What Article 3.3 Means in Practice for Connected Device Manufacturers
Article 3.3 of the Radio Equipment Directive matters because it adds requirements beyond safety, EMC, and spectrum use for certain categories of radio equipment. For connected device manufacturers, that means cybersecurity, privacy, and fraud-related obligations now need to be considered earlier in product design, documentation, and launch planning. The European Commission activated Articles 3(3)(d), (e), and (f) through Delegated Regulation (EU) 2022/30, and those requirements apply from 1 August 2025.
What Article 3.3 Changes for Manufacturers
For products in scope, Article 3.3 changes the compliance conversation from general product conformity to product-specific cybersecurity obligations. Manufacturers need to assess whether the product falls within scope, identify which of the additional requirements apply, and update technical documentation and the EU Declaration of Conformity accordingly. The UK government’s factsheet also notes that manufacturers must ensure proper documentation is in place before placing the product on the market.
In practical terms, this affects:
product scoping
technical documentation
conformity assessment
launch readiness
handoff between engineering, compliance, and product security teams
For a broader overview of the regulation itself, see RED cybersecurity requirements.
Articles 3(3)(d), (e), and (f), in Practice
Article 3.3 of the Radio Equipment Directive contains additional essential requirements for certain categories of radio equipment. For the cybersecurity topic, the key provisions are Article 3(3)(d), (e), and (f), which were activated through Delegated Regulation (EU) 2022/30. The European Commission explains that this delegated act was introduced to strengthen cybersecurity, personal data protection, and privacy for certain categories of radio equipment.
Article 3(3)(d), Protection of Networks and Network Resources
Article 3(3)(d) applies to radio equipment that can communicate itself over the internet, whether directly or through other equipment. The requirement is that the equipment must not harm the network or its functioning, and must not misuse network resources in a way that causes unacceptable degradation of service.
For manufacturers, this usually means looking at questions such as:
can the product be abused to overload or disrupt a network
can it misuse network resources through insecure behavior
do update, communication, or remote-control functions create avoidable exposure
are there controls in place to reduce these risks
In practice, this often pulls in more than the hardware. Teams may need to assess the device, the way it connects, any supporting app, backend dependencies, and the update path.
Article 3(3)(e), Protection of Personal Data and Privacy
Article 3(3)(e) applies to internet-connected radio equipment that processes personal data, traffic data, or location data. It also applies to certain categories of childcare radio equipment, toy radio equipment, and wearable radio equipment that process those data types, even where they are not internet connected. The requirement is that the equipment must incorporate safeguards to ensure the protection of personal data and the privacy of the user and subscriber.
For manufacturers, this usually means checking:
whether the product processes personal, traffic, or location data
where that data is collected, stored, transmitted, or exposed
which parts of the system handle the data, device, app, backend, or third-party services
what safeguards are in place around access, storage, transmission, and user privacy
This is one of the clearest examples of why scope often extends beyond the device itself. A product may look simple at hardware level, but the relevant privacy and data-protection risks may sit in the app, the cloud platform, or the account layer.
Article 3(3)(f), Protection Against Fraud
Article 3(3)(f) applies to radio equipment that can communicate itself over the internet and enables the holder or user to transfer money, monetary value, or virtual currency. The requirement is that the equipment must support certain features ensuring protection from fraud. For manufacturers, this usually raises questions such as:
does the product enable payments, stored value, or virtual currency activity
where are the fraud-related functions handled
what controls protect those functions from abuse or unauthorized actions
what evidence shows those protections are designed and implemented appropriately
This can be relevant beyond traditional payment devices. Any connected radio equipment that enables these types of value-transfer functions may need closer review.
Why This Matters in Practice
The practical impact of Article 3.3 is that manufacturers need to move from a broad regulatory label to a product-specific assessment.
The real questions are:
which of these provisions apply to this product
which system parts fall within scope
what controls or design decisions address the relevant requirement
what documentation and evidence support that position
The UK government factsheet also notes that manufacturers placing radio equipment in scope of Regulation (EU) 2022/30 on the market need to ensure that the product is designed and manufactured in accordance with the additional essential requirements, update the technical documentation, and update the EU Declaration of Conformity.
That is why Article 3.3 affects more than compliance wording. It changes scope, documentation, and launch readiness for connected products.
Which Products Should Pay Close Attention
A closer review is usually needed when the product:
communicates over the internet, directly or through other equipment
processes personal, traffic, or location data
includes a companion app or backend service
supports remote access, remote control, or updates
enables payment, stored value, or virtual currency transfer
The Commission and the UK government both describe the scope in terms of internet-connected radio equipment, and for Article 3(3)(e), certain childcare, toy, and wearable products that process the relevant data.
What This Means for Scoping and Documentation
Article 3.3 is where many teams realize the device alone is not the full compliance boundary. The review often needs to cover device, app, backend, account handling, data flows, update mechanisms, and supporting security processes. Manufacturers will usually need:
a clear scope definition
identification of the relevant Article 3.3 requirements
documented system boundaries
requirement mapping
updated technical documentation
an updated EU Declaration of Conformity
supporting evidence tied to the product and its controls
For a deeper look at documentation structure, see EN 18031 requirements and evidence checklist.
How EN 18031 connects to Article 3.3
The EN 18031 standards provide a recognized technical route manufacturers can use to support conformity with the RED cybersecurity requirements. The UK government factsheet states thatEN 18031-1, EN 18031-2, and EN 18031-3 are officially recognized harmonized standards for radio equipment in scope of Regulation (EU) 2022/30, while use of these standards remains voluntary
That means the practical workflow often looks like this:
determine whether Article 3.3 applies
identify which part of EN 18031 is relevant
define scope across the product ecosystem
map requirements and prepare evidence
Cyberexpert helps teams work through this — from assessing whether Article 3.3 applies, to defining scope and structuring documentation. If you're at that stage, the RED cybersecurity requirements page explains what the next steps typically look like.
If you're working through what Article 3.3 means for your specific product, the RED cybersecurity requirements page walks through the next steps, including how EN 18031 fits in and what documentation manufacturers typically need.
Related Articles
