Regulation (EU) 2022/30: factsheet
Updated 1 August 2025
Additional mandatory cybersecurity essential requirements for certain categories of radio equipment placed on the market from 1 August 2025.
Applies to Northern Ireland
From 1 August 2025, there are additional essential requirements for radio equipment made available in Northern Ireland (NI). Mandatory cybersecurity requirements are applied to certain categories of radio equipment.
The factsheet provides information on:
- Key points about Regulation (EU) 2022/30
- An outline of the new requirements
- Scope of the Regulation
- What this means for businesses
- Enforcement
- Where to find the Regulation
- CE Marked radio equipment placed on the Great Britain (GB) market from 1 August 2025
Regulation (EU) 2022/30 in NI from 1 August 2025
Commission Delegated Regulation (EU)2022/30 supplements the Radio Equipment Directive which is the EU’s regulatory framework for placing radio equipment on the EU market. The Regulation applies further essential requirements that manufacturers must meet before placing certain categories of radio equipment on the EU market. The Regulation applies from 1 August 2025 in NI under the Windsor Framework in order to facilitate NI’s dual market access to the UK internal market and the EU single market.
Regulation (EU) 2022/30 at a glance
The Regulation applies further essential requirements that manufacturers must meet before placing certain categories of radio equipment on the EU market. The regulation becomes applicable on 1 August 2025.
The Regulation requires that internet-connected radio equipment (that is any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment) – such as connectable consumer electronics and smart devices – must be constructed so that it:
- does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service
- incorporates safeguards to ensure that the personal data and privacy of the user and the subscriber are protected (if the equipment is capable of processing personal data, traffic data or location data)
- supports certain features ensuring protection from fraud (if the equipment enables the holder or user to transfer money, monetary value or virtual currency)
Additionally, radio equipment which is capable of processing personal data, traffic data or location data that is:
- designed or intended exclusively for childcare
- covered by the EU’s Toy Safety Directive (2009/48/EC) or
- designed or intended to be worn, strapped to or hung from parts of the human body or clothing
must also be constructed so that it protects user/subscriber personal data and privacy, whether internet connected or not.
The EU has officially recognised harmonised standards (EN 18031-1, EN 18031-2, and EN 18031-3) that address cybersecurity requirements for radio equipment in scope of (EU) 2022/30 through technical specifications. Use of these standards for conformity assessment is voluntary.
Scope of the Regulation
None of the cybersecurity essential requirements apply to radio equipment covered by Regulation (EU) 2017/745 (The Medical Devices Regulation) or Regulation (EU) 2017/746 (The In Vitro Diagnostic Medical Devices Regulation).
The essential requirements to incorporate safeguards to ensure that the personal data and privacy of the user and the subscriber are protected, and support certain features ensuring protection from fraud, do not apply to radio equipment covered by:
- Regulation (EU) 2018/1139 (Common Rules in the Field of Civil Aviation)
- Regulation (EU) 2019/2144 (Type Approval of Vehicles, Systems and Components)
- Directive (EU) 2019/520 (Interoperability of Electronic Road Toll Systems and for Facilitating Cross-Border Exchange of Information on the Failure to Pay Road Fees in the Union)
What this means for businesses supplying radio equipment in NI from 1 August
Manufacturers placing radio equipment in scope of Regulation (EU) 2022/30 on the NI market from 1 August 2025 will need to ensure that it has been designed and manufactured in accordance with the additional essential requirements.
Manufacturers will need to carry out the appropriate conformity assessment process. Three standards (EN 18031-1, EN 18031-2, and EN 18031-3) that address cybersecurity requirements for radio equipment are recognised. Use of these standards for conformity assessment is voluntary.
Manufacturers must update the technical documentation and update the EU Declaration of Conformity referencing compliance with the additional essential requirements. Manufacturers must ensure CE marking is affixed visibly, legibly and indelibly and that proper documentation is in place before placing the product on the NI market.
Importers who place these products on the NI market and distributors who make them available on the NI market, will also need to ensure that manufacturers have complied with their responsibilities for the additional essential requirements.
Products in scope of the Radio Equipment Directive which are made available for supply in NI are excepted from compliance with the UK’s Product Security and Telecommunications Infrastructure regime (see Regulation 6 and Schedule 3 of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. Read more about Regulations for Consumer Connectable Product Security (PSTI Regime).
Enforcement
The additional requirements will come into force in NI from 1 August 2025. The Government intends to put in place, later this year, the measures necessary to provide for their enforcement.
In line with the Regulators’ Code, enforcement will continue to be proportionate, risk-based and intelligence-led, minimising disruption to compliant UK businesses. Businesses are obliged to cooperate with Market Surveillance Authorities and comply with any actions taken by a Market Surveillance Authority. Authorities continue to have an initial focus on providing effective advice and support for UK businesses, helping them to understand and meet any new obligations they may have, and applying their discretion as businesses adapt.
Where to find this Regulation
The Regulation can be found at: Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive.
Note: When first published, Delegated Regulation (EU) 2022/30 included an applicability date of 1 August 2024 but this was extended by a year to 1 August 2025.
CE marked radio equipment placed on the GB market from 1 August 2025
CE marked radio equipment placed on the GB market will need to meet these requirements:
Compliance with Regulation (EU) 2022/30:
Radio equipment must meet the Radio Equipment Directive essential requirements, including those made applicable by (EU) 2022/30, and the manufacturer must:
- provide updated technical documentation covering the further essential requirements
- provide EU Declaration of Conformity covering the further essential requirements
- affix CE marking
Compliance with the UK’s PSTI regime:
Radio equipment in scope of the UK’s PSTI regime must also meet the base line PSTI security requirements:
- banning universal default and easily guessable passwords
- publishing information on how to report security issues
- publishing information on minimum security update periods
The manufacturer must also provide a Statement of Compliance.
Manufacturers will continue to be able to place EU-compliant CE marked radio equipment on the GB market from 1 August 2025. Such products will be deemed to have met the essential requirements of the UK Radio Equipment Regulations 2017.
Read more about Placing manufactured goods on the market in GB.
Manufacturers, importers, and distributors placing or making available CE marked radio equipment on the Great Britain market will continue to have specific responsibilities. These responsibilities include ensuring that these products comply with the baseline security requirements set out in the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) and PSTI Regulations 2023, where applicable.
Read more about the Regulations for Consumer Connectable Product Security (PSTI Regime).
In line with the Government’s commitment to ensuring NI traders have unfettered access to the rest of the UK internal market, these measures will not have an impact on the movement of qualifying NI goods from NI to GB. Such goods will continue to benefit from the market access principles set out in the United Kingdom Internal Market Act 2020 and will be subject to unfettered access.
Contact us
If businesses have a specific enquiry about compliance or wish to contact us regarding an enquiry about this Regulation, please email OPSS.enquiries@businessandtrade.gov.uk.