RED Cybersecurity Compliance

Make Your IoT Hardware Compliant for Sale in the EU

From 1 August 2025, all connected devices sold in the EU must comply with new cybersecurity rules under the Radio Equipment Directive (RED) Delegated Act. This includes WiFi, BLE, and cellular-enabled products. If your product connects to the internet or communicates with a mobile app, it’s likely in scope.

Oxeltech helps hardware teams meet RED Cyber DA requirements with practical engineering support.

Who Needs This?

You’re affected if your product:

  • Connects via WiFi, Bluetooth, Zigbee, LTE, or similar
  • Sends or receives data over the internet
  • Can be remotely accessed or updated
  • Involves user data or a companion app

This applies to both new designs and existing products already on the market.

What We Offer

We help you bring your connected product into compliance without blocking your roadmap. Our service includes:
1. Scope Assessment
  • Identify which Cyber DA requirements apply to your product
  • Review your current system design and threat exposure
2. Gap Analysis
  • Compare current device architecture against RED cybersecurity requirements
  • Check firmware, interfaces, update mechanisms, and communication security
3. Remediation Support
  • Add or improve encryption (TLS, BLE security)
  • Support for secure boot and firmware updates
  • Help define access control and secure defaults
  • Guidance on secure software development practices
4. Compliance Documentation
  • Risk assessment summary
  • Technical file preparation (for CE marking)
  • Support for harmonised standard (EN 303 645) alignment
  • Coordination with a Notified Body (if required)

Why Oxeltech?

We advise on cybersecurity because building secure, connected IoT hardware is our main service (see our portfolio). That means we speak your language and know how to integrate compliance into your existing stack. Our experience spans:

  • IoT sensors, wearables, gateways
  • BLE, WiFi, Zigbee, LTE/5G modules
  • Embedded firmware and secure cloud integration


This experience makes us experts in EU cybersecurity compliance for IoT devices.

We can work independently as well as alongside your engineers to bring your product into compliance.

Read our case study where we helped a German IoT manufacturer reach RED Cyber DA compliance without hardware redesign.

Get Started

We offer a fast initial assessment and fixed-price packages for different product maturity levels.

Contact us to discuss your product and see how close you are to RED Cyber DA compliance.

FAQ

The RED Cybersecurity Delegated Act (EU 2022/30) applies to all radio-connected devices that fulfil one or more of these criteria:

  • Connect to the internet (directly or indirectly)
  • Process or transmit personal data (such as location, identifiers, or user behavior)
  • Can be remotely controlled or misused

This includes devices using WiFi, Bluetooth, Zigbee, LTE, or other RF protocols. Examples include connected sensors, wearables, smart home devices, BLE trackers, and gateways with companion apps.

Yes, in many cases self-declaration under Module A is sufficient, but it depends on how the manufacturer demonstrates compliance with the RED Cybersecurity Delegated Act (EU 2022/30).

Module A (Internal Production Control) allows the manufacturer to assess conformity and issue a Declaration of Conformity (DoC) without involving a Notified Body — provided certain conditions are met:

✅ When Module A is sufficient:

  • The product is designed and tested in accordance with relevant harmonised standards that fully cover the essential requirements of RED Article 3(3)(d), (e), and (f)
  • Or, the product follows widely accepted state-of-the-art standards such as ETSI EN 303 645, and all applicable cybersecurity controls are properly implemented
  • The manufacturer has a complete technical file as defined in RED Annex V

In this case, Oxeltech can support you in achieving RED Cybersecurity compliance through scope assessment, risk analysis, control implementation, and technical documentation, enabling you to self-declare and apply the CE mark.

❌ When Module A is not sufficient:

  • If no applicable standard is followed
  • If only partial implementation is done
  • Or if your conformity relies on custom or proprietary methods without published standard coverage

In these situations, a Notified Body must be involved, typically through Module B or Module H of the RED conformity process.

Yes. The documentation we provide is structured to meet the requirements of Annex V of the Radio Equipment Directive (RED) and aligned with ETSI EN 303 645, which is widely accepted by EU authorities as the basis for RED Cybersecurity compliance.

It is intended to be:

  • Used by the manufacturer to issue a valid EU Declaration of Conformity
  • Included in the device’s technical file to meet RED Article 3(3)(d), (e), and (f) obligations
  • Accepted by EU market surveillance authorities if requested during inspection or enforcement
  • Sufficient in most cases to avoid involvement of a Notified Body, provided harmonised standards are applied or widely accepted standards (like EN 303 645) are followed

Oxeltech does not act as a Notified Body and does not certify products. Instead, we help you implement the required controls and generate the technical documentation needed for self-declaration under Module A of the RED conformity assessment procedure.

The cybersecurity requirements of the RED Delegated Act become mandatory on 1 August 2025. From that date, all affected products placed on the EU market must comply with the updated essential requirements under Article 3(3)(d), (e), and (f) of the Radio Equipment Directive.

Yes, the Act still applies if your device communicates with a smartphone or another device that connects to the internet, even if it doesn’t connect directly. Indirect internet access qualifies under Article 3(3)(d). If your device also handles personal data or can be remotely controlled, it is definitely in scope.

Not necessarily. If you apply relevant harmonised standards (once published) or follow widely accepted standards such as ETSI EN 303 645, and fully implement the required controls, you can use Module A (self-assessment) to declare conformity. A Notified Body is only required if you do not follow applicable standards or need third-party validation for partial implementations.

Currently, the most widely accepted standard is ETSI EN 303 645, which outlines baseline security requirements for consumer IoT devices. While not yet harmonised under RED, it is used by many manufacturers and accepted by EU authorities as a valid basis for compliance with Articles 3(3)(d), (e), and (f).

No. Oxeltech does not act as a Notified Body and does not provide certification. Instead, we help product teams implement the required cybersecurity controls, conduct scope assessments, and prepare the technical documentation necessary for CE marking and self-declaration of conformity under the RED Cyber DA.

If your device is in scope but does not comply with the new RED cybersecurity rules by August 2025, it may be blocked from entering the EU market, fail CE marking checks, or be withdrawn by market surveillance authorities. You may also face liability for data breaches or misuse enabled by insecure device design.

If your device is not compliant with the RED Cybersecurity Delegated Act and you are already placing it on the EU market, you face several risks:

  • Regulatory enforcement by EU market surveillance authorities
  • Product withdrawal or a ban on further sales
  • Legal and financial liability in case of security breaches or misuse

Recommended actions:

  1. Immediately stop shipping the affected devices into the EU
  2. Confirm whether your product falls under Article 3(3)(d), (e), or (f) by conducting a scope assessment with Oxeltech
  3. Perform a gap analysis against an accepted cybersecurity standard such as ETSI EN 303 645
  4. Implement the missing security measures, including secure communication, secure firmware updates, and access controls
  5. Create or update your technical file and EU Declaration of Conformity
  6. If you are not using harmonised standards, consider involving a Notified Body to review and validate your compliance

Oxeltech can help with each of these steps. We support manufacturers in identifying gaps, implementing necessary changes, and preparing the required documentation so they can bring their products back into compliance and resume EU market access.
