RED and CRA overlap for connected radio products: 2025-2027 transition
RED Delegated Act 2022/30 and CRA overlap for connected radio products — the 2025-2027 transition, EN 18031 coverage, gap to CRA Annex I Part II, dual obligations.
By Vladimír Vician
If you sell a Wi-Fi, Bluetooth, cellular, Thread or Zigbee product into the EU, you now face two overlapping cybersecurity frameworks. The Radio Equipment Directive (RED), through Commission Delegated Regulation (EU) 2022/30, already pulls connected radio equipment into Article 3(3)(d), (e) and (f) of Directive 2014/53/EU. On top of that, the Cyber Resilience Act (Regulation (EU) 2024/2847) becomes generally applicable on 11 December 2027 and brings horizontal essential cybersecurity requirements for all products with digital elements. Both regimes will sit on the same product, at the same time.
This article maps the overlap — what each instrument covers, what EN 18031 buys you under RED, where the CRA goes further (especially Annex I Part II vulnerability handling), and how to plan a technical file that survives both regulators. It is a comparison-style companion to our deeper walkthroughs on the RED Delegated Act and EN 18031 and CRA Annex I.
What RED already requires (and from when)
Directive 2014/53/EU is the Radio Equipment Directive. Article 3(3) lists nine essential requirements that the Commission can activate for specific categories or classes of radio equipment by delegated act. The final paragraph of Article 3(3) is explicit:
"The Commission shall be empowered to adopt delegated acts in accordance with Article 44 specifying which categories or classes of radio equipment are concerned by each of the requirements set out in points (a) to (i) of the first subparagraph of this paragraph."
The Commission used that power in Commission Delegated Regulation (EU) 2022/30 to activate three of those essential requirements for connected radio products.
Article 3(3)(d) — network protection
Article 3(3)(d) of the RED requires that "radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service". Article 1(1) of Delegated Regulation 2022/30 extends that requirement to "any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment". That is a broad sweep — anything from a smart light bulb to a 5G router falls inside.
Article 3(3)(e) — personal data and privacy
Article 3(3)(e) of the RED requires that "radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected". Article 1(2) of 2022/30 extends this requirement to four categories: internet-connected radio equipment, radio equipment "designed or intended exclusively for childcare", radio toys covered by Directive 2009/48/EC, and wearable radio equipment — in each case where the equipment can process personal data, traffic data or location data.
Article 3(3)(f) — fraud protection
Article 3(3)(f) of the RED requires that "radio equipment supports certain features ensuring protection from fraud". Article 1(3) of 2022/30 extends this requirement to "any internet-connected radio equipment, if that equipment enables the holder or user to transfer money, monetary value or virtual currency". That captures payment terminals, NFC-enabled smartphones, hardware wallets and any IoT device that initiates value transfer.
Application date
The application date for these new RED obligations was originally 1 August 2024 and was postponed by a year. From 1 August 2025, every covered radio product placed on the EU market must comply with the activated essential requirements. The route to presumption of conformity is the EN 18031 family of harmonised standards (EN 18031-1, -2 and -3, mirroring (d), (e) and (f)).
What the CRA adds on top
The Cyber Resilience Act is a horizontal cybersecurity regulation. Unlike RED, it does not start from radio technology — it covers all "products with digital elements" placed on the EU market.
Timing under Article 71
Article 71(1) of Regulation (EU) 2024/2847 follows the standard EU formula: the Regulation enters into force on the twentieth day following its Official Journal publication. The Commission's Cyber Resilience Act policy page confirms entry into force on 10 December 2024.
Article 71(2) then staggers application: Chapter IV on notified bodies (Articles 35 to 51) applies from 11 June 2026, the Article 14 reporting obligations apply from 11 September 2026, and the rest of the Regulation — including Annex I essential requirements, conformity assessment and the Article 13 manufacturer obligations — applies from 11 December 2027. See our dedicated CRA timeline guide and the September 2026 reporting checklist.
Annex I Part I — product cybersecurity properties
CRA Annex I Part I sets out the essential cybersecurity requirements for the product itself: an appropriate level of cybersecurity based on risks, delivery without known exploitable vulnerabilities, secure-by-default configuration, protection of confidentiality and integrity of stored, transmitted and processed data, and minimisation of attack surfaces, among others. The Commission's own CRA policy page summarises these as the product-side requirements. Read our Annex I deep dive for the full taxonomy.
