 activates RED Article 3(3)(d), (e), and (f) for specified categories of radio equipment. The rules cover network protection for internet-connected radio equipment, personal-data and privacy safeguards for listed equipment where data processing criteria are met, and fraud-protection features for internet-connected radio equipment that enables transfers of money, monetary value, or virtual currency.
Delegated Regulation (EU) 2023/2444 moved the application date to 1 August 2025 and explains that the related harmonised standards work concerns cybersecurity, namely network protection, personal data and privacy, and fraud protection.
The RED file should be readable without project context. It should show the radio-equipment scope decision, the Article 3 requirement matrix, applied harmonised standards or other technical specifications, test reports, risk analysis, EU DoC, CE marking basis, notified-body material where required, and a bridge explaining any ETSI EN 303 645 reuse.
For ETSI EN 303 645, keep control evidence at the level of the assessed consumer IoT product or system boundary. Reuse it for RED only after documenting which RED essential requirement it supports and whether the applicable RED conformity route accepts that evidence without a notified-body step.
Map your connected radio product from RED Article 3(3) triggers to standards, tests, ETSI EN 303 645 controls, supplier evidence, CE-file records, and release decisions.
"essential requirement"
"1 August 2025"
"technical documentation"
"does not provide certification services"
"summary list of titles and references"