AI Regulatory Intelligence, by YRproject

factual analysis · traceable to primary sources

Explainer

The Radio Equipment Directive: cybersecurity requirements for wireless devices

Adopted 2026-06-16 · ≈ 2 min read · Dirk Baaijen

Since 1 August 2025 the RED imposes mandatory cybersecurity requirements on wireless, internet-connected devices. If you place connected hardware on the market, you must protect the network, personal data and payments.

Short answer: Since 1 August 2025 the Radio Equipment Directive (Directive 2014/53/EU) imposes mandatory cybersecurity requirements on wireless, internet-connected devices. If you place connected hardware on the market (telematics, trackers, on-board computers), you must protect the network, personal data and payments before the product can carry a CE marking.

What is changing

The RED has long set the baseline for radio equipment on the European market. Through Delegated Regulation (EU) 2022/30 three cybersecurity requirements are now activated under Article 3(3), points (d), (e) and (f) of the directive:

  • Network protection (point d): the device must not harm the communications network and must resist abuse.
  • Protection of personal data and privacy (point e): safeguards for the user's data and subscriber traffic.
  • Protection against fraud (point f): security of money-transfer and payment functions.

These requirements apply from 1 August 2025. Devices placed on the market after that date and falling within scope must demonstrably comply.

Who is affected

The requirements target wireless equipment that can connect to the internet, or that processes personal data or monetary value. In transport and logistics this directly touches a lot of hardware: telematics units, GPS and cargo trackers, on-board computers and sensors in vehicles, trailers and containers. If you import or manufacture such equipment, you are responsible for compliance.

How to demonstrate compliance

Compliance can be demonstrated through harmonised standards. The EN 18031 series was developed for this purpose, translating the three requirements into concrete technical measures. If you apply these standards, a presumption of conformity applies and you can in principle carry out the assessment yourself. If you deviate from them, a notified body is usually required.

How it relates to the Cyber Resilience Act

The RED requirements form the first, product-specific layer of hardware cybersecurity. The Cyber Resilience Act (CRA) sits on top as a broader, horizontal regime covering products with digital elements in general. There is overlap: align your compliance approach across both so you avoid duplicated effort and do not miss any requirement.


Sources

  1. https://eur-lex.europa.eu/eli/reg_del/2022/30/oj
    Delegated Regulation (EU) 2022/30: cybersecurity requirements under the RED.
  2. https://eur-lex.europa.eu/eli/dir/2014/53/oj
    Directive 2014/53/EU (RED): radio equipment.


About this knowledge base

Compiled and maintained by YRproject: programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
