Northern Ireland has now put EU radio equipment cybersecurity duties into domestic law. The Radio Equipment (Amendment) (Northern Ireland) Regulations 2025 were made on 25 November 2025 and start on 16 December 2025, updating the 2017 framework that applies in NI under the Windsor Framework. For firms selling IoT, wearables, toys and payment‑enabled devices into NI, these requirements move from guidance to legal obligation.

What changes in law is precise. A new regulation 6A is added to the Radio Equipment Regulations 2017 for NI. Internet‑connected radio equipment must be designed so it does not harm networks or misuse network resources; devices that let users transfer money, monetary value or virtual currency must include anti‑fraud measures; and internet‑connected gear, plus childcare devices, toys and wearables that process personal, traffic or location data, must include safeguards for user privacy. Where other EU laws already set equivalent rules, exemptions apply. These definitions mirror Commission Delegated Regulation (EU) 2022/30.

In plain terms, this captures smartwatches and fitness bands, baby monitors, connected toys with cameras or microphones, and any radio‑equipped product that can talk to the internet, directly or via another device. If that device handles card data, e‑money or crypto transfers, extra fraud‑resistance is required. Routers and access points are in scope for the network‑protection duty. Manufacturers, importers and retailers should assume coverage unless a clear legal exemption applies.

Timing matters. Across the EU, the Delegated Regulation applies from 1 August 2025 following a one‑year postponement by the Commission; NI’s enforcement point is 16 December 2025 via this UK statutory instrument. Businesses placing products on the NI market from that date should expect market surveillance against these new essential requirements. (Earlier NI changes on USB‑C ‘common charger’ took effect in December 2024, with laptops from April 2026.)

On conformity assessment, Brussels listed the new EN 18031 series as harmonised standards for RED cybersecurity on 30 January 2025, but with restrictions. Where a manufacturer fully applies the relevant EN 18031 parts, they can generally rely on presumption of conformity; if they do not apply them, or only apply them in part, a Notified Body assessment may be required for the cybersecurity elements. Build this decision into your test plan and Declaration of Conformity.

This sits alongside the UK’s consumer connectable product security regime (PSTI), which has applied UK‑wide since 29 April 2024. PSTI covers baseline measures such as unique passwords, clear statements on security updates and a vulnerability disclosure channel. In NI, many consumer devices will need both PSTI compliance and the Radio Equipment privacy, network and anti‑fraud duties set out above.

Market access mechanics also tighten. Under the EU Market Surveillance Regulation 2019/1020, products offered to NI consumers need a responsible economic operator based in NI or the EU whose contact details appear on the product, packaging or documentation. For NI, CE marking remains the default. Using an EU Notified Body avoids the UKNI mark; if a UK‑based body is used for modules that require third‑party assessment, CE+UKNI apply for NI only.

Enforcement in NI is split: Ofcom covers spectrum matters; District Councils handle safety and the broader product compliance checks. Authorities can require corrective action, withdrawals or recalls, and NI operates the RED safeguard process that notifies the European Commission when unsafe or non‑compliant CE‑marked products are removed. Retailers should expect more document spot‑checks.

For an SME example, think of a Belfast baby‑monitor brand. The product already meets PSTI with unique passwords and a disclosure policy. To sell in NI from 16 December, the team maps data flows, implements privacy protections for video and location features, documents network‑resource protections, and tests against EN 18031‑2 for privacy and EN 18031‑1 for network protection. Where a clause is out of scope or restricted, they seek a Notified Body opinion and update the EU Declaration of Conformity to cite regulation 6A and the applied standards.

Importers and retailers have homework too. Before accepting shipments for NI, they should request a refreshed technical file and Declaration of Conformity referencing regulation 6A and, where used, EN 18031. Packaging should show the NI/EU responsible economic operator’s details, and CE marking must be present. Practical due diligence now will prevent winter recalls and protect shelf space during peak trading.