Delegated Act of the RED Directive on Cybersecurity

The new articles to be included are:

  • 3(3)(d), to ensure network protection;
  • 3(3)(e), to ensure safeguards for the protection of personal data and privacy,
  • 3(3)(f), to ensure protection from fraud. 

Applicability of these articles:

  • 3(3)(d) shall apply to any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment (‘internet-connected radio equipment’).
  • 3(3)(e) shall apply to any of the following radio equipment, if that radio equipment is capable of processing personal data or traffic data and location data.
  • 3(3)(f) shall apply to any internet-connected radio equipment, if that equipment enables the holder or user to transfer money, monetary value or virtual.

Excluded from parts of this applicability are devices that are already covered in other (harmonized) regulations and directives, such as Medical devices, In-Vitro Diagnostic Medical Devices, Civil aviation including drones and remote control systems, Motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, Electronic road toll systems


The delegated act will come into force following a two-month scrutiny period, should the Council and Parliament not raise any objections (that will be end of 2021).

Following the entry into force, manufacturers will have a transition period of 30 months to start complying with the new legal requirements. 


Manufacturers can prove the conformity of their products by ensuring their assessment by relevant notified bodies such as LCIE Bureau Veritas

Consult our service offer for Cybersecurity, click here