NI smart device security rules start 16 Dec 2025

If you teach with tablets, run a robotics club, or buy smart toys at home, new rules in Northern Ireland will soon matter to you. The Radio Equipment (Amendment) (Northern Ireland) Regulations 2025 update the 2017 law so connected devices such as IoT kits, toys and wearables must meet security and privacy safeguards. The instrument has been laid and comes into force 21 days after being made, which government materials indicate as 16 December 2025. These changes give effect to the EU’s cybersecurity Delegated Regulation for radio equipment under the Windsor Framework, keeping NI aligned with EU consumer protections.

What’s actually changing is simple to state and important to teach. A new rule, regulation 6A, says internet‑connected radio equipment must be built so it can’t damage networks or hog network resources; devices that let you move money must include features to protect users from fraud; and any covered device that can process personal, traffic or location data must include safeguards for users’ privacy. This sits inside the existing Radio Equipment Regulations 2017, so manufacturers still have to follow the same conformity checks, now with these extra requirements included.

Who’s in scope? The EU’s wording covers radio kit that can communicate over the internet by itself, directly or through another device. That captures phones and tablets, smart speakers, routers and modems, classroom microcontrollers with Wi‑Fi or Bluetooth, trackers, connected toys, and most wearables. The law also singles out childcare devices, toys regulated under the EU Toy Safety Directive, and anything designed to be worn on the body or attached to clothing.

Why these safeguards now? Lawmakers point to very real risks seen in schools and homes: devices with default passwords, unencrypted set‑ups, microphones and cameras collecting audio and video, and sensors logging heart rate or sleep. Without basic protections, that data can leak or be misused. The EU’s official text spells out those examples and requires privacy‑by‑design for such equipment.

Network resilience is part of the lesson too. Unsecured gadgets can be hijacked and used in attacks that flood networks, knock services offline and degrade performance for everyone on campus or at home. That’s why the regulation requires devices not to harm networks or misuse resources in ways that cause unacceptable service degradation.

Money matters get special treatment. If a device enables payments or transfers of monetary value or virtual currency (think contactless on a smartwatch), it must include features that protect users from fraud. That obligation is now explicit in the amended rules for Northern Ireland.

There are boundaries to avoid double‑regulation. Equipment already governed by specific EU regimes (like medical devices, aviation equipment or certain in‑vehicle systems) sits outside these new radio‑equipment duties because those sectors have their own safety and cybersecurity rules.

Timelines can be confusing, so here’s the clear version you can share. Across the EU, the cybersecurity requirements under Delegated Regulation (EU) 2022/30 apply from 1 August 2025 after a one‑year postponement agreed in 2023. In Northern Ireland, the UK instrument that embeds these duties in the domestic 2017 Regulations takes effect on 16 December 2025, ensuring local enforcement aligns with that EU framework.

How compliance is checked hasn’t been reinvented. The amendment updates regulation 41 so the existing conformity assessment routes under the Radio Equipment Directive point to the new 6A requirements as well. In short: same testing architecture, more to test for.

What should you look for when buying? In Northern Ireland, CE marking remains the route to show a product meets EU rules; if a UK body carried out mandatory third‑party assessment, you’ll see CE alongside the UKNI indication. UKCA on its own isn’t valid for NI. This matters for school purchasing and family gifts: choose products that declare conformity correctly.

Practical classroom and home tips don’t change, but they matter more now. Update device firmware, change default passwords, turn off location sharing unless you really need it, and check the privacy settings on apps used by pupils. The legal duties sit with manufacturers and importers; choosing compliant products and using them wisely is how we share the load.

For context, NI already implemented the EU’s common‑charger rules in 2024, requiring USB‑C for many devices and clearer charging information, with laptops following from April 2026. Together with the new cybersecurity duties, this is a push for clearer, safer consumer tech, which is useful framing for a digital citizenship lesson.
