
Cybersecurity compliance: the RED Delegated Act and the CRA

July 24, 2025 | July 27th, 2025 | Insights

By Anna Marton, Safepay Systems

As the EU tightens cybersecurity rules for digital products, an important deadline is approaching for manufacturers of connected devices. The RED Delegated Act (RED-DA) targets wireless equipment with specific cybersecurity requirements starting in August 2025, and from 2027 onward, the Cyber Resilience Act (CRA) will apply to all products with digital elements put on the EU market which can be connected to a device or a network, including their building blocks (i.e., hardware and software).

The RED Delegated Act enters into force on 1 August 2025

The Commission Delegated Regulation (EU) 2022/30, also called the RED Delegated Act, supplements the Radio Equipment Directive (RED) by activating essential requirements related to cybersecurity for internet-connected radio devices placed on the EU market. The regulation enters into force on 1 August 2025.

The requirements apply to Articles 3(3)(d), (e), and (f) of the RED, which address network protection, personal data and privacy protection, and fraud prevention, as described in Table 1:

Table 1 – RED articles supplemented with cybersecurity requirements

| RED Article | Focus | Summary |
|---|---|---|
| 3(3)(d) | Network protection | Ensure network protection: radio equipment does not harm the network or its functioning nor misuse network resources. |
| 3(3)(e) | Privacy | Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected. |
| 3(3)(f) | Fraud | Radio equipment supports certain features ensuring protection from fraud. |

These articles specifically target connected devices, and the regulation applies to:

  • Internet-connected radio equipment (e.g., smart speakers, smart TVs, home automation devices and smart appliances, baby monitors)
  • Smart wearable devices
  • Children’s toys with wireless features
  • Wireless LAN (Wi-Fi) devices
  • Wireless card readers and other electronic payment devices
  • Smartphones, computers and other IT equipment

From 1 August 2025, manufacturers placing such products on the EU market must ensure:

  • Protection against unauthorized access and data breaches
  • Privacy-by-design and by-default mechanisms
  • Secure communication protocols
  • Measures to prevent harm to networks (e.g., from botnets or DDoS attacks)

The RED Delegated Act and the CRA

The main obligations of the Cyber Resilience Act (CRA) will apply from 11 December 2027, and the RED-DA will be withdrawn as soon as the CRA applies. The CRA, setting horizontal rules in the area of cybersecurity, offers a comprehensive cybersecurity framework for all products with digital elements, and therefore it is appropriate to repeal the RED-DA. This legislation exists in draft form at the moment and is publicly available here.

However, the RED-DA activates only limited cybersecurity requirements, while the CRA requires manufacturers of digital products (and services) to ensure cybersecurity for the whole lifecycle of their products. The RED-DA is sector-specific, focusing on wireless equipment, so manufacturers of products falling under the scope of the RED-DA can view these requirements as preparation for their CRA compliance.

Table 2 – Key differences between the RED-DA and the CRA

| Area | RED-DA | CRA |
|---|---|---|
| Targeted Products | Wireless-connected devices only | All digital products (incl. wired, software-only, cloud-delivered tools) |
| Product Lifecycle | Focuses on placing product on market | Covers entire lifecycle, including post-market support and vulnerability handling |
| Security Domains | Network protection, privacy, fraud prevention | Broad security controls: secure design, updates, secure default settings, documentation, SBOMs, and incident reporting |
| Software Scope | Implicitly included (e.g., for firmware updates) | Explicitly includes standalone software (apps, code libraries, OSes) |
