How to ensure cybersecurity compliance across the EU with RED DA and the CRA

The EU’s RED DA – its Radio Equipment Directive Delegated Act – is now actively enforced, with compliance mandatory for all internet-connected radio equipment sold in the EU market. RED DA encapsulates new obligations for network resilience, improved protection of personal data and privacy, and reduction of monetary fraud. RED DA activates articles 3.3(d), (e), and (f) of the RED with a focus on protecting customers, not only products and the network. If a device supports the Internet Protocol (IP), it falls under RED DA, so huge numbers of devices are affected. Even device models previously shipped to the EU must comply.

Non-compliance can result in heavy penalties, enforced by individual EU member states. These include market withdrawal or recall of products, with authorities able to ban the sale of non-compliant products. Penalties can also include product seizure by customs authorities, loss of CE marking validity (meaning that the product can no longer be sold in the EU or European Free Trade Area), and significant fines. Negative publicity surrounding product recalls is also likely to cause reputational damage, compounding the penalties. Responsibility for RED DA compliance lies with the manufacturer, importer, or distributor that places the product into the EU market.

RED DA is seen as part of a wider move toward the broader Cyber Resilience Act (CRA), which covers all digital products – RED DA focuses only on radio-connected devices. Upcoming milestones include 11 September 2026, when reporting obligations for actively exploited vulnerabilities under the CRA begin, and late 2026, when draft standards for the CRA are expected. The CRA is likely to replace RED DA in late 2027, so manufacturers are using RED DA compliance efforts as a pathway to achieve more robust, long-term security that is compliant with the CRA.

A new Quectel Masterclass titled ‘RED DA: What you need to achieve cybersecurity compliance’ explains both sets of regulations. Presented by Omar Aamer, Cybersecurity Compliance Manager at Quectel, and Vladimir Rakic, Director of R&D, Europe, at Ikotek, it sets out how RED DA cybersecurity compliance now builds a direct foundation for CRA readiness.

The Masterclass scopes out the RED DA requirements, emphasising that the focus is on protecting end customers, not just a company’s product. It also clarifies when self-declaration using the EN 18031 harmonized standards is sufficient and when a Notified Body is needed.

The Masterclass also examines how RED DA is helping build the foundation for CRA readiness, which makes early action the smartest approach. The session closes with an examination of what this all means for manufacturers and ODMs in practice, covering risk analysis, gap assessment, documentation and the next steps to take. The Masterclass, which can be viewed here, also gave live attendees an opportunity to put questions to the speakers.

Relevant resources

IoT product security

IoT module security report
