Introduction
EU cybersecurity rules are expanding quickly—and broadly. Since 1 August 2025, all radio and wireless IoT devices must comply with the RED Delegated Regulation (EU) 2022/30. But that’s just the beginning. Starting December 2027, the Cyber Resilience Act (CRA) will enforce robust cybersecurity standards across all products with digital elements, not just radio-equipped devices. Understanding this transition is key—especially for manufacturers using or delivering open source components.
RED Delegated Regulation (EU) 2022/30 — Effective from 1 August 2025
This regulation amends the Radio Equipment Directive (RED) by adding mandatory cybersecurity requirements for wireless devices sold in the EU: think smartwatches, baby monitors, and other connected gadgets. Manufacturers must integrate cybersecurity early in design and documentation to qualify for CE marking.
Cyber Resilience Act (CRA) — Full Scope from 11 December 2027
Regulation (EU) 2024/2847—commonly known as CRA—became law on 23 October 2024 and applies from 11 December 2027. It mandates lifecycle-spanning cybersecurity measures (e.g., secure-by-design, incident and vulnerability reporting, automatic updates, robust documentation) across all products with digital elements, including hardware, software, and related remote services.
Key CRA timeline:
- Entered into force: 23 October 2024
- Vulnerability reporting begins: 11 September 2026
- Full compliance required: 11 December 2027
How the Two Regulations Differ & Complement Each Other
| Regulation | Scope | From When | Key Focus |
|---|---|---|---|
| RED Delegated Act (2022/30) | Radio-connected devices (IoT) | 1 Aug 2025 | Network security, privacy, fraud prevention |
| Cyber Resilience Act (CRA) | All digital products (hardware/software) | 11 Dec 2027 | Life-cycle cybersecurity: design, reporting, updates |
If your products already meet the RED Delegated Act, you’re ahead—but not future-proof yet. CRA extends cybersecurity expectations beyond connectivity, emphasizing lifecycle risk management and broader product categories.
Impact on Open Source: Who’s Obligated Under CRA?
- Commercial integrators who incorporate OSS into their products are subject to CRA obligations—reporting, documentation, and security management.
- Non-commercial OSS contributors remain exempt.
- OSS stewards (e.g., foundations) face a tailored, lighter-touch regime—no CE marking, but with responsibility for supporting secure development and coordination.
Why This Matters to You
- If you’re already RED-compliant: CRA is still a broader game—covering software and non-connected devices, with deeper requirements.
- If you rely on OSS: Technical compliance must be accompanied by proper component tracking, vulnerability policy, and documentation.
- If you’re preparing now: You can map current RED compliance to CRA and close any gaps—especially around lifecycle updates and incident readiness.
Next Steps — Cybersecurity Strategy for IoT and Beyond
- Audit your product lineup: Identify which products fall under RED only vs. CRA.
- Align processes: Sync RED cybersecurity workflows with CRA lifecycle requirements.
- Integrate OSS risk management: Track OSS dependencies and vulnerability handling.
- Document and train: Ensure technical files and teams are CRA-ready.
Take the Next Step with IoT Consulting Partners Group
IoT Consulting Partners assists clients by providing expert guidance on the Cyber Resilience Act. Additionally, our team supports the entire compliance strategy, ensuring your documentation and implementation align seamlessly with regulatory standards and industry best practices.
Ensuring compliance with global standards for radio, wireless, and electrical equipment is a complex but essential process. IoT Consulting Partners Group is here to guide you through every step, from bringing your wireless idea to life, testing and debugging to certification and market access.
Contact us today or schedule a free consultation to learn how we can help bring your product to market successfully.