The Radio Equipment Directive (RED, Directive 2014/53/EU) sets out uniform requirements for devices with radio technology throughout Europe. The focus is on health, electromagnetic compatibility (EMC), safety (including cybersecurity), and the use of the radio spectrum. The aim is to ensure a common standard of protection and the efficient and interference-free use of the limited radio spectrum. In Germany, the RED is implemented by the Radio Equipment Act.

  • Which products are regulated by the Radio Equipment Directive? 
    •     Exceptions
  • Essential requirements
    •     Cyber and data security of internet-enabled radio equipment
  • What are the obligations of manufacturers?
  • Harmonized standards
    •     Cybersecurity standards series EN 18031-1 to 18031-3
  • What needs to be considered during product development?
  • What penalties apply in the event of violations?
  • Sources of supply
  • Support for RED-compliant product development

Article 2(1)(1) defines radio equipment as "an electrical or electronic product that emits and/or receives radio waves for the purpose of radio communication and/or radio location, or an electrical or electronic product that requires accessories, such as an antenna, in order to emit and/or receive radio waves for the purpose of radio communication and/or radio location."

This means that all products with at least one radio interface are covered by the regulation, including consumer products such as smartphones or smartwatches, Wi-Fi routers, Bluetooth devices, IoT devices, or GPS receivers. In the industrial sector, the RED applies to all machine and plant components with their own radio interface for communication or location, such as radio-enabled sensors and actuators, radio-based remote or fieldbus gateways, or telecontrol technology with a radio interface. Even if a previously “wired” device or component is retrofitted with a radio module and placed on the market, this variant is subject to RED.

Exceptions

According to Article 1(3), the regulation does not apply to radio equipment used exclusively for defense, public safety, and national security. According to Annex I, exceptions also apply to all non-commercial amateur radio equipment, purely self-built equipment, and customer- or application-specific test modules. Equipment covered by Directive 96/98/EC and Regulation (EU) 2018/1139 for civil aviation is also exempt.

Article 3 of the RED sets out the following essential requirements for radio equipment:

  • Protection of the health and safety of persons, domestic animals, livestock, and property, including the usual aspects of electrical safety (Article 3(1a))
  • Ensuring an adequate level of electromagnetic compatibility by limiting interference emissions (Article 3(1)(b)).
  • Efficient use of the radio spectrum and support for effective use of the radio spectrum to avoid radio interference (Article 3(2))

According to the Radio Equipment Directive, devices and products with wireless communication must bear a certificate of conformity in the form of a CE mark in order to be sold on the European market.

Cybersecurity of internet-enabled radio equipment

In October 2021, the European Commission supplemented the RED with Delegated Regulation (EU) 2022/30. The additions concern Article 3(3)(d), (e), and (f) and aim to increase cybersecurity and the protection of personal data and privacy in internet-enabled radio equipment. Manufacturers must implement these requirements from August 1, 2025.

Specifically, this means:

  • Both radio equipment that can communicate via the internet itself and equipment that communicates via other devices must not impair the network or its functioning and must not misuse network resources, thereby causing unacceptable impairment (addition to Article 3(3)(d)). 
  • In addition to 3(3e), manufacturers are now required to take robust measures to prevent unauthorized access to personal data (including traffic and location data) or the transmission of such data without consent.
  • To reduce the risk of fraud in digital transactions and electronic payments, manufacturers must integrate protective mechanisms.

In order to place their equipment on the market in the European Economic Area, manufacturers must demonstrate through conformity assessment and technical documentation that their radio equipment complies with the RED requirements. This is usually done by fully applying the relevant harmonized standards (see below). In the case of partial application or if product-specific restrictions argue against harmonization, an independent notified body must be involved to carry out a conformity assessment procedure.

The CE marking is based on this. Importers and distributors are also obliged to supply only compliant and correctly marked equipment.

Harmonized standards published in the Official Journal of the European Commission apply to RED compliance. Important harmonized standards include IEC 62368-1 for the electrical safety of information and communication technology and AV equipment, and the EN 301 489-x family of standards for the electromagnetic compatibility of various radio services. The selection of the relevant standards depends on the type of device, radio technology, and the specific requirements regarding safety, EMC, cybersecurity, and efficient use of the radio spectrum.

Here you will find a list of harmonized standards valid until the beginning of 2025.

Cybersecurity standards series EN 18031-1 to 18031-3

One of the most important harmonized standards is the new EN 18031 series, which has been in force since August 2025.  It serves as concrete guidance for manufacturers and as proof of implementation of requirements relating to network and cybersecurity (EN 18031-1), data protection (EN 18031-2), and fraud prevention (EN 18031-3).

The measures and requirements described in EN 18031 are based on the principle of “security by design.” Taking into account the complexity and diversity of modern devices, the series of standards provides clear guidelines for implementing robust security measures—such as access control, authentication, secure updates, cyber resilience, and cryptography—and enables manufacturers to take a flexible yet robust approach to security.

Despite harmonization, however, there are some exceptions to the presumption of conformity with the Radio Equipment Directive. These concern, for example, devices that allow no password to be set or used. Children's toys are also exempt from the presumption of conformity if the access control methods do not ensure that only legal guardians have access. In such cases, a notified body must be involved for approval.

When developing RED-compliant products, it is important to consider not only the basic requirements of the directive, but also “security by design” and “privacy by design” at an early stage. 

The scope of application, relevant requirements, and potential risks such as electromagnetic interference, cybersecurity vulnerabilities, or conflicts in the radio spectrum must be identified as early as the design phase. The risk assessment also serves to select the harmonized standards to be applied.

Technical implementation includes the implementation of security mechanisms, including strong authentication, encrypted communication, secure update procedures, and protective measures against unauthorized access and data leaks. Electromagnetic compatibility, antenna performance, and efficiency of radio spectrum use, etc., must be tested in the installed state. In addition, vulnerabilities are addressed through monitoring and regular patches; all changes are documented.

Finally, technical documentation must be prepared for conformity assessment, including product description, risk analysis, assignment to standards, test reports, and parts lists. 

Violations of the Radio Equipment Directive are generally punished as administrative offenses in EU member states, with penalties regulated at the national level.

In Germany, violations of the RED are primarily punished as administrative offenses or violations of the Product Safety Act. Depending on the severity and nature of the violation, fines of up to €100,000 or more may be imposed, particularly in cases of missing CE marking, missing technical documentation, or the placing on the market of non-compliant radio equipment. In addition, market surveillance authorities can remove devices from the market and order recalls.

In the case of particularly serious violations, such as endangering safety or the environment, criminal proceedings may also be initiated.

The text of the Radio Equipment Directive is available online in all 24 official languages of the EU: https://eur-lex.europa.eu/eli/dir/2014/53.

The supplement to the directive (in all 24 official languages of the EU) is available at the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R0030.

 

 

NewTec supports manufacturers in the development of devices and products with wireless technology that comply with the requirements of the RED and CRA (Cyber Resilience Act) and relevant standards such as EN 18031. We support you, for example, in requirements management and risk analysis, in the integration of security measures, in the implementation of secure update processes, and in the creation of RED-compliant technical documentation. 

Questions? Contact us: Contact.
Or call us on +49 7302 9611-0.

 

 

(Translated with DeepL.)

 

This might interest you:

Your contact person


Stephan Strohmeier

Head of Safety & Security Solutions