Global Market Access: Nemko Group AS Testing Services

From RED compliance to CRA compliance in Europe

Written by Nemko | June 2, 2026

The European Cyber Resilience Act (CRA) is now moving toward full applicability. Manufacturers currently aligned with the European Radio Equipment Directive (RED) and the European harmonized standard EN 18031 for internet radio equipment may wonder what the practical changes are and what must be done now.

The original RED was introduced in 2014 and made effective in 2017, when the situation was much different from today. Cyber threats have become more aggressive, sophisticated, and ruthless. And the capabilities of Artificial Intelligence (AI) demonstrate that this development is not slowing down anytime soon.

In 2022, the European Delegated Regulation (EU) 2022/30 (“RED Cyber”) was introduced and made effective in 2024, setting out the following “essential cybersecurity requirements” for internet-connected radio devices. The equipment:

  • must not harm networks or misuse resources,

  • must safeguard personal data and privacy, and

  • must be protected against fraud.

The standard EN 18031, published early last year, provides a basis for presumption of conformity with these general regulatory requirements. Over the last few years, manufacturers have invested significantly in ensuring conformity with these requirements.

In the meantime, the EU Cyber Resilience Act (CRA) has also come into force for products with digital elements. So how can the new requirements also be met efficiently?

“RED Cyber” introduced cybersecurity requirements for internet-connected radio equipment. The CRA builds on similar principles, but significantly broadens the scope of applicability and depth of obligations.

Equipment that is already RED-compliant based on EN 18031 is expected to satisfy the following conditions:

  • A risk-based cybersecurity approach

  • Product-level security requirements embedded by design

  • Technical documentation and conformity assessment processes

  • Some vulnerability considerations

  • Some supply chain considerations

The CRA requires additional operationalization, lifecycle governance, and supply chain maturity.

So far there are no harmonized standards for the CRA, and Notified Bodies have not yet been appointed. Various standards are currently in different stages of the development process. Elements like a secure SDLC, vulnerability management, and encryption are likely to be covered by horizontal standards, which apply broadly across product categories.

Vertical standards are product- or sector-specific standards addressing specific risks in certain product categories/classes, reflecting the importance of the product for cybersecurity, e.g. smartcards are ‘Critical’, password managers ‘Important Class I’, and consumer electronics typically ‘Default’.

As the deadlines for CRA compliance are approaching fast (the first in September this year for vulnerability handling and the second in December next year for full CRA implementation), manufacturers should determine where they stand and what essential steps to take towards CRA conformity.

A practical guide for this is available at this link.

For further information or assistance, please contact Alicja.Halbryt@nemko.com or Daniel.Breive.Havre@nemko.com.

(This article is based on an article provided by Alicja Halbryt; edited by T.Sollie)