There is substantial conceptual overlap with EN 18031-1 (network) and EN 18031-2 (personal data). For many connected radio products, the same technical control — say, mutual authentication on a Bluetooth pairing — satisfies both regimes' product-side expectations.
One email at launch · cancel any time
Annex I Part II — vulnerability handling
This is where the regimes diverge. CRA Annex I Part II imposes a vulnerability handling process on the manufacturer that has no parallel in RED. The required components include: identification and documentation of vulnerabilities and components contained in the product (the software bill of materials — SBOM); addressing and remediating vulnerabilities without delay, including by providing security updates; and publicly disclosing information about fixed vulnerabilities so users can identify the products affected.
Article 14 of the CRA layers on top a 24-hour notification duty to ENISA for actively exploited vulnerabilities and severe incidents (see our ENISA 24-hour reporting guide). EN 18031 has nothing equivalent. A connected radio product compliant with EN 18031-1, -2 and -3 will still need a whole new internal process to satisfy CRA Annex I Part II from 11 December 2027.
Penalties
Article 64 of the CRA sets a three-tier penalty structure. Article 64(2) provides "administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of the its total worldwide annual turnover for the preceding financial year, whichever is higher" for breaches of Annex I essential requirements and the Article 13 and 14 obligations. Article 64(3) sets "administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher" for other specified obligations. Article 64(4) sets up to "EUR 5 000 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher" for incorrect or misleading information supplied to notified bodies or market surveillance authorities.
These are orders of magnitude larger than the RED penalty regime, which is delegated to national legislation.
Where the two overlap — and where they don't
| Topic | RED 2022/30 + EN 18031 (from 1 Aug 2025) | CRA (from 11 Dec 2027) |
|---|---|---|
| Network protection | Article 3(3)(d) + EN 18031-1 | Annex I Part I |
| Personal data and privacy safeguards | Article 3(3)(e) + EN 18031-2 | Annex I Part I |
| Fraud / financial protection | Article 3(3)(f) + EN 18031-3 | Annex I Part I (overlap) |
| SBOM | Not required | Annex I Part II — required |
| Vulnerability remediation duty | Not required as a process | Annex I Part II — required |
| Public disclosure of fixed vulnerabilities | Not required | Annex I Part II — required |
| 24-hour incident notification to ENISA | Not required | Article 14 — from 11 Sept 2026 |
| Conformity assessment | Internal control (Module A) for most | Module A, B+C or H depending on Annex III classification |
The pattern is clear. RED via EN 18031 covers the product-side cybersecurity slice. The CRA covers the same product-side slice plus a process-side slice (vulnerability handling, reporting, transparency) that did not exist before.
Practical sequencing for manufacturers
If you are placing a connected radio product on the EU market today, the practical sequence is:
- By 1 August 2025: be compliant with RED Article 3(3)(d), (e) and (f) as activated by 2022/30. Use EN 18031-1, -2, -3 for presumption of conformity. Update your Declaration of Conformity and technical file accordingly.
- By 11 June 2026: be aware that CRA notified bodies start operating. Important products in Annex III Class II and critical products in Annex IV may require notified body involvement — see when you need a notified body and the important products list.
- By 11 September 2026: have a CRA Article 14 reporting process in place — actively exploited vulnerabilities and severe incidents to ENISA within 24 hours of becoming aware. Walk through our September 2026 reporting checklist.
- By 11 December 2027: full CRA conformity. SBOM in place, vulnerability handling process operational, public disclosure mechanism live, conformity assessment completed under the right Module A through H — and Declaration of Conformity updated to cite Regulation (EU) 2024/2847. See our December 2027 readiness guide.
Common mistakes
- Treating EN 18031 as enough for CRA. It is not. EN 18031 has no SBOM, no vulnerability handling process, no public disclosure duty. You need a separate CRA programme.
- Assuming RED exemptions carry to CRA. Article 2 of 2022/30 carves out medical, aviation, vehicle and toll equipment from the new RED requirements. The CRA has its own scope and exclusions — do not assume a RED carve-out translates.
