What's Changing in Electronics Compliance: RED Cybersecurity, RoHS, FCC, and APAC Updates

RED Cybersecurity Requirements - Articles 3.3(d)(e)(f) Now Mandatory

From 1 August 2025, all radio equipment placed on the EU market must comply with cybersecurity requirements under Articles 3.3(d), (e), and (f) of the Radio Equipment Directive (RED 2014/53/EU), activated by Delegated Regulation (EU) 2022/30. Harmonised standards EN 18031-1, EN 18031-2, and EN 18031-3 were published in January 2025 and provide the conformity pathway. Article 3.3(d) addresses network non-interference; 3.3(e) addresses personal data and user privacy; 3.3(f) addresses protection against fraud, particularly for payment-capable devices.

The practical consequence is that any manufacturer with Wi-Fi, Bluetooth, cellular, Zigbee, or other radio-equipped products that are still being placed on the EU market must have updated their Declaration of Conformity and Technical Construction File to include the cybersecurity assessment. CE marking issued before August 2025 that does not include the cybersecurity provisions is technically incomplete for products that continue to be placed on the market. These requirements will be superseded by the broader Cyber Resilience Act when it becomes fully applicable on 11 December 2027.

RoHS Exemptions 6(a) and 6(b) Not Renewed

The European Commission adopted renewal decisions for key RoHS Annex III exemptions in September 2025 (including Delegated Directive EU 2025/2364), entering into force 11 December 2025. Exemption 6(a) - lead as an alloying element in steel for machining and galvanised steel - was not renewed, and expires 11 December 2026 for EEE categories 1-7 and 10. Exemption 6(b) - lead in aluminium - was not renewed in its general form: 6(b)-I (recycled scrap aluminium) expires 11 December 2026, and 6(b)-II (machining aluminium) expires 11 June 2027.

Manufacturers using these materials in affected product categories must complete reformulation or material substitution before the relevant expiry date. Applications for renewal of exemptions expiring 31 December 2027 must be submitted by 30 June 2026 under Article 5(5) of the RoHS Directive - missing this window closes the renewal route entirely.

WEEE Directive Evaluation and German National Amendments

The European Commission published a formal WEEE Directive evaluation in July 2025, examining whether the framework remains fit for purpose. A revision process is anticipated but no formal proposal has been published. In the interim, Germany has amended its national WEEE Act (ElektroG): manufacturers must mark takeback collection points with the Annex 3a label by 1 January 2026, and distributors must display the symbol at store entrances and near EEE sales areas by 30 June 2026. These national requirements apply immediately and independently of any EU-level revision.

CE Marking Accepted for GB Market - No End Date Currently

As of 2024, the UK government has indefinitely extended recognition of the CE mark for Great Britain. CE marking is legally equivalent to the UKCA mark for products subject to relevant UK regulations, with no announced end date. Manufacturers can currently place CE-marked products on the GB market without separately obtaining UKCA marking, provided the underlying UK technical requirements are met - which in most cases align with EU harmonised standards. Northern Ireland continues to require CE marking under the Windsor Framework. Manufacturers planning long-term GB market access should nonetheless maintain UKCA-compatible technical documentation in case the government's position changes.

UK RoHS and UK WEEE - Independent Enforcement from EU

UK RoHS (SI 2012/3032 as amended) is enforced independently by the Office for Product Safety and Standards (OPSS). The restricted substance list and concentration limits broadly mirror EU RoHS, but exemptions may diverge over time as the UK and EU regulatory pathways separate. UK WEEE obligations run in parallel - producers must register with an approved compliance scheme, meet collection targets, and comply with UK producer responsibility requirements. Dual registration is required for manufacturers selling into both EU and GB markets.

PSTI Act 2022 - Consumer Product Cybersecurity Requirements Active

The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 has imposed minimum cybersecurity requirements on consumer connectable products sold in the UK since April 2024. The three baseline requirements are: no default passwords (each device must have a unique password or require users to set one at setup); a published vulnerability disclosure policy; and transparency on minimum security update periods. These requirements apply to manufacturers, importers, and distributors of connectable consumer products. The UK's product cybersecurity framework is separate from the EU's RED Article 3.3 pathway and the forthcoming CRA - compliance with one does not automatically satisfy the other.

