Europe’s new RED Cybersecurity Requirements under Delegated Act (EU) 2022/30 come into force on 1 August 2025, creating significant obligations for manufacturers and distributors of radio equipment. Understanding whether these requirements apply to your product and ensuring readiness is crucial.

Let’s be clear:

• Non-compliance by 1 August 2025 means suspension of EU market access.
• Enforcement actions could include product recalls and financial penalties.

This article provides detailed guidance on assessing applicability, including insights from recent case studies, a comprehensive readiness checklist, and practical advice if you find yourself unprepared as the enforcement date approaches.

Determining Applicability: Is Your Product in Scope?

The RED Cybersecurity Requirements specifically address three Essential Requirements defined under Article 3(3) of Directive 2014/53/EU (RED):

• Article 3(3)(d): Network harm prevention and protection.
• Article 3(3)(e): Safeguarding personal data and user privacy.
• Article 3(3)(f): Prevention of fraud.

According to Delegated Act (EU) 2022/30, the cybersecurity obligations apply explicitly to radio equipment that:

• Is capable of communicating directly or indirectly over the internet.
• Is designed to process personal or financial data, including but not limited to childcare equipment, toys, and wearable devices.

Source: Delegated Act (EU) 2022/30 – European Commission

Checkpoint: Are We Reallly in Scope?

In a recent case study aimed at clarifying the practical implications of the RED Cybersecurity Requirements, we conducted an in-depth evaluation of Bluetooth headsets to determine whether they truly qualified as “internet-connected” devices. This analysis focused specifically on variations in functionality and intended use, resulting in critical distinctions that can guide manufacturers in accurately assessing their products’ regulatory status.

For the analysis, we considered not only the communication protocol or radio interface but also the intended use and operational behavior of devices within a system. Due to the absence of a clear definition of “internet-connected” equipment, cases like this help clarify which requirements apply to specific products. Our case study resulted in two distinct regulatory decisions for seemingly identical products (Bluetooth Headsets), highlighting that regulatory status depends primarily on the device’s purpose and the final destination of the data generated, rather than solely on the type of physical or wireless connection used.

• For the products which their unique use case is to perform as an audio peripheral, merely converting and transmitting signals locally without the intent to reach any network functionalities -> It was evidenced the use of paired device (like a smartphone) as the final destination and processor of its data for a local function. -> Exclude it from the Cybersecurity requirements.
• For the Headsets connected via companion apps enabling communication with cloud services, including data processing and voice assistants. -> A device that uses a host as a transparent conduit or bridge to transmit data to or from the internet. -> Subject to Cybersecurity requirements (mostly 3.3 (d) and 3.3 (e))

Entirety LLC can support understanding the nuances of applicability criteria and initial risk evaluations.

What to Do if You’re Not Ready

Given the extreme urgency with the August 1st, 2025, enforcement date for the RED Delegated Regulation 2022/30 just over two weeks away, I’d recommend a two-phase engagement. The objective is to ensure your business continuity by systematically identifying products that may be justifiably exempt from the regulation and establishing a clear, defensible compliance path for those that are in scope.

• Immediate Portfolio Triage:

List all your product families that haven’t gone through conformity assessment. > Study their core functionality and connectivity features. > Categorize them into “potentially exempted” and “need conformity assessment”.

E.g: Acknowledge differences between simple audio peripherals vs. smart-assistant-enabled devices.

• Final Applicability Checkpoint:

Before pursuing unnecessary compliance measures, start with a “Data Path and Purpose” analysis. Carefully review your product’s intended use documentation, functional descriptions, and system architecture to accurately map data flows. This detailed approach allows you to confidently demonstrate why a specific product does not align with the classes or categories targeted by the regulation.

Potential outcome: You may discover certain products are exempt from the cybersecurity requirements altogether.

For a precise determination, we need to move beyond simplistic assumptions and meticulously map a product’s data flows and functional intent to build a robust technical justification for why it may not fall into the specific classes or categories of equipment targeted by the regulation.

This isn’t about evading responsibilities, but it’s about applying a complex regulation appropriately. Contrary to common misconceptions, not all radio equipment automatically requires a cybersecurity assessment. By developing and documenting a strong technical rationale for exemption, you fulfill your regulatory responsibilities, maintain compliance integrity, and secure uninterrupted market access.

• Guided Self-Assessment Framework:

For the rest of products in scope, it’s necessary to immediately establish the framework for a self-assessment, using Module A (internal production control). Here it’s possible to leverage the harmonised standards EN 18031-1:2024 and EN 18031-2:2024 and to build a defensible technical file.

1. 1. If eligible for self-assessment (i.e: the relevant harmonised standards of the EN 18031:2024 family is applied to the product and is not affected by the restrictions, as specified by the EU), the next step is to implement a structured compliance process guided by harmonized standards EN 18031-1 and EN 18031-2. This process involves creating a detailed Compliance Matrix to track requirements, collecting essential documentation such as architecture diagrams, data flow maps, and API documentation, and performing a thorough conceptual design review against the standard’s security criteria.
   2. Following this initial analysis, verification testing is conducted to ensure the product’s functionalities are complete, secure, and accurately documented. Activities include vulnerability scans to identify undocumented services, brute-force protection tests, input validation, and data deletion mechanism verification, resulting in comprehensive test evidence.
   3. Consolidate all documentation and test findings into a detailed Gap Analysis and Functional Test Evidence package. These materials form the basis of a comprehensive Self-Assessment Report, clearly outlining conformity and areas requiring remediation, thus allowing efficient early correction and compliance assurance.
   4. Finally, after collaborative review and validation, the finalized Self-Assessment Report provides the robust justification and technical evidence necessary to confidently issue your EU Declaration of Conformity, fulfilling your legal responsibilities under the Radio Equipment Directive.

Yes, you can comply by performing a self-assessment even without a lab or a Notified Body, if you follow the correct approach.

Let’s remind that the “New Legislative Framework” uses the core principle of manufacturer’s responsibility. The manufacturer it’s the solely and legally responsible for ensuring and declaring the conformity of your products. The EU Declaration of Conformity is a legal document signed by you, not by a lab or a Notified Body.

Harmonised standards like EN 18031 are provided as a powerful tool to help you meet this responsibility. They translate the high-level, legal essential requirements of the Radio Equipment Directive into detailed technical specifications. By following this “recipe,” you gain a “presumption of conformity,” which is the legal basis for placing your product on the market.

You’ve Confirmed Your Product is Compliant. What’s Next?

Great! You’re now ready to evaluate how well prepared you truly are. To help guide your final compliance verification, we’ve outlined five critical milestones you need to successfully achieve. Completing these steps will ensure your readiness and demonstrate a clear path toward compliance with the RED Cybersecurity

Entirety LLC can facilitate initial coordination and offer logistical support with official conformity bodies.

Practical Summary:

The enforcement of Europe’s RED Cybersecurity Requirements is imminent, with significant implications for radio equipment manufacturers and distributors. An accurate classification of products is critical to avoid unnecessary compliance efforts or, worse, market disruptions.

If your goal is to differentiate between truly internet-connected devices and out-of-scope products, begin with a careful review of product functionalities and intended uses.

As you discover that you’ll need to comply with these requirements, learn how to employ structured assessments aligned with harmonized standards (EN 18031-1:2024 and EN 18031-2:2024) to systematically document your conformity.

Understanding your product’s connectivity and operational intent is essential, not only to meet immediate compliance demands but also to ensure lasting market stability. Taking swift action, engaging expert guidance, and staying informed about evolving regulatory landscapes will position your business securely for today and well into the future.

For support and guidance, visit Entirety LLC at entirety.biz