Cyber Resilience Act compliance: why success starts with RED DA

Industrial organisations across Europe are aware of the requirements of the Cyber Resilience Act (CRA). However, not all businesses realise that the foundation of product security compliance already starts with the Radio Equipment Directive (RED). Explore why RED underpins the CRA and what this means for your business.

Industrial organisations know that the 2024 Cyber Resilience Act (CRA) requires them to secure digital products sold in the EU. However, the foundation of product security compliance already started with the Radio Equipment Directive (RED) since the Delegated Act back in 2021. RED governs wireless devices on the EU market and imposes strict cybersecurity requirements starting in August 2025. Discover our interpretation of RED and how to leverage its synergies with the CRA.

The cybersecurity requirements under the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA) differ significantly in scope and timing. The CRA applies broadly to digital products that exchange data with other devices or networks, regardless of how they connect. In contrast, the RED targets a narrower category – products that use wireless interfaces and can communicate with the internet. Crucially, RED’s cybersecurity requirements are mandatory as of August 1, 2025, while the CRA’s obligations will start to apply from 2026 onward.

What is the Radio Equipment Directive Delegated Act (RED DA) 2022/30?

The Radio Equipment Directive Delegated Act (RED DA) 2022/30 activates parts of an article in the existing RED and introduces mandatory cybersecurity requirements for wireless devices placed on the EU market after August 1, 2025. These requirements apply to all manufacturers globally who intend to sell relevant products in the EU.

The key goals of RED DA are to ensure that wireless devices:

  • Do not harm the network (Article 3.3 d of the Delegated Act)
  • Protect personal data (Article 3.3 e)
  • Prevent financial fraud (Article 3.3 f)

Notably, none of these goals focus on preserving the product’s own functionality or value proposition against attacks. Instead, RED prioritises safeguarding the customer’s IT environments, their data, and financial integrity. Such an emphasis signals a critical shift that manufacturers should consider from a regulatory standpoint.

' Cybersecurity is not just about protecting your product – it’s about protecting your customers. '
Derek Yu
Principal Consultant, Zühlke

Products affected include those with wireless interfaces:

  • That communicate directly or indirectly via another device with the internet*
  • Examples of such products include toys, childcare equipment, smartwatches, and fitness trackers

Excluded are products already subject to other directives with mostly stricter requirements, such as cars, aircraft, or medical devices.

*Definition of "Communication with the Internet": A device meets this criterion if it can independently establish an internet connection, regardless of whether it uses this connection or not. The condition is fulfilled as soon as the device supports the IP protocol.

Why are there additional requirements beyond the CRA?

The RED cybersecurity requirements took effect in February 2022, with a 30-month transition period later extended by a year to August 1, 2025. These requirements mark the first step in improving product cybersecurity. However, the adoption of RED DA has faced significant challenges, particularly in terms of clarity and readiness among our clients.

The CRA expands these requirements to other products and imposes stricter demands throughout a product's lifecycle. We therefore expect a short lifespan of the RED DA since it will be repealed by the European Commission to avoid regulatory overlap. Regardless, the RED DA can be seen as a leading step towards building a foundation for general digital products.

How can organisations leverage synergies between CRA and RED?

The RED requirements can be viewed as a subset of the CRA, as the CRA is broader in scope. For example, manufacturers must ensure compliance with CRA regulations throughout a product's support period which is not the case for the RED.

It is advisable to approach RED requirements in conjunction with CRA processes, documentation obligations, and product adjustments. This creates a framework meeting both regulations’ requirements.

How can product conformity be confirmed?

The RED DA was published in early 2022 by the EU. The newly developed standard series EN 18031 was released in mid-2024 and covers the following areas:

  • EN 18031-1: Article 3.3 d)
  • EN 18031-2: Article 3.3 e)
  • EN 18031-3: Article 3.3 f)

Compliance with these harmonised standards now allows for self-declaration. As of February 2025, the relevant standards are harmonised, removing the previous requirement for certification via a Notified Body.

Typical options for declaring compliance include the following: 

  • Self-Declaration (once harmonised standards are in place): Manufacturers adhere to harmonised EU standards and issue a conformity declaration. At Zühlke, we expect that most products would fall in this category, allowing manufacturers to perform self-declaration rather than going through heavyweight third-party reviews.
  • Declaration via a Notified Body: This process, independent of harmonised standards, involves obtaining type approval from an EU-recognised external entity before declaring product conformity. Adherence to an appropriate standard remains advisable.

If a company is already applying other cybersecurity standards (e.g., IEC 62443 or EN 303 645), it is not mandatory to switch to EN 18031. But this approach always requires the involvement of a Notified Body, and you must provide a detailed technical justification demonstrating how your implementation meets the essential requirements of RED DA 2022/30. While this path is generally more complex and potentially more time-consuming than using the harmonised EN 18031 standards, it may be more efficient for companies that already apply other standards, such as EN 62443, within their existing processes.

' The path to Cyber Resilience Act compliance starts now with RED DA – not in 2026. Early action means fewer surprises, smoother transitions, and stronger products. '
Manuel Weber
Lead Embedded Software Architect, Zühlke

How to move on with CRA and RED DA requirements

If your product falls under the scope of the RED and is to be sold after August 1, 2025, we recommend adhering to EN 18031 and preparing the supporting evidence. Unfortunately, manufacturers new to this domain often find it hard to interpret the requirements and incur significant compliance overhead. However, EN 18031 remains the safest bet towards self-declaration for eventual CRA compliance, as the EU standardisation bodies CEN and CENELEC have indicated its significance for the harmonised standards under the CRA.

Are sold products affected?

No, products that are already sold (“placed on the market”) are not subject to the new requirements. However, products of the same type intended for continued sale must comply with current standards.

What’s coming next?

Since the RED already includes many CRA provisions, it is recommended to address them together. Existing and developing products and processes should undergo a risk analysis to identify gaps and implement concrete measures by August 1, 2025. These measures must be validated by a test laboratory (“Notified Body”).

Zühlke is here to support you throughout this process. Our cybersecurity and devices teams offer guidance, analysis, and implementation. With decades of experience in all aspects of product development, we specialise in aligning security requirements with other needs, ensuring solutions tailored to your specific demands.

Explore how our cybersecurity experts can support you!