FCC Part 15 - SDoC and Full Certification Requirements

FCC 47 CFR Part 15 regulates all electronic devices emitting radiofrequency energy in the 9 kHz to 3,000 GHz range. Unintentional radiators - devices that generate but do not intentionally transmit RF, such as computers, displays, and power supplies - require a Supplier's Declaration of Conformity (SDoC) based on testing by an accredited laboratory, with no pre-approval from the FCC. Intentional radiators - Wi-Fi, Bluetooth, cellular, and similar - require full FCC certification through an FCC-recognised Telecommunications Certification Body (TCB) and are assigned an FCC ID that must be permanently affixed to the product. Class B, the more stringent classification, applies to consumer products. The FCC and CE frameworks are entirely separate - there is no mutual recognition between them, and products require both to access both markets.

CPSC and California-Specific Compliance Obligations

The Consumer Product Safety Commission (CPSC) enforces testing and certification requirements for children's electronics and electronic toys under the Consumer Product Safety Improvement Act (CPSIA), covering lead content, phthalates, and flammability. California's Proposition 65 requires consumer warnings for products containing listed chemicals including lead, cadmium, and certain flame retardants. California's Electronic Waste Recycling Act imposes take-back and fee obligations on covered devices sold in the state. Federal FCC and CPSC compliance does not satisfy California-specific obligations - both must be addressed independently for the California market.

FCC Cyber Trust Mark - Voluntary IoT Cybersecurity Labelling

The FCC's Cyber Trust Mark programme, launched in 2024 and based on NIST cybersecurity criteria, provides voluntary cybersecurity labelling for consumer IoT devices including smart home products, wearables, fitness trackers, and appliances. While voluntary at federal level, major retailers and government procurement programmes are increasingly referencing Cyber Trust Mark status in vendor and product qualification processes. Unlike the EU's mandatory RED cybersecurity requirements and forthcoming CRA, US federal IoT cybersecurity requirements remain largely voluntary for consumer products as of early 2026. Manufacturers targeting both EU and US markets should plan for the mandatory EU pathway first and assess whether voluntary US Cyber Trust Mark certification makes commercial sense for their product categories.

China: CCC Mandatory, China RoHS Updated Under GB 26572-2025

China Compulsory Certification (CCC) is mandatory before IT equipment, audio/video equipment, and specified electrical products can be imported, sold, or used in China - no market access is possible without it. The certification process requires testing by a CNCA-designated laboratory and factory inspection, typically taking 3-6 months for established product categories. China RoHS compliance under GB 26572-2025 applies to products outside the CCC catalogue: an FAQ document published in November 2025 clarified product scope, implementation dates, and labelling requirements. Non-CCC products may also require hazardous substance labelling under SJ/T 11364.

South Korea: KC Certification and USB Type-C Mandate from November 2026

South Korea requires mandatory KC (Korea Certification) marking for safety and EMC compliance across a broad range of electrical and electronic products, administered by the National Radio Research Agency (RRA) for radio equipment and bodies such as the Korea Testing Laboratory (KTL) for safety. From 5 November 2026, new consumer devices - smartphones, tablets, cameras, headphones, and portable speakers - must use USB Type-C charging ports under MSIT Notice 2025-56, modelled on EU Directive 2022/2380. India requires mandatory BIS (Bureau of Indian Standards) registration under the Electronics and Information Technology Goods Order for smartphones, laptops, tablets, power banks, and specified peripherals.

Japan VCCI and Australia-New Zealand RCM

Japan's VCCI mark is technically voluntary but commercially essential for IT equipment - major distributors and retailers require it, making market access practically impossible without compliance. VCCI Class B applies to products used in home and office environments; Class A to industrial use. Australia and New Zealand use the mandatory RCM (Regulatory Compliance Mark), which combines electrical safety and EMC certification and replaces the former C-Tick and A-Tick marks. RCM is mandatory for prescribed electrical equipment, and registration with the Electrical Equipment Safety System (EESS) database is required for certain product categories.