EU extends cybersecurity deadline for wireless devices
The publication of harmonised standards and clear testing criteria is expected to simplify the compliance process, particularly for smaller manufacturers that may lack extensive in-house regulatory expertise
The European Commission has extended the deadline for mandatory cybersecurity requirements targeting wireless and connected devices sold within the EU. Under the Delegated Act (2022/30) of the Radio Equipment Directive, manufacturers must embed robust security features to guard against risks such as unauthorised access and data breaches. The rules will now take effect from 1 August 2025.
A broad range of products will be affected, including mobile phones, tablets, cameras, and telecommunications devices using radio signals.
Internet of things (IoT) items, such as baby monitors, smartwatches, fitness trackers, and connected industrial machinery, also fall within the scope. Any device capable of transmitting or receiving data wirelessly may be subject to the new requirements.
The deadline extension aims to give manufacturers additional time to adopt harmonised standards and integrate cybersecurity into product design. The Commission emphasised the importance of early action to avoid compliance issues when the rules become binding.
Despite the extension, manufacturers are strongly encouraged to begin preparations immediately, reviewing product development cycles and addressing potential vulnerabilities early to avoid costly redesigns and compliance issues once the rules become binding.
