EU to Repeal RED Cybersecurity Delegated Regulation as CRA Takes Over in 2027
The European Commission has announced that the RED Cybersecurity Delegated Regulation (EU) 2022/30 will be repealed on 11 December 2027, aligning with the full application of the Cyber Resilience Act (CRA). This shift is intended to eliminate overlapping cybersecurity requirements and move toward a single, consistent EU-wide framework for digital product security.
Why This Matters?
The CRA introduces broad, horizontal cybersecurity obligations that already cover the same areas addressed by the RED cybersecurity provisions. Consolidating these requirements under the CRA creates greater regulatory clarity for manufacturers and ensures a more unified approach to cybersecurity across all products with digital elements. Until 10 December 2027, radio equipment placed on the EU market must still comply with the existing RED cybersecurity rules.
What Happens After 11 December 2027?
From this date forward, the CRA becomes the primary legal framework for cybersecurity requirements in the EU. Radio equipment previously covered under RED cybersecurity rules will fall fully under the CRA’s expanded obligations, which include secure‑by‑design principles, vulnerability handling processes, updated technical documentation, and lifecycle‑long security responsibilities.
What Manufacturers Should Do Now?
- Assess and categorize your product portfolio to understand whether each device falls under RED requirements during the transition or will be regulated under CRA obligations.
- Update compliance processes, such as risk assessments, documentation, and security-by-design practices to align with CRA standards.
- Follow upcoming EU guidance, implementing acts, and harmonized standards, which will shape the practical roadmap to CRA compliance leading up to 2027.
For any questions, clarifications, or further information regarding this consultation, please contact: Sofilyx Compliance
