Published on: February 27, 2025

Two major EU cybersecurity regulations are coming, and manufacturers need to prepare:
RED Delegated Act (RED DA) – Deadline: August 1, 2025.
Cyber Resilience Act (CRA) – Deadline: December 2027, with some requirements kicking in as early as 2026.
While both laws are important, RED DA is especially urgent. If your product falls under its scope, you must comply in a few months to continue selling in the EU. The good news? Standards are already available to guide you through the process (See also New RED Standards Published: Is Your Business Ready for Compliance?).
Security Pattern helps Device Manufacturers Navigate the Complex Landscape of Regulations
For both RED DA and CRA, compliance is essential to affix the CE marking to your product. By affixing the CE marking, the manufacturer declares on their sole responsibility that the product conforms to all applicable Union legislative requirements.
In this post, we address:
Which products are in scope?
What happens to products already in stock?
Do I need to obtain certification?
Are my products in scope for RED DA and CRA?
Understanding whether your product falls under the RED DA and/or the CRA can be tricky. While RED DA has a more specific focus, CRA applies more broadly. Let’s break it down.
RED DA: Internet-connected radio devices
RED DA applies to radio equipment that is itself capable of communicating over the internet, whether directly or through another device. This means the device itself must be capable of exchanging data with the internet, even if it uses intermediate equipment to get online.
But what does “communicates itself” mean? This is where things get a bit unclear. Let’s look at two examples:
Not in scope: a Bluetooth headset only ever connects locally (e.g., to a laptop). Even if the laptop sends audio over a Teams call, the headset itself is not internet-connected, since it never attempts to send data to the internet by itself.
In scope: a Wi-Fi-enabled thermostat connects to a remote server to send data. Even though it relies on a home router, modem, and ISP to reach the internet, the thermostat itself initiates the communication, so it falls under RED DA.
These examples are not exhaustive, of course. More generally, here are some questions you can start asking yourself about your device to quickly determine if it is in scope:
Does the device implement a TCP/IP protocol, whether over its radio interface or over another interface? If yes, then the device is clearly in scope.
If not, the device has a non-IP-based radio interface (e.g., Bluetooth). Then, is it designed to initiate communication with the internet (e.g., a cloud service) in some way, such as via an app, a gateway, or a router? If yes, then we would still consider it in scope.
If all answers are NO, it becomes harder to generalize, and a more detailed analysis may be needed to reach a conclusion.
In general, if your device actively initiates data exchange with the internet, it falls within the scope of RED DA. However, this does not cover all possible cases, and borderline situations may need to be assessed individually.
Still in doubt? Reach out to us for an Applicability Assessment
CRA: Digital products
Unlike RED DA, CRA covers all products with digital elements that connect to another device or network, either directly or indirectly. This includes both hardware and software unless specifically excluded (e.g., some open-source software or products already regulated, like medical devices).
Key difference? Internet connectivity isn’t even required: if your product has digital components that interact with other systems, it’s covered by CRA.
You might avoid RED DA, but you can’t escape CRA
The scope of RED DA can be confusing, especially for borderline cases. But even if your product isn’t covered by RED DA, CRA will almost certainly apply, so cybersecurity compliance isn’t something you can ignore.
Therefore: If you’re making any kind of connected device, it’s time to start preparing.
Do RED DA and CRA apply to already manufactured products?
The answer might not be what you’re hoping for.
The Blue Guide, a key European reference, explains how EU laws apply based on when a product is manufactured and sold. Let’s break it down.
The applicability rule
“Products must be in compliance with the legislation applicable at the time of placing on the market.”
But what does placing on the market mean?
“A product is placed on the market when it is made available for the first time on the Union market. A product is made available on the market when supplied for distribution, consumption, or use in the Union market in the course of a commercial activity, whether in return for payment or free of charge.”
Does this apply to a product model or each individual unit?
“Placing on the market refers to each individual product, not to a type of product. Even though a product model or type has been supplied before new Union harmonisation legislation laying down new mandatory requirements entered into force, individual units of the same model or type, which are placed on the market after the new requirements have become applicable, must comply with these new requirements.”
Still confused? Let's give an example.
Example of applicability
Day 1: A manufacturer has 100 units of a product in stock.
Day 2: The manufacturer supplies 20 units (Batch 1) to a retailer. Batch 1 is now placed on the market as it is made available for the first time.
Day 3: A new EU legislation takes effect, for which the product is in scope. Batch 1 is not affected since it was already placed on the market.
Day 4: The retailer sells a unit from Batch 1 to an end user. No change in obligations. Batch 1 remains outside the new law’s scope.
Day 5: The manufacturer supplies 30 more units (Batch 2) to another retailer. Batch 2 is placed on the market after the law has taken effect, so it must be compliant.
So, if you’re supplying a product after August 1, 2025, even if you have already sold the same model before, it must comply with RED DA.
Can I do a self-assessment for compliance?
Good news: in many cases, yes, a self-assessment is enough.
For RED DA, you can perform a self-assessment using the EN 18031 standards, unless your device fails certain restrictions (see Cybersecurity standards EN 18031 are now harmonized).
In short, the only impactful restriction applies if your internet-connected radio equipment enables monetary transfers. In this case, the European Commission states that EN 18031 does not always confer a presumption of conformity. Since no clear alternative compliance instructions are provided, involving a Notified Body is almost always required in this case.
Additionally, if you choose self-assessment and your device fails any applicable EN 18031 tests, self-assessment is no longer an option, and you can choose to consult a Notified Body for further evaluation.
For CRA, self-assessment is also possible in most cases, but we still don’t know which standards will apply or the exact requirements. However, some high-risk device categories must go through a Notified Body, including firewalls, secure elements, and tamper-resistant microprocessors and microcontrollers.
Of course, even if not strictly required, you can still choose to go through a Notified Body. Alternatively, we can assist you with technical guidance to help navigate compliance requirements.
Concluding Remarks
Both the RED DA and CRA introduce critical cybersecurity requirements for manufacturers, but they apply differently depending on the nature of your products. Understanding whether your products fall under one or both regulations is crucial for timely compliance. With deadlines fast approaching, now is the time to take action, ensure your products meet the necessary requirements, and avoid any disruptions to your market access in the EU.
How Security Pattern can help
We offer various consultancy services and training modules to support your organization with cybersecurity challenges.
Compliance GAP analysis
Discover our Compliance Gap Analysis for RED DA, EN 18031, and CRA.
IoT Security Checkup
The Security Checkup quickly and effectively highlights the threat exposure level of a platform and defines which countermeasures can be implemented to prevent cyberattacks.
Threat Modeling and Risk Assessment
Threat modeling and risk assessment are critical activities in cybersecurity, aimed at identifying, evaluating, and prioritizing potential threats to assets.
Penetration Testing
We can perform the functional EN 18031 tests as well as other types of tests, such as penetration and fuzz testing.
Security Pattern’s cybersecurity experts have been supporting Device Manufacturers since 2017.