DA SV
legislation

Radio equipment directive (RED) requirements for radio equipment

4 minutes read
Radio equipment directive (RED) requirements for radio equipment

The RED governs the safety of radio equipment. Learn more about scope, conformity assessment and harmonized standards (EN 18031).

Scope of the RED

“Radio equipment” covers electrical or electronic products that are intended to emit and/or receive radio waves to enable radio communication or radio location. Examples include mobile phones, Wi‑Fi routers, radio remote controls and many more.

Delegated regulation (EU) 2022/30

The Delegated Regulation (EU) 2022/30 specifies the RED’s essential requirements for internet-connected radio equipment. It applies to any radio equipment that can communicate over the internet on its own, whether directly or via other devices.

Flowchart for determining applicability of the RED DA

First it must be established whether the product falls within the scope of the RED. If so, it is checked whether it can access the internet on its own. If not, it is checked whether it uses internet protocols or can communicate indirectly with the internet via another device. If that is the case, conformity with the delegated regulation is required; otherwise no further action is necessary.

Essential safety requirements

Article 3 of the delegated regulation defines specific security requirements for radio equipment.

Requirements from Article 3 of the radio equipment directive

Of particular relevance for cybersecurity are Article 3.3(d), (e) and (f):

  1. No harmful effects on networks - Article 3.3(d): Radio equipment must not have harmful effects on networks or their operation and must not cause misuse of network resources.
  2. Data protection and privacy - Article 3.3(e): Radio equipment must include appropriate security measures to protect personal data and the privacy of users and subscribers.
  3. Fraud protection - Article 3.3(f): Radio equipment must support functions to protect against fraud.

Conformity assessment

Manufacturers can only apply Module A (internal production control) if harmonized standards exist that are referenced in the Official Journal of the EU and are fully complied with.

Otherwise, a notified body must be involved in the conformity assessment to carry out additional tests and evaluations.

Implementing these security requirements aims to effectively minimize risks to networks, personal data, privacy and fraud related to radio equipment.

Harmonized standards for the delegated regulation

The European Commission published a specific standardization request for the development of harmonized standards under the delegated regulation 2022/30 to the RED.

Harmonized standards must generally meet the following requirements:

  • The standards must reflect the generally recognized state of the art.
  • The technical solutions in the standards must be proportionate to the risks they are intended to address.
  • The test procedures must be verifiable, objective and reproducible to ensure comparable product assessment.
  • Alternative mechanisms to test methods will only be developed if test methods are technically inapplicable and this is sufficiently justified.
  • Additional requirements for each specific standard will be defined.

The request requires that separate harmonized standards be developed for Articles 3(3)d, 3(3)e and 3(3)f respectively.

Complying with these requirements should ensure that the harmonized standards provide practical, proportionate and consistent specifications to implement the RED’s essential requirements.

EN 18031 standards for the delegated act

EN 18031 was developed under the European Commission’s standardization request and defines specific requirements for the security criteria listed in Article 3(3)d, 3(3)e and 3(3)f of the regulation. It provides detailed technical specifications and test methods to ensure a consistent and verifiable basis for conformity assessment.

Relationship with the Cyber Resilience Act

The Cyber Resilience Act (CRA) complements the security requirements of the radio equipment directive and its delegated act. While the RED focuses on wireless devices, the CRA covers a broader range of products with digital elements. Once the CRA enters into force, it is expected to replace the RED delegated act for cybersecurity.

Relationship between the radio equipment directive with delegated act (RED DA) and the Cyber Resilience Act (CRA)

For detailed information on the CRA and its impact on product security, read our article Cyber Resilience Act.