CRA vs. Radio Equipment Directive (RED)

How the Cyber Resilience Act replaces the cybersecurity requirements of the Radio Equipment Directive

New Horizontal Cybersecurity Regime

Comprehensive cybersecurity requirements for all products with digital elements — replaces the three RED delegated acts on cybersecurity

Existing Radio Equipment Law

Governs radio spectrum, EMC, and health protection — the cybersecurity aspects (Art. 3(3)(d)(e)(f)) are taken over by the CRA

The RED remains in force for radio aspects. But for cybersecurity, only the CRA will apply going forward. Existing RED cyber certificates have a transitional period.

2 Covered, 0 Partial, 6 Not covered

You comply with RED — what changes with the CRA?

The RED cybersecurity requirements under Art. 3(3)(d), (e), and (f) are fully replaced by the CRA. If you have already implemented these, you have a solid starting point — but the CRA goes significantly further.

CRA Requirement | Coverage by Radio Equipment Directive
RED Art. 3(3)(d)(e)(f) cybersecurity requirements
Covered

The CRA fully replaces these. Your existing implementation of RED cybersecurity requirements forms a direct foundation for CRA conformity.

Existing EU type-examination certificates
Covered

Certificates issued under RED cybersecurity remain valid for a transitional period — the exact duration depends on the certificate type.

Broader cybersecurity scope beyond RED
Not covered

The RED addresses only three specific cybersecurity aspects. CRA Annex I covers significantly broader requirements: security by design, attack surface minimization, secure default configuration, and more.

SBOM obligation
Not covered

The RED has no SBOM requirement. The CRA requires a machine-readable Software Bill of Materials for every product.

Structured vulnerability management
Not covered

The RED requires no ongoing vulnerability handling. The CRA demands systematic vulnerability management throughout the entire support period (minimum 5 years).

ENISA reporting platform
Not covered

The RED contains no reporting obligations. The CRA requires reporting actively exploited vulnerabilities to ENISA within 24 hours.

Support period
Not covered

The RED requires no declared support duration. The CRA obliges defining and communicating a support period with free security updates.

Updated conformity assessment modules
Not covered

The CRA conformity assessment (Annex VIII) differs from RED modules and requires a realignment of the assessment process.

01 Background and regulatory context

The RED was extended with cybersecurity requirements via three delegated acts: Art. 3(3)(d) network protection, (e) privacy, (f) fraud protection. The CRA fully absorbs and extends these.

  • CRA Recital 30: CRA requirements encompass all elements of RED Art. 3(3)(d), (e), and (f)
  • Grandfathering: Existing EU type-examination certificates remain valid for a transitional period
  • Extension: CRA goes significantly further with SBOM, vulnerability management, and ENISA reporting

02 Impact on product manufacturers

The CRA replaces the three RED delegated acts with a unified cybersecurity framework. The RED radio aspects remain, so in practice manufacturers face two parallel conformity assessments.

  • New CRA obligations: SBOM creation, vulnerability management, ENISA reporting (24h), EU Declaration of Conformity
  • Still RED: Spectrum usage, EMC, and health protection
  • Dividing line: Cybersecurity = CRA, radio aspects = RED

03 Transition period and grandfathering

The transition does not happen abruptly. RED cybersecurity requirements apply until December 11, 2027, then the CRA takes over completely.

  • Timeline: RED Art. 3(3)(d)(e)(f) until 11 Dec 2027, then exclusively CRA
  • Grandfathering: Existing EU type-examination certificates retain transitional validity
  • Recommendation: Use the transition period strategically — build CRA processes (SBOM, vulnerability management, ENISA reporting) in time

04 Affected product categories

All radio equipment with digital elements is affected. Products classified under CRA Annex III deserve particular attention.

  • Affected devices: WiFi routers, Bluetooth devices, smart home (Zigbee/Z-Wave/Thread), connected toys, smart speakers, IoT sensors, mobile phones, drones
  • Class I (Annex III): Routers and firewalls for private use
  • Potentially Class II: Industrial radio equipment for critical infrastructure

Synergies Between CRA and RED

The combination of CRA and RED offers manufacturers the opportunity to pursue a unified compliance strategy.

