Further analysis of the enforcement mechanism reveals that competent authorities across multiple member states are expected to adopt a phased approach, with initial focus on high-risk product categories before extending surveillance to broader market segments. The transition period, while
Get the full enforcement breakdown including affected platforms, regulatory framework details, practical compliance actions, and regional trend analysis.
The EU Radio Equipment Directive cybersecurity requirements became mandatory on August 1, 2025, establishing new security standards for IoT devices and connected products. These requirements will transition to the Cyber Resilience Act framework by 2027, fundamentally changing compliance obligations for manufacturers of radio equipment, smart devices, and connected products across the European market.
The Radio Equipment Directive (RED) 2014/53/EU originally focused on essential requirements for radio spectrum efficiency and electromagnetic compatibility. The rapid proliferation of IoT devices and increased connectivity exposed significant security vulnerabilities in connected products, prompting regulatory intervention. The European Commission recognised that traditional radio equipment approval processes were insufficient to address cybersecurity risks posed by billions of connected devices entering the market annually.
The expansion of RED with cybersecurity requirements represents the EU's first comprehensive attempt to regulate security standards for connected products at the point of market entry. This regulatory shift affects manufacturers who previously faced minimal cybersecurity obligations under product safety legislation.
The Commission Delegated Regulation (EU) 2022/30 introduced mandatory cybersecurity requirements under Article 3(3) of the Radio Equipment Directive. These requirements became enforceable on August 1, 2025, establishing three core security obligations: network security protection, personal data and privacy protection, and fraud prevention mechanisms.
The Cyber Resilience Act, adopted in 2024, will supersede these RED cybersecurity requirements when it becomes applicable in 2027. According to the European Commission's Q&A document, "the CRA will replace the cybersecurity requirements currently applicable under the Radio Equipment Directive for products with digital elements that fall within its scope."