The European Commission has adopted a Delegated Regulation repealing Delegated Regulation (EU) 2022/30 – the so-called RED Delegated Regulation on cybersecurity – with effect from 11 December 2027.

The decision aligns the treatment of cybersecurity requirements for radio equipment with the incoming Cyber Resilience Act (Regulation (EU) 2024/2847), which becomes fully applicable on the same date.

Why the change?

Delegated Regulation (EU) 2022/30 made the cybersecurity-related essential requirements in Article 3(3)(d), (e) and (f) of the Radio Equipment Directive mandatory for certain categories of connected radio equipment from 1 August 2025.

These provisions address

• Protection of networks
• Protection of personal data and privacy
• Protection against fraud

With the adoption of the Cyber Resilience Act in October 2024, the EU introduced a horizontal cybersecurity framework for products with digital elements. The essential cybersecurity requirements in Annex I of the Act cover the same substantive elements as those in Article 3(3)(d), (e) and (f) of the RED.

The Commission has therefore acted to avoid regulatory duplication and legal uncertainty by repealing the RED Delegated Regulation once the Cyber Resilience Act applies in full.

Transitional position

The repeal does not take effect until 11 December 2027.

This means:

• Between 1 August 2025 and 10 December 2027, applicable radio equipment must comply with the RED cybersecurity provisions as required under Delegated Regulation (EU) 2022/30.
• From 11 December 2027, cybersecurity obligations for relevant radio equipment will instead fall under the Cyber Resilience Act framework.

Market surveillance authorities retain the power to assess compliance with the RED requirements for products placed on the market during the transition period.

What this means for manufacturers

For manufacturers of connected devices – including IoT, consumer electronics and radio-enabled products – the regulatory landscape is consolidating rather than expanding.

However, this should not be mistaken for simplification.

The Cyber Resilience Act introduces:

• Mandatory cybersecurity risk assessments
• Secure-by-design and secure-by-default obligations
• Vulnerability handling and reporting requirements
• Technical documentation and conformity assessment duties
• Ongoing lifecycle security responsibilities

While the duplication between RED and CRA is being removed, the depth and breadth of cybersecurity compliance obligations will increase.

Strategic implications

Manufacturers currently preparing for RED Article 3(3)(d), (e) and (f) compliance must now ensure their approach is aligned with the broader and more prescriptive requirements of the Cyber Resilience Act.

Key considerations include:

• Ensuring technical documentation supports CRA essential requirements
• Reviewing supply chain and software component risk management
• Preparing for updated conformity assessment pathways
• Anticipating enhanced scrutiny from notified bodies and market surveillance authorities

The 11 December 2027 deadline may appear distant, but design cycles, certification timelines and product lifecycles mean preparation cannot wait.

Regulatory certainty – but rising expectations

The Commission’s action provides welcome clarity by removing parallel cybersecurity regimes for radio equipment.

At the same time, the transition reinforces a clear policy signal: cybersecurity for connected products is moving from targeted sectoral obligations to a unified, high-standard regulatory regime.

For manufacturers operating in the EU market, strategic preparation for the Cyber Resilience Act is now central to maintaining market access.

SafeShark continues to work closely with manufacturers and partners to support practical, end-to-end compliance planning across RED and CRA requirements, ensuring businesses move from uncertainty to structured, defensible conformity.

Get in touch today.