Is the cybersecurity part of the Radio Equipment Directive applicable for my product?

Commission delegated regulation (EU) 2022/30 defines the applicability of articles 3.3 (d ), (e) and (f) to internet-connected devices, which itself can communicate over the internet.

The essential requirement set out in Article 3.3 (d), of Directive 2014/53/EU shall apply to any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment (‘internet-connected radio equipment’).

The manufacturer has to define the intended use of its radio equipment. Especially when the radio equipment is part of a system, consisting of radio equipment and non-radio equipment. The product documentation (user manual and risk assessment) have to clearly state this intended use. When the intended use of the radio equipment is that it can generate or receive personal data, traffic or location over the internet (by itself or via other equipment), than the radio equipment is considered to be internet-connected.

Hence, for internet connected devices, articles 3.3 (d ), (e) and (f) are applicable to the radio equipment. For example a wireless sensor, whose data can be accessed on the internet via a gateway.

When the manufacturer clearly declares the radio equipment is not internet connected (directly or via any other equipment), then articles 3.3 (d ), (e) and (f) are not applicable. In this case it is essential that the product documentation (risk assessment and user manual) is written in line with the declared (point-to-point) usage. For example a wireless sensor which is coupled to a dedicated local monitoring panel which is not connected to internet.