IOT Consulting Partners
IOT Consulting Partners
IOT Consulting Partners

From RED Cybersecurity Requirements to the Cyber Resilience Act: What Changes on 11 December 2027

27 February 2026, by Michel Wouters
IoT device undergoing 4G, 5G and LTE-M certification testing for global compliance.

Background

Under the Radio Equipment Directive (RED) 2014/53/EU, cybersecurity-related requirements were introduced via Delegated Regulation (EU) 2022/30. This delegated act made the essential requirements of Article 3.3 (d), (e) and (f) applicable to certain categories of radio equipment, covering:

  • protection of networks,protection of personal data and privacy;
  • protection of personal data and privacy;
  • protection against fraud.

These requirements have applied since 1 August 2025.

In October 2024, the European Union adopted the Cyber Resilience Act (CRA Regulation EU 2024/2847), establishing a horizontal cybersecurity framework for products with digital elements.

To avoid double regulation, the European Commission decided to repeal Delegated Regulation (EU) 2022/30.

Repeal of Delegated Regulation (EU) 2022/30

Delegated Regulation (EU) 2022/30 is repealed with effect from:

11 December 2027;

This date aligns exactly with the moment the Cyber Resilience Act becomes fully applicable.

Click for the publication on Eur-Lex.

Which rules apply, and when?

Products placed on the EU market before 11 December 2027

Products placed on the market between 1 August 2025 and 10 December 2027 must comply with:

  • the Radio Equipment Directive 2014/53/EU, and
  • the cybersecurity requirements of Article 3.3 (d), (e) and (f) as applied by Delegated Regulation (EU) 2022/30;
  • Market surveillance authorities may continue to assess compliance under these rules for products placed on the market during this period.

Products placed on the EU market from 11 December 2027 onwards

  • From 11 December 2027, Delegated Regulation (EU) 2022/30 no longer applies;
  • Products with digital elements, including radio equipment, placed on the EU market on or after this date must comply with the Cyber Resilience Act (EU 2024/2847);
  • The cybersecurity objectives previously covered under RED Article 3.3 (d), (e) and (f) are fully addressed under Annex I of the Cyber Resilience Act (EU 2024/2847).

Key takeaway for manufacturers

  • There is no overlap or dual applicability after 11 December 2027;
  • The decisive factor is the date of placing on the market, not the design, manufacturing, or shipment date;
  • Manufacturers should already align new product developments with Cyber Resilience Act requirements to ensure continuity beyond 2027.

Status of harmonised standards after 11 December 2027

Harmonised standards developed under Directive 2014/53/EU in support of the cybersecurity requirements of Article 3.3 (d), (e) and (f) provide a presumption of conformity only as long as those requirements apply under the RED.

Following the repeal of Delegated Regulation (EU) 2022/30 with effect from 11 December 2027, the European Commission has indicated that references to RED cybersecurity-related harmonised standards will be removed from the Official Journal.

From that date:

  • RED harmonised standards no longer provide a presumption of conformity for cybersecurity requirements;
  • Cybersecurity compliance must be demonstrated against the Cyber Resilience Act and its applicable (harmonised) standards, once cited;
  • The use of former RED cybersecurity standards may remain technically informative, but no longer has legal standing for presumption of conformity;
  • Manufacturers should therefore plan a transition from RED-based cybersecurity standards to harmonised standards developed under the Cyber Resilience Act framework.

What should manufacturers do now?

Although the Cyber Resilience Act becomes fully applicable on 11 December 2027, product development cycles, certification planning, and cybersecurity architecture decisions are already being made today.

Manufacturers should:

  • assess which existing and future products will fall under the Cyber Resilience Act;
  • map current RED cybersecurity compliance against upcoming CRA requirements;
  • plan the transition of technical documentation, risk assessments, and conformity strategies;
  • avoid last-minute redesigns or market access delays.

Early planning is key to maintaining uninterrupted EU market access beyond 2027.

How IoT Consulting Partners can support

IoT Consulting Partners supports manufacturers, product developers, and certification teams in navigating the transition from RED cybersecurity requirements to the Cyber Resilience Act.

We help organisations:

  • interpret regulatory scope and applicability;
  • define a practical CRA transition roadmap;
  • align product design, cybersecurity measures, and technical documentation;
  • prepare for future conformity assessment and market surveillance expectations.

If you would like to start a structured transition plan or discuss how the Cyber Resilience Act affects your products, contact IoT Consulting Partners to schedule an initial consultation.

John Roording
Rick wesselink

Frequently Asked Questions

1. What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (Regulation (EU) 2024/2847) sets horizontal cybersecurity requirements for products with digital elements placed on the EU market, covering lifecycle security, documentation, and compliance.

2. When does the CRA apply, and what are the key dates?

The CRA entered into force in December 2024 and will apply in full from 11 December 2027. Reporting obligations apply earlier (from 11 September 2026).

3. Which products are in scope of the CRA?

The CRA applies to “products with digital elements” made available on the EU market (broadly covering many connected hardware and software products).

4. What obligations does the CRA impose on manufacturers?

Manufacturers must meet essential cybersecurity requirements (Annex I), including secure-by-design expectations and lifecycle measures (e.g., vulnerability handling and product security controls).

5. Does the CRA require CE marking?

Yes. Products will bear the CE marking to indicate compliance with CRA requirements, enforced by market surveillance authorities.

6. What happens to RED Delegated Regulation (EU) 2022/30?

Delegated Regulation (EU) 2022/30 is repealed with effect from 11 December 2027, to avoid overlap with CRA cybersecurity requirements.

7. Which rules apply to radio equipment before 11 December 2027?

For covered radio equipment, Delegated Regulation (EU) 2022/30 applies the RED Article 3.3 (d), (e) and (f) cybersecurity-related requirements (notably for internet-connected/wireless device categories within its scope).

8. Which rules apply to products placed on the EU market from 11 December 2027?

From 11 December 2027, products in scope must comply with the Cyber Resilience Act; the RED delegated cybersecurity act no longer applies.

9. Can RED cybersecurity harmonised standards still be used after 2027?

After 11 December 2027, RED cybersecurity harmonised standards no longer provide presumption of conformity for cybersecurity under the repealed delegated act. CRA compliance should rely on CRA-relevant standards once cited for presumption of conformity.

10. What does “date of placing on the market” mean for compliance?

It’s the moment a product is first made available on the EU market. That date determines whether RED/2022/30 or CRA obligations apply (not design or manufacturing date).

Related articles

EU Cyber Resilience Act compliance for IoT devices – secure CE mark, cybersecurity by design, deadline 2027

How Not to Be Afraid of the CRA

The Cyber Resilience Act sets new EU-wide standards for IoT devices. Non-compliance could mean blocked sales, fines, and lost trust—are you ready?

Cookie preferences

Before we start, could you tell us your cookies preferences?
You can always update your preferences at a later stage on the cookie policy page.