EU: Cybersecurity – repeal of Delegated Regulation supplementing the Radio Equipment Directive

 

The EU Commission has announced that the RED Delegated Regulation for cybersecurity will be repealed from 11 December 2027.

Directive 2014/53/EU on radio equipment (the ‘Radio Equipment Directive’ or ‘RED’) establishes the regulatory framework governing the placing of radio equipment on the Single Market and lays down mandatory conditions for market access. It applies to electrical and electronic equipment capable of using the radio spectrum for communication and/or radio determination purposes. Member States are required, through their national market surveillance authorities, to take appropriate corrective measures in respect of radio equipment that does not comply with the Directive.

Article 3 of the RED sets out the essential requirements with which radio equipment placed on the Union market must comply. Article 3(1)(a) concerns requirements relating to health and safety, Article 3(1)(b) addresses electromagnetic compatibility, and Article 3(2) lays down requirements relating to the effective and efficient use of the radio spectrum. Article 3(3) provides for additional essential requirements applicable to specific categories or classes of radio equipment, as determined by Commission delegated acts adopted pursuant to that provision. In addition, Article 3(4) establishes essential requirements concerning the compatibility of certain categories or classes of radio equipment with a common charger.

The essential requirements set out in Article 3(3), first subparagraph, points (d), (e), and (f), of the RED relate to protection against harm to networks, the safeguarding of personal data and privacy of users and subscribers, and protection against fraud. These requirements therefore address elements linked to the mitigation of cybersecurity risks.

Commission Delegated Regulation (EU) 2022/301 made the essential requirements referred to in Article 3(3), first subparagraph, points (d), (e), and (f), of the RED applicable, as of 1 August 2025, to certain categories or classes of radio equipment, in response to concerns that such equipment did not adequately ensure protection against cybersecurity risks.

On 23 October 2024, Regulation (EU) [Cyber Resilience Act] was adopted, establishing horizontal rules on product cybersecurity as a condition for market access. The essential cybersecurity requirements set out in Annex I to the Cyber Resilience Act encompass all elements covered by the essential requirements referred to in Article 3(3), first subparagraph, points (d), (e), and (f), of Directive 2014/53/EU. The Cyber Resilience Act will become fully applicable from 11 December 2027.

To find out more about cybersecurity for products, do not hesitate to contact the Product Compliance Institute.