In March 2026, Portugal's ANACOM fined Fnac Portugal 95,625 euros and ordered the forfeiture of 17 radio devices to the state. The charge sheet reads like a compliance checklist gone wrong: four models missing the CE marking, five with no type, batch or serial identification, seven sold without Portuguese instruction manuals, and ten models for which Fnac could not produce a valid EU declaration of conformity when ANACOM asked. Across the border in Germany, the Bundesnetzagentur's 2025 market surveillance sweep flagged 7.7 million individual non-compliant devices, up from 5.3 million in 2024, and its customs cooperation blocked more than 359,000 items at the border after finding 89% of flagged consignments non-compliant.

Those enforcement numbers are the backdrop to a busier regulatory calendar than usual. The Radio Equipment Directive's cybersecurity delegated act has been fully applicable for less than a year, the Cyber Resilience Act's first hard deadline lands on September 11, 2026, and a rewritten set of RoHS lead exemptions became applicable on July 1, 2026, just weeks before this article. None of these regimes are optional extras: they sit on top of the CE marking every radio, telecom and electrical device already needs to move across the EU, the UK and Switzerland.

For a compliance team managing SKUs across all three markets, 2026 is the year three separate clocks converge on one product line at once.

Which regulators actually enforce RF and electrical equipment compliance in Europe?

No single EU agency polices radio and electrical equipment; each member state runs its own market surveillance authority against the same harmonised rules. In France, the Agence Nationale des Frequences (ANFR) inspects retailers and online listings under the Code des postes et des communications electroniques, and can issue a mise en demeure (formal notice to comply) before escalating to an administrative fine, currently capped at 7,500 euros for a legal entity and 15,000 euros for concurrent breaches. Germany's Bundesnetzagentur runs the equivalent function for the Radio Equipment Directive (2014/53/EU) and the EMC Directive (2014/30/EU), checking both online listings and physical retail. Portugal's ANACOM, as the Fnac case shows, follows the same escalation logic: identify the non-conformity, demand corrective action, and fine only if the operator does not comply.

Outside the EU, the United Kingdom's Office for Product Safety and Standards oversees the Radio Equipment Regulations 2017, while Switzerland's OFCOM administers the Ordinance on Telecommunications Installations (FAV) and the Ordinance on Electromagnetic Compatibility (OEMC). Because each authority acts on national law transposing (or mirroring) the same EU directives, a single non-compliant SKU can trigger parallel investigations in multiple countries at once, exactly the kind of cross-jurisdiction pattern that is easy to miss without per-country monitoring. Obsidian's regulatory monitoring tracks ANFR, Bundesnetzagentur, ANACOM, OPSS and OFCOM as separate tier-0 sources rather than a single blended "EU" feed, because their enforcement thresholds and procedures are not identical.

What actually triggers a fine, and how large can it get?

The Fnac Portugal file shows the pattern that recurs across enforcement actions in this sector: missing CE marking, missing product identification, and missing Portuguese-language documentation combined with a failure to act once notified. ANACOM's decision explicitly notes that in four cases the distributor did not take corrective measures after being asked to. In France, the ceiling is lower in absolute terms, 7,500 euros for a company under Article L.43 II bis of the CPCE, but ANFR's playbook is identical: a first-level correction request for minor issues, a formal mise en demeure with market withdrawal for repeat or serious issues, and only then an administrative fine or a criminal referral to the public prosecutor, since placing a non-compliant radio device on the French market is itself classified as a fifth-class criminal contravention.

The German experience shows the scale problem is structural, not incidental: Bundesnetzagentur checked nearly 2,100 equipment types in 2025 and still found 1,266 non-compliant types being sold online alone. A separate EU-funded testing campaign (JACOP 2025) run by the European Commission's DG GROW tested 173 electronic products for hazardous substances and CE documentation; 91 of them, 53%, failed on either the RoHS substance limits or missing/illegible CE marking. For a compliance officer, the lesson is less about the size of any single fine and more about the base rate: roughly half of tested consumer electronics fail some part of this checklist, which makes the marking and documentation review look less like paperwork and more like the highest-yield compliance activity available.

Is the RED cybersecurity delegated regulation still active, and for how long?

Yes, and it has real teeth today. Commission Delegated Regulation (EU) 2022/30, which switches on the Radio Equipment Directive's cybersecurity essential requirements under Article 3(3)(d), (e) and (f), has been applicable since August 1, 2025 to internet-connected radio equipment, childcare and wearable devices, and equipment handling monetary value. Implementing Decision (EU) 2025/138, published January 30, 2025, listed the harmonised standards EN 18031-1, -2 and -3:2024 with restrictions attached: a product that lets a user skip setting a password, for example, loses the presumption of conformity on that clause and needs a notified body's involvement instead of self-declaration.

