Which rule governs cybersecurity for radio equipment right now?
As of mid-2026, radio equipment placed on the EU market must meet the cybersecurity essential requirements of Article 3(3), points (d), (e) and (f), of the Radio Equipment Directive (2014/53/EU), made applicable by Commission Delegated Regulation (EU) 2022/30. Those requirements have applied to equipment placed on the market since 1 August 2025. The Cyber Resilience Act exists and is in force, but its substantive manufacturer obligations do not bite until 11 December 2027.
Why is this a Directive-plus-delegated-act, not a Regulation?
The cyber duties for radio equipment are essential requirements of the RED — a Directive (2014/53/EU) transposed into each Member State's national law. Delegated Regulation (EU) 2022/30 'switched on' Article 3(3), points (d), (e) and (f), for specified categories and classes of radio equipment. The Cyber Resilience Act, Regulation (EU) 2024/2847, is by contrast a directly applicable Regulation that needs no national transposition. A Directive activated by a delegated act versus a standalone Regulation is the core structural difference between the two regimes.
- RED 2014/53/EU — a Directive of 16 April 2014; Art. 3(3)(d) protection of the network and against resource misuse, (e) protection of personal data and privacy, (f) protection against fraud.
- Delegated Regulation (EU) 2022/30 of 29 October 2021 — activates those points for in-scope radio equipment; applies from 1 August 2025.
- CRA — Regulation (EU) 2024/2847 of 23 October 2024; horizontal cybersecurity for 'products with digital elements'.
What dates actually trigger each regime?
- 1 August 2025 — RED cyber requirements (Delegated Reg (EU) 2022/30, as amended by 2023/2444) apply to radio equipment placed on the market.
- 10 December 2024 — the CRA entered into force (the twentieth day following its OJ publication on 20 November 2024).
- 11 June 2026 — CRA Chapter IV (Articles 35 to 51, notification of conformity assessment bodies) applies.
- 11 September 2026 — CRA Article 14 reporting obligations apply.
- 11 December 2027 — the CRA's main manufacturer obligations (including Article 13) apply.
Which regime applies turns on the date the product is placed on the market — defined by the CRA as 'the first making available of a product with digital elements on the Union market'. Radio equipment placed on the market from 1 August 2025 owes the RED cyber duties; products with digital elements placed on the market from 11 December 2027 owe the full CRA.
How is the RED-to-CRA boundary drawn?
The CRA itself draws the line. Its recitals state that the CRA's essential cybersecurity requirements 'include all the elements of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU'. To avoid double regulation, the Commission is to repeal or amend Delegated Regulation (EU) 2022/30 so that it ceases to apply to products that fall under the CRA. Until that happens, a manufacturer of radio equipment with digital elements can be subject to both, and the Commission is to provide transitional guidance to those dual-covered manufacturers.
The CRA's transitional rule (Article 69) sets the handover for stock already on shelves: products placed on the market before 11 December 2027 fall under the CRA only if they are substantially modified on or after that date — with one carve-out, the Article 14 reporting duty, which reaches all in-scope products already on the market. EU type-examination certificates issued under other Union legislation for cybersecurity requirements remain valid until 11 June 2028 unless they expire sooner.
What standards give presumption of conformity?
Harmonised standards confer a presumption of conformity from the date their reference is published in the Official Journal. For the RED cyber requirements, Commission Implementing Decision (EU) 2025/138 of 28 January 2025 (published 30 January 2025) cited the EN 18031 series:
- EN 18031-1:2024 — supports Article 3(3), point (d) (protection of the network).
- EN 18031-2:2024 — supports Article 3(3), point (e) (personal data and privacy); listed with restrictions.
- EN 18031-3:2024 — supports Article 3(3), point (f) (fraud / equipment processing virtual money or monetary value); listed with restrictions.
The restrictions on EN 18031-2 and -3 concern their default-password clauses, which do not confer presumption of conformity, so manufacturers relying on those parts must demonstrate compliance by other means for the restricted clauses. Under the CRA, presumption of conformity will come from harmonised standards developed for that Regulation; the Commission has indicated the EN 18031 standardisation work should feed that effort.