Radio Equipment Directive (RED)

The Radio Equipment Directive (RED, EU 2014/53/EU) establishes the regulatory framework for placing radio equipment on the EU market. It covers any device that intentionally emits or receives radio waves for the purpose of communication or radio determination — including Wi-Fi routers, Bluetooth devices, mobile phones, IoT sensors, and any internet-connected device with wireless connectivity. RED requires manufacturers to demonstrate that equipment meets essential requirements covering electrical safety, electromagnetic compatibility, and efficient spectrum use. Products complying with RED bear the CE mark. RED is enforced by national market surveillance authorities and is one of the most frequently cited directives for connected consumer and industrial devices.

In 2022, the European Commission adopted Delegated Regulation EU 2022/30, activating three previously optional cybersecurity provisions of RED Article 3.3 for certain product categories. These provisions require that: (d) radio equipment does not harm networks or misuse network resources; (e) equipment incorporates safeguards to protect personal data and privacy; and (f) equipment incorporates features to prevent fraud. These requirements applied from August 2025 for internet-connected radio equipment. They are explicitly cybersecurity-focused and significantly overlap with the CRA's essential requirements. The Commission's intent is for the CRA to eventually supersede these RED cybersecurity provisions for products within its scope.

The CRA and RED overlap for wireless connected products. The CRA recitals acknowledge this overlap and provide that, once the CRA applies fully, manufacturers of products with digital elements that are also radio equipment will primarily be governed by the CRA's cybersecurity requirements. The RED cybersecurity requirements (Article 3.3(d)(e)(f)) will continue to apply for aspects not covered by the CRA. In practical terms, a manufacturer of a connected IoT device needs to assess compliance with both frameworks during the transition period. Products already CE-marked under RED with cybersecurity provisions applied may have a head start on CRA conformity, but the CRA's requirements — particularly around vulnerability handling, CVD policies, and SBOMs — go considerably further than RED.

Manufacturers of radio equipment that is also a product with digital elements should take a dual-framework approach:

1. Assess RED applicability: Confirm whether the product is radio equipment and whether EU 2022/30 applies based on the product category.
2. Map RED to CRA: Identify which CRA essential requirements correspond to RED Article 3.3(d)(e)(f) obligations and avoid duplicating conformity assessment effort.
3. Plan for CRA transition: Build CRA-compliant vulnerability handling and technical documentation into the design process, since the CRA will be the primary cybersecurity framework once fully operative.
4. Consult harmonised standards: ETSI EN 303 645 and ETSI TS 103 701 are widely used to demonstrate RED cybersecurity compliance and are expected to underpin CRA harmonised standards for consumer IoT categories.