That regime has an expiry date now on the books. The European Commission adopted Delegated Regulation (EU) 2026/339 on February 16, 2026, which repeals (EU) 2022/30 effective December 11, 2027, the exact date the broader Cyber Resilience Act reaches full application. Any manufacturer placing internet-connected radio equipment on the EU market between now and that date is under the RED cybersecurity regime; from December 11, 2027 onward, the same product falls under the CRA instead. Tracking which delegated act governs a given SKU on a given date is precisely the kind of question Obsidian's AI companion can answer against the underlying regulatory text instead of a compliance memo that goes stale the moment a new delegated act publishes.

What does the Cyber Resilience Act's September 2026 deadline actually require?

Article 14 of the Cyber Resilience Act, Regulation (EU) 2024/2847, becomes applicable on September 11, 2026, more than a year before the CRA's main conformity assessment obligations kick in on December 11, 2027. From that date, any manufacturer of a product with digital elements sold in the EU, regardless of where the manufacturer is based, must report actively exploited vulnerabilities and severe incidents on a staged timeline: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities or one month for incidents. Reports go once through ENISA's Single Reporting Platform (SRP), which then routes the notification to the relevant national CSIRT and every other CSIRT in a member state where the product is available.

France's implementation adds a jurisdictional wrinkle worth tracking directly: the DDADUE bill designates ANFR as France's CRA market surveillance authority, with that mission taking effect on September 11, 2026, the same date as the Article 14 duty, while the associated sanctions regime, fines up to 15 million euros or 2.5% of worldwide turnover, only activates on December 11, 2027 alongside full CRA application. The SRP itself is not yet live: ENISA confirmed it will be operational by September 11, 2026, with no API at launch, meaning the first wave of mandatory reports in this sector will be filed manually through a web portal.

RegimeWhat applies now or soonKey date
RED Cybersecurity Delegated Regulation (EU) 2022/30Mandatory essential requirements for internet-connected radio equipment; EN 18031 series with restrictionsApplicable since August 1, 2025; repealed December 11, 2027
Cyber Resilience Act, Article 1424-hour/72-hour/14-day vulnerability and incident reporting via ENISA's SRPApplicable from September 11, 2026
Cyber Resilience Act, full applicationCE marking and conformity assessment for cybersecurity; ANFR sanctions regime in FranceDecember 11, 2027
RoHS Annex III lead exemptions (restructured)Narrower sub-entries replace legacy 6(a)/6(b)/6(c)/7(a)/7(c) exemptions, most expiring 2026-2027Applicable from July 1, 2026
UK CE marking recognition (Radio Equipment Regulations 2017)CE accepted indefinitely on the GB market; UKCA remains optionalIn force since October 1, 2024

Does the RoHS Directive still matter if a device already clears CE marking for RED and EMC?

Yes, and the exemption list a manufacturer relied on last year may no longer be the current one. Three Commission Delegated Directives, (EU) 2025/1802, 2025/2363 and 2025/2364, published November 21, 2025 and entered into force December 11, 2025, replaced the broad legacy Annex III lead exemptions 6(a), 6(b), 6(c), 7(a) and 7(c) of Directive 2011/65/EU with narrower, application-specific sub-entries carrying their own expiry dates, most falling between December 2026 and December 2027. Member states had until June 30, 2026 to transpose, and the new entries became applicable July 1, 2026. Exemption 6(a), covering lead as an alloying element in steel, aluminium and copper, will not be renewed at all and lapses December 11, 2026 for any product category still relying on it.

A manufacturer whose bill of materials still cites the old exemption code on a declaration of conformity is now referencing a provision that either no longer exists or has a firm expiry date attached. That is a documentation problem as much as a chemistry one, and it applies on top of, not instead of, the RED and EMC clearance a product already holds.

What should a compliance team actually check before the next audit?

Start with the same checklist ANACOM used against Fnac: does every SKU carry a visible CE mark, a batch or serial identifier, and a declaration of conformity that a distributor can produce within days of a regulator's request, not weeks. Then map which products fall inside the RED cybersecurity delegated regulation's scope, internet-connected, childcare, wearable, or money-handling radio equipment, and confirm whether the EN 18031 restrictions apply to the implementation, since a password-less default configuration forfeits self-declaration. Finally, check the RoHS bill-of-materials references against the restructured Annex III entries before an old exemption code quietly expires.

Obsidian tracks ANFR, Bundesnetzagentur, ANACOM, OPSS, OFCOM and the European Commission's RED, EMC, RoHS and Cyber Resilience Act instruments as linked tier-0 sources, with alerts when a delegated act like 2026/339 changes a compliance clock or a new implementing decision narrows a harmonised standard's scope. See the plans built for product-compliance and regulatory-affairs teams tracking equipment across multiple European jurisdictions, or connect Obsidian's MCP directly into your own tools if your workflow already runs through an AI assistant.