The European Commission has extended the deadline for mandatory cybersecurity requirements targeting wireless and connected devices sold within the EU.

Under the Delegated Act (2022/30) of the Radio Equipment Directive, manufacturers must embed robust security features to guard against risks such as unauthorised access and data breaches. The rules will now take effect from 1 August 2025.

A broad range of products will be affected, including mobile phones, tablets, cameras, and telecommunications devices using radio signals.

Internet of Things (IoT) items-such as baby monitors, smartwatches, fitness trackers, and connected industrial machinery-also fall within the scope. Any device capable of transmitting or receiving data wirelessly may be subject to the new requirements.

The deadline extension aims to give manufacturers additional time to adopt harmonised standards and integrate cybersecurity into product design. The Commission emphasised the importance of early action to avoid compliance issues when the rules become binding.

Despite the grace period, businesses are urged to act now by reviewing development cycles and addressing potential vulnerabilities well ahead of the implementation date.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!