LOG IN

Greece CRA risk-based approach: REDCA 50th Meeting News

Back
  • List Item #1
  • By Sebastian Medranda
  • November 10, 2025

CRA Developments and Regulatory Complexity Discussed in Athens

In Greece, the REDCA 50th meeting held in Athens on November 5th and 6th, 2025, highlighted critical updates on the European Union’s Cybersecurity Resilience Act (CRA) and changes in the regulatory environment for radio equipment. This summary outlines the comprehensive details shared during the sessions, focusing particularly on the CRA’s risk-based approach and the transition from the Radio Equipment Directive (RED).

Key Definitions under the CRA risk-based framework

The CRA remains the most discussed and complex regulatory development in the EU’s cybersecurity and conformity landscape. One of the most technically significant topics involved clarifying scope and definitions. The CRA defines what constitutes “digital elements,” with clear exemptions for items not placed on the market, such as open-source software and Software as a Service (SaaS) online platforms.

The CRA introduces new product categories that extend beyond the scope of RED. These new definitions guide manufacturers in determining whether the CRA applies to their products.

Risk Assessment and Conformity Structure

The CRA adopts a fundamentally risk-based approach that differs from RED’s traditional Conformity Assessment Procedure (C.A.P.). REDCA meeting participants emphasized several structural differences:

  • Manufacturers must assess risks against essential requirements and intended product use, aligning with the New Legislative Framework (NLF).
  • The CRA specifies different conformity procedures depending on the product’s criticality.
  • Products fall into three categories: Class 1, Class 2, and Default.
  • Class 1 and 2 products require a Notified Body (NB) assessment regardless of Harmonized Standards.
  • The Default category allows self-declaration but requires detailed specification analysis. NB involvement remains optional.

Manufacturers producing routers, gateways, and smart meters must follow defined certification pathways under the CRA.

Implementation Timeline and Transition Provisions

The CRA’s implementation roadmap and interaction with RED formed another focal point. Meeting participants confirmed several key dates:

  • December 11, 2025: CRA implementation date.
  • 2026: Vulnerability reporting requirements take effect.
  • 2027: Full CRA compliance becomes mandatory.

The Commission clarified, via Article 69, that RED and CRA will not overlap. A product compliant with RED is not automatically compliant with the CRA. Manufacturers must conduct new conformity assessments. Products placed on the market before December 11, 2025, need only meet vulnerability handling requirements.

Standardization and Guidance Status

The Commission acknowledged challenges in finalizing Harmonized Standards before the CRA becomes fully applicable:

  • Standardization bodies will prioritize standards for Important and Critical products.
  • Vertical and horizontal standards should be available by October 2026.

Regulators plan to issue additional guidance, including:

  • Clearer definitions for product categories.
  • Delegated acts on delayed notifications.
  • A reporting platform by ENISA (due by 2027), which will not publish vulnerability reports.
  • CRA-specific guidance documents prior to implementation.
  • Possible exceptions or guidance for SMEs.

Expanding Regulatory Scope for Radio Products

A growing number of regulations now apply to radio products. REDCA participants noted that a single product may need to comply with more than ten regulatory instruments, including:

  • Electromagnetic Compatibility (EMC)
  • Low Voltage Directive (LVD)
  • Resource Efficiency (ROS)
  • Eco design requirements
  • Cybersecurity frameworks
  • Digital Product Passport (DPP)

This proliferation increases the complexity of compliance for manufacturers.

State of RED Harmonized Standards and Related Developments

The most recent RED Harmonized Standards update was published in May 2025. The next update is expected around May 2026. Meanwhile, RED-related topics under discussion included:

  • The ongoing development of the Common Charging Solution, focusing on language requirements and information sheets.
  • Labeling updates for radio equipment aligning with Eco design requirements, particularly for external power supplies.

Technical Guidance Notes and Notified Body Updates

Several Technical Guidance Notes (TGNs) help standardize regulatory applications among Notified Bodies. Highlights from the meeting included:

  • TGN xx: Cybersecurity requirements under RED Articles 3(3)(d), (e), and (f)
  • TGN 01: Cybersecurity guidance for radio modules
  • TGN 20: SAR (Specific Absorption Rate) guidance
  • TGN 29: EU-TEC updates for Notified Bodies
  • TGN 30: Manufacturer risk assessments under Annex III of Directive 2014/53/EU
  • TGN 33: Application of RED to vehicles

Market Surveillance Observations

The ADCO RED session identified current industry challenges through market surveillance reports:

  • Refurbished Products: Authorities struggle to define and enforce rules around “substantial modifications.” Neither the Blue Guide nor RED Guide address this adequately, suggesting a need to update the NLF.
  • Standards Deficiencies: In Intelligent Transport Systems (ITS, subclass 13G), spectrum access standards led to contradictions and a withdrawn standard.
  • EMC Compliance and Performance: Questions were raised about whether current EMC standards meet essential requirements. Manufacturer flexibility may reduce effectiveness.
  • Non-Conformity Cases: Issues included missing CE marks and non-functional DoC website links. RED allows simplified DoC via web links, but much fail to guide users to valid documentation.
  • Future Initiatives: The revised RED Guide is delayed to mid-2026. The DPP may improve traceability but is not yet applicable to RED, pending an NLF update.

Liaison with International Organizations and Further Updates

On Day 2, participants shared updates from international regulatory bodies:

  • EU activities regarding Specific Absorption Rate (SAR)
  • TCB Council (USA) insights on FCC topics
  • Japan’s regulatory updates from the Ministry of Internal Affairs & Communications (MIC)
  • Cybersecurity discussions with CEN/CENELEC
  • Standardization updates from IEC and CISPR

These exchanges highlight the growing global interdependence in regulatory and compliance frameworks.

For continuous tracking and expert interpretation of global compliance frameworks like CRA, RED, and related regulations, explore our dedicated services at Entirety.biz

Menu

Instagram