EU Cybersecurity CRA to Replace RED Requirements by 2027

CRA Cybersecurity Compliance: A Draft Roadmap for EU Digital Products

The European Comission is undergoing a major regulatory change with CRA cybersecurity compliance set to replace the cybersecurity obligations under the Radio Equipment Directive (RED). Based on a draft Delegated Regulation, from 11 December 2027, all radio equipment with digital elements entering the EU market must comply with the Cyber Resilience Act (CRA), marking a shift away from RED Article 3(3)(d)-(f) requirements.

Understanding the Shift to CRA Cybersecurity Requirements

From RED to CRA: What’s Changing?

The draft repeal of Delegated Regulation (EU) 2022/30 requires manufacturers to prepare for the horizontal CRA cybersecurity compliance framework. This transition introduces a comprehensive compliance system, new vulnerability management processes, and updated documentation and assessment requirements.

Products particularly impacted include wireless medical devices, industrial IoT sensors, smart home devices, and vehicle connectivity modules.

Key Deadlines for CRA Cybersecurity Implementation

Immediate Actions (2024–2026)

Manufacturers should stop development of RED-specific solutions, perform a gap analysis comparing RED and CRA requirements, and adjust their quality management systems accordingly.

2027 Milestones

In the first quarter of 2027, final CRA implementing acts are expected. By 11 December 2027, CRA cybersecurity compliance will be mandatory for all new products.

Preparing for CRA Cybersecurity Compliance

Technical Documentation Updates

Manufacturers will need to reformat technical files, conduct updated risk assessments, include vulnerability disclosure documentation, and use updated EU Declaration of Conformity templates.

Organizational Changes

Companies must train engineering teams, introduce vulnerability reporting procedures, update compliance tracking systems, and consider third-party audits.

How We Can Help

Ensuring CRA compliance is crucial. Our Product Certification Service supports companies by conducting readiness assessments, reviewing technical documentation, developing compliance roadmaps, and training engineering and compliance teams.

Impact Assessment:

Technical Standards? ✅ Yes
Type Approval & Market Access? ❌ No
Imports, Customs, Trade, or Market Surveillance? ❌ No
Spectrum Management? ✅ Yes

CRA Cybersecurity Compliance: A Draft Roadmap for EU Digital Products

Understanding the Shift to CRA Cybersecurity Requirements

From RED to CRA: What’s Changing?

Key Deadlines for CRA Cybersecurity Implementation

Immediate Actions (2024–2026)

2027 Milestones

Preparing for CRA Cybersecurity Compliance

Technical Documentation Updates

Organizational Changes

How We Can Help

Impact Assessment:

Sources & Documents

Related articles

Cambodia Launches Online Type-Approved Equipment Lists

New Zealand Radio Standards Update 2025

Mexico Dissolves IFT as CRT Takes Over Telecom Regulation

Locations

Phone number

Email

Regulatory Updates

Entirety

EU Cybersecurity CRA to Replace RED Requirements by 2027

CRA Cybersecurity Compliance: A Draft Roadmap for EU Digital Products

Understanding the Shift to CRA Cybersecurity Requirements

From RED to CRA: What’s Changing?

Key Deadlines for CRA Cybersecurity Implementation

Immediate Actions (2024–2026)

2027 Milestones

Preparing for CRA Cybersecurity Compliance

Technical Documentation Updates

Organizational Changes

How We Can Help

Impact Assessment:

Sources & Documents

Related articles

Cambodia Launches Online Type-Approved Equipment Lists

New Zealand Radio Standards Update 2025

Mexico Dissolves IFT as CRT Takes Over Telecom Regulation

Menu

New Zealand Radio Standards Update 2025