Northern Ireland will apply EU‑style cybersecurity, privacy and anti‑fraud requirements to internet‑connected radio equipment from 16 December 2025. The statutory instrument, made on 25 November, amends the Radio Equipment Regulations 2017 by inserting a new regulation 6A; by rule it takes effect 21 days after being made, per legislation.gov.uk.

This change reflects the Windsor Framework commitment to align with specific EU product rules. The Department for Business and Trade is giving effect to Commission Delegated Regulation (EU) 2022/30, which introduces additional “essential requirements” for radio equipment: protect networks from harm or resource misuse; introduce anti‑fraud features where equipment transfers money or virtual currency; and safeguard personal data and privacy for internet‑connected devices, childcare products, toys and wearables when such devices can process personal, traffic or location data.

In practical terms, this captures a wide spread of consumer and SME kit: smart speakers and home hubs, connected doorbells, fitness bands and watches, kids’ smartwatches and toys, GPS trackers and any radio module that routes over Wi‑Fi or cellular. The legal trigger is functionality, not branding; if the device communicates over the internet and processes user data, the privacy and network‑protection duties apply.

Manufacturers now have a clearer standards route. On 30 January 2025 the European Commission listed the EN 18031 series in the Official Journal, creating a presumption of conformity for the RED cybersecurity, privacy and anti‑fraud requirements-though the listing includes restrictions. Where a restriction bites, expect a Notified Body assessment before CE marking.

There are carve‑outs. The EU text excludes radio equipment already fully covered by the medical devices regulations and, for certain obligations, by civil aviation, motor vehicle safety and electronic road‑tolling frameworks. Sector‑specific rules take precedence for those products.

This sits alongside the UK‑wide Product Security and Telecommunications Infrastructure regime, in force since 29 April 2024, which bans weak default passwords, mandates a public vulnerability disclosure route and requires manufacturers to declare a minimum security‑update period. Many brands will find the cheapest path is one build that meets both PSTI and the RED delegated act to avoid split SKUs across NI and GB.

For placing goods on the NI market, CE remains the gateway. If a UK Notified Body is used, the UKNI indication must sit alongside the CE mark, and some products also need an EU or NI‑based responsible economic operator under the EU Market Surveillance Regulation. The government’s NI guidance sets this out plainly.

Retail impact is about checks, not lab work. Distributors must verify CE marking, ensure required documentation is in English and hold back non‑conforming stock. Keep dated purchase orders and invoices to evidence when goods were ‘placed on the market’-stock already placed before 16 December isn’t retrospectively caught under the usual product‑law approach.

Two adjacent rules are worth bundling into the same compliance sprint. NI has already implemented the EU ‘common charger’ package: USB‑C and information requirements apply to phones, tablets and other categories placed on the NI market from 28 December 2024, extending to laptops from 28 April 2026. The 2025 instrument also signposts “common charger radio equipment” in the essential‑requirements list.

What to do now if you make or import connected devices: update the technical file and EU Declaration of Conformity to cite EN 18031 where applicable, or obtain a Notified Body opinion where the OJ listing places restrictions; refresh threat models and implement secure‑by‑default network behaviour, privacy‑by‑design controls and anti‑fraud features on payment‑enabled devices; and set a clean NI SKU plan for Q4/Q1 so post‑16 December shipments don’t trip distributor checks. Our read: a single UK specification that meets both RED (for NI) and PSTI (UK‑wide) will save re‑work at peak season.

Enforcement remains familiar. In NI, Ofcom handles spectrum‑related breaches, while district councils enforce safety and other aspects of the Radio Equipment Regulations. With EN 18031 now published and PSTI live, the path is defined-the operational challenge is coordinating engineering changes with packaging, documentation and channel readiness.