RED vs UK PSTI for connected radio products

RED covers radio equipment made available on the EU market or put into service in the Union, starting with products that intentionally emit and/or receive radio waves for radio communication or radiodetermination.

UK PSTI planning should start only after confirming the product is in a UK connected-product scope. Do not assume every RED radio product is a PSTI product, or that every PSTI product is RED radio equipment.

Write two scope findings: one for EU RED radio-equipment status and one for UK PSTI status. Reuse the product description, but keep the legal conclusion separate.

RED assigns duties across economic operators, including manufacturers, authorised representatives, importers, and distributors. The manufacturer remains responsible for conformity assessment and the EU declaration route.

UK PSTI may assign duties to a different commercial actor for the same SKU, especially where the UK importer, distributor, brand owner, or online channel differs from the EU chain.

Map EU and UK operator roles separately before assigning owners for declarations, statements, labels, customer notices, supplier evidence, or corrective actions.

RED is triggered by making radio equipment available on the EU market or putting it into service, not by an incident or customer request. A radio module, antenna, wireless function, or software change can reopen the RED assessment.

UK PSTI planning is triggered by UK connected-product placement facts and security claims. Treat UK product-security evidence as a separate checkpoint rather than a RED substitute.

Add intake questions for radio technologies, EU market placement, UK market placement, connected-product functionality, software update support, and security statements.

RED obligations include meeting Article 3 essential requirements for health and safety, EMC, efficient spectrum use, and any activated Article 3(3) requirements; selecting the conformity-assessment route; preparing technical documentation; drawing up the EU declaration; and affixing CE marking.

UK PSTI planning should focus only on the connected-product security obligations the UK regime actually imposes, using a UK source pack before naming specific evidence or statement duties.

Turn shared engineering controls into two deliverable lists: RED CE deliverables and UK PSTI deliverables. A penetration test, password design, or update policy may support both, but it should not replace either legal artifact set.

RED evidence should include the Article 3 matrix, risk analysis, harmonised-standards position, test reports, technical documentation, EU declaration of conformity, CE-marking and instruction records, and notified-body documents where the chosen route requires them.

UK PSTI evidence should stay in its own pack, with specific UK statements, security records, supply-chain approvals, and customer claims included only where those have been separately sourced and approved.

Keep a shared evidence register with columns for RED, UK PSTI, product version, market, owner, source, and expiry or review trigger.

RED has several clocks: the baseline directive has applied since 13 June 2016, technical documentation and EU declarations must be kept available for 10 years after placement on the market, and RED cybersecurity under Delegated Regulation (EU) 2022/30 applies from 1 August 2025.

UK PSTI timing should be tracked separately for UK launch gates, security claim approvals, and distributor or importer readiness where those duties are confirmed by UK sources.

Use separate EU and UK launch gates. The earlier gate controls release sequencing, while the longer retention or support commitment controls operating cadence.

RED assurance runs through CE conformity evidence, economic-operator traceability, technical documentation, market-surveillance readiness, and notified-body involvement when the selected conformity-assessment route requires it.

UK PSTI assurance should name the UK authority path, customer-facing security claims, corrective-action owner, and importer or distributor response plan only after the UK source pack is reviewed.

Do not put PSTI enforcement assumptions inside the RED technical file without labelling them as UK-only planning material.

RED cybersecurity evidence may cover network protection, privacy and personal-data safeguards, and fraud protection for specified radio-equipment categories under Article 3(3)(d), (e), and (f). EN 18031 references can help only within their cited scope and restrictions.

UK PSTI can often use the same underlying design facts, such as credential design, update policy, and vulnerability intake, but only the UK workstream should decide whether those facts satisfy PSTI duties.

Create a bridge note for each reused control: what fact is shared, which RED requirement it supports, which UK PSTI claim it may support, and what gap remains.

Use RED as the controlling workstream when the blocker is EU market access for radio equipment, Article 3 conformity, harmonised standards, notified-body routing, CE marking, or the EU declaration.

Run UK PSTI in parallel when the blocker is UK connected-product launch, UK product-security claims, or UK supply-chain assurance.

The practical answer is often both: RED for EU CE access, PSTI for UK product-security readiness, and a controlled evidence bridge between the two.