IOT Consulting Partners
IOT Consulting Partners
IOT Consulting Partners

From RED Cybersecurity Requirements to the Cyber Resilience Act: What Changes on 11 December 2027

24 February 2026, by Michel Wouters
IoT device undergoing 4G, 5G and LTE-M certification testing for global compliance.

Background

Under the Radio Equipment Directive (RED) 2014/53/EU, cybersecurity-related requirements were introduced via Delegated Regulation (EU) 2022/30. This delegated act made the essential requirements of Article 3.3 (d), (e) and (f) applicable to certain categories of radio equipment, covering:

  • protection of networks,protection of personal data and privacy;
  • protection of personal data and privacy;
  • protection against fraud.

These requirements have applied since 1 August 2025.

In October 2024, the European Union adopted the Cyber Resilience Act (CRA), establishing a horizontal cybersecurity framework for products with digital elements.

To avoid double regulation, the European Commission decided to repeal Delegated Regulation (EU) 2022/30.

Repeal of Delegated Regulation (EU) 2022/30

Delegated Regulation (EU) 2022/30 is repealed with effect from:

11 December 2027;

This date aligns exactly with the moment the Cyber Resilience Act becomes fully applicable.

Click for the publication on Eur-Lex.

Which rules apply, and when?

Products placed on the EU market before 11 December 2027

Products placed on the market between 1 August 2025 and 10 December 2027 must comply with:

  • the Radio Equipment Directive 2014/53/EU, and
  • the cybersecurity requirements of Article 3.3 (d), (e) and (f) as applied by Delegated Regulation (EU) 2022/30;
  • Market surveillance authorities may continue to assess compliance under these rules for products placed on the market during this period.

Products placed on the EU market from 11 December 2027 onwards

  • From 11 December 2027, Delegated Regulation (EU) 2022/30 no longer applies;
  • Products with digital elements, including radio equipment, placed on the EU market on or after this date must comply with the Cyber Resilience Act (EU 2024/2847);
  • The cybersecurity objectives previously covered under RED Article 3.3 (d), (e) and (f) are fully addressed under Annex I of the Cyber Resilience Act (EU 2024/2847).

Key takeaway for manufacturers

  • There is no overlap or dual applicability after 11 December 2027;
  • The decisive factor is the date of placing on the market, not the design, manufacturing, or shipment date;
  • Manufacturers should already align new product developments with Cyber Resilience Act requirements to ensure continuity beyond 2027.

Status of harmonised standards after 11 December 2027

Harmonised standards developed under Directive 2014/53/EU in support of the cybersecurity requirements of Article 3.3 (d), (e) and (f) provide a presumption of conformity only as long as those requirements apply under the RED.

Following the repeal of Delegated Regulation (EU) 2022/30 with effect from 11 December 2027, the European Commission has indicated that references to RED cybersecurity-related harmonised standards will be removed from the Official Journal.

From that date:

  • RED harmonised standards no longer provide a presumption of conformity for cybersecurity requirements;
  • Cybersecurity compliance must be demonstrated against the Cyber Resilience Act and its applicable (harmonised) standards, once cited;
  • The use of former RED cybersecurity standards may remain technically informative, but no longer has legal standing for presumption of conformity;
  • Manufacturers should therefore plan a transition from RED-based cybersecurity standards to harmonised standards developed under the Cyber Resilience Act framework.

What should manufacturers do now?

Although the Cyber Resilience Act becomes fully applicable on 11 December 2027, product development cycles, certification planning, and cybersecurity architecture decisions are already being made today.

Manufacturers should:

  • assess which existing and future products will fall under the Cyber Resilience Act;
  • map current RED cybersecurity compliance against upcoming CRA requirements;
  • plan the transition of technical documentation, risk assessments, and conformity strategies;
  • avoid last-minute redesigns or market access delays.

Early planning is key to maintaining uninterrupted EU market access beyond 2027.

How IoT Consulting Partners can support

IoT Consulting Partners supports manufacturers, product developers, and certification teams in navigating the transition from RED cybersecurity requirements to the Cyber Resilience Act.

We help organisations:

  • interpret regulatory scope and applicability;
  • define a practical CRA transition roadmap;
  • align product design, cybersecurity measures, and technical documentation;
  • prepare for future conformity assessment and market surveillance expectations.

If you would like to start a structured transition plan or discuss how the Cyber Resilience Act affects your products, contact IoT Consulting Partners to schedule an initial consultation.

John Roording
Rick wesselink

Related articles

EU Cyber Resilience Act compliance for IoT devices – secure CE mark, cybersecurity by design, deadline 2027

How Not to Be Afraid of the CRA

The Cyber Resilience Act sets new EU-wide standards for IoT devices. Non-compliance could mean blocked sales, fines, and lost trust—are you ready?

Cookie preferences

Before we start, could you tell us your cookies preferences?
You can always update your preferences at a later stage on the cookie policy page.