Unified CE Marking

Both legal acts use the CE marking system — manufacturers can coordinate conformity assessments.

Harmonized Standards

Harmonized standards under both legal acts enable presumptions of conformity and simplify evidence.

Consolidated Documentation

Technical documentation for CRA and RED can be merged into an integrated documentation package.

Your Next Steps

1. Extend cybersecurity scope (High priority)

Go beyond the three RED cybersecurity articles and implement the comprehensive CRA Annex I requirements: security by design, access control, data integrity, attack surface minimization.

2. Implement SBOM creation (High priority)

Integrate automated SBOM generation into your build process for all software components of your radio equipment.

3. Build ENISA reporting process (High priority)

Define internal workflows for reporting actively exploited vulnerabilities to the central ENISA platform within the 24-hour deadline.

4. Replan conformity assessment (Medium priority)

Prepare the transition from RED conformity assessment to CRA conformity assessment. Consider CRA product classification (Annex III/IV).

Frequently Asked Questions

Does the CRA fully replace the Radio Equipment Directive (RED)?
No. The CRA replaces only the cybersecurity requirements of the RED, namely the delegated acts under Art. 3(3)(d), (e), and (f). All other RED requirements — particularly regarding radio spectrum, electromagnetic compatibility (EMC), health protection, and electrical safety — remain fully in force. Radio equipment with digital elements will need conformity under both legal acts going forward: RED for radio aspects and CRA for cybersecurity.
What happens to existing EU type-examination certificates for RED cybersecurity?
Existing EU type-examination certificates issued by notified bodies under the RED cybersecurity requirements (Art. 3(3)(d), (e), (f)) remain valid for a transitional period; the exact duration depends on the certificate type. This gives manufacturers a buffer beyond the CRA application date of December 11, 2027, to transition their conformity assessment to CRA requirements.
Will WiFi routers and Bluetooth devices need dual conformity assessment?
Yes, but with clear delineation. WiFi routers and Bluetooth devices must demonstrate RED conformity for radio aspects (spectrum usage, EMC, health protection) and CRA conformity for all cybersecurity aspects. The previous RED cybersecurity assessment is eliminated in return. Overall, the effort for cybersecurity assessment will increase, as the CRA imposes significantly more extensive requirements than the previous RED delegated acts.
What specifically changes for manufacturers of IoT devices with wireless interfaces?
Four key changes apply to IoT manufacturers: (1) SBOM creation for all software components becomes mandatory, (2) vulnerability management throughout the entire support period (minimum 5 years) must be implemented, (3) actively exploited vulnerabilities must be reported to ENISA within 24 hours, and (4) security by design per CRA Annex I must be embedded in the development process. These requirements go far beyond the previous RED cybersecurity requirements.
How should manufacturers prepare for the transition?
Manufacturers should actively use the transition period until December 2027: First, conduct a gap analysis between current RED cybersecurity measures and the more comprehensive CRA requirements. Second, implement processes for SBOM creation and management. Third, establish systematic vulnerability management including monitoring and patching processes. Fourth, prepare ENISA reporting procedures. Fifth, transition internal documentation to the CRA Declaration of Conformity. Companies that have already implemented comprehensive RED cybersecurity measures have a solid starting point, but they must still add the additional CRA obligations on top.
What role do harmonized standards play in the RED to CRA transition?
Harmonized standards (hENs) will play a key role. For RED cybersecurity, harmonized standards such as EN 18031-1/2/3 have already been developed. For the CRA, dedicated harmonized standards are being developed that, when applied, establish a presumption of conformity. Manufacturers working according to future CRA harmonized standards can provide simplified conformity evidence. Until these standards are published, the general CRA requirements from Annex I serve as the benchmark.
Which products are exempt from the CRA?
Not all products with digital elements fall under the CRA. Explicitly exempt are: medical devices and in vitro diagnostics (MDR/IVDR), motor vehicles and their type-approval (UN ECE R155/R156), aviation products, products for national security or defense, and certain open-source software not made available in the course of a commercial activity. If your product falls under one of these exemptions, the respective sector-specific cybersecurity requirements apply instead of the CRA.