- Forgetting the EU Authorised Representative. Non-EU manufacturers placing connected radio products on the EU market need an EC REP under both RED and the CRA. The CRA explicitly names the authorised representative role.
- Single point-in-time conformity thinking. RED has historically been a "ship and forget" model. The CRA is continuous — you must maintain vulnerability handling for the product's support period. Build the operational capability now, not in late 2027.
- Wrong Declaration of Conformity update timing. When the Commission amends a directive or delegated act you already cite, the Declaration must be updated and re-issued. The 2022/30 transition is a textbook trigger.
How Cenitia helps
Cenitia is built around exactly this overlap. Our compliance vault maps your connected radio product against every RED Article 3(3) activation, every EN 18031 clause, and every CRA Annex I Part I and Part II requirement in one place. When you upload your SBOM, the platform highlights the components that drive CRA Annex I Part II evidence (vulnerability documentation, security update process, public disclosure entry points). When the European Commission amends 2022/30 or publishes implementing acts under the CRA, the regulation watcher flags every Declaration of Conformity that is affected.
For the dual-obligation window from 1 August 2025 through 11 December 2027 onwards, Cenitia generates a single technical file that satisfies both regimes — RED EN 18031 test evidence in one section, CRA Annex I Part I product properties in another, and CRA Annex I Part II vulnerability handling in a third — with citations to the underlying Official Journal articles in every section.
One email at launch · cancel any time
Frequently asked questions
When does the RED Delegated Act 2022/30 actually start to apply?
Article 1 of Commission Delegated Regulation (EU) 2022/30 extends RED Article 3(3)(d), (e) and (f) to connected radio products. The application date was postponed once and is now 1 August 2025. From that date, every Wi-Fi, Bluetooth, cellular, Thread or Zigbee product that places radio equipment on the EU market must meet the cybersecurity, personal data and fraud-protection essential requirements specified for its category in 2022/30.
What does CRA Article 71 actually say about timing?
Article 71(1) of Regulation (EU) 2024/2847 provides that the Regulation enters into force on the twentieth day following its Official Journal publication — which was 10 December 2024. Article 71(2) then staggers application: Chapter IV on notified bodies (Articles 35 to 51) applies from 11 June 2026, Article 14 reporting obligations from 11 September 2026, and the rest of the Regulation from 11 December 2027.
Is EN 18031 enough for CRA compliance?
No. EN 18031-1, -2 and -3 are RED harmonised standards built around Article 3(3)(d), (e) and (f). They cover network protection, personal data and privacy safeguards, and fraud protection. CRA Annex I Part II adds a separate set of vulnerability handling duties — drawing up a software bill of materials, addressing and remediating vulnerabilities without delay through security updates, and publicly disclosing information about fixed vulnerabilities — that are not in scope of EN 18031.
Do I need two Declarations of Conformity for the same Wi-Fi product?
Until the European Commission clarifies lex specialis between RED and CRA, the safe planning assumption is that a connected radio product placed on the market after 11 December 2027 needs both RED conformity (citing Directive 2014/53/EU including the Article 3(3) extensions) and CRA conformity (citing Regulation (EU) 2024/2847). In practice this can be one Declaration listing both legal instruments, but the underlying conformity assessment evidence is two separate streams.
How big are the CRA fines compared with RED?
CRA Article 64(2) sets administrative fines for breaches of the Annex I essential requirements and the manufacturer obligations in Articles 13 and 14 at up to EUR 15 000 000 or 2.5 percent of total worldwide annual turnover, whichever is higher. Article 64(3) sets up to EUR 10 000 000 or 2 percent for other specified obligations, and Article 64(4) sets up to EUR 5 000 000 or 1 percent for supplying incorrect or misleading information to notified bodies or market surveillance authorities. RED enforcement is left to national legislation under Directive 2014/53/EU and is generally lower in stated maxima.
What about radio equipment used as a medical device?
Article 2 of Commission Delegated Regulation (EU) 2022/30 exempts radio equipment subject to Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices from the new RED Article 3(3)(d), (e) and (f) requirements. That exemption is RED-specific. The CRA has its own scope rules and exclusions — connected radio products that are medical devices need a separate CRA scope analysis.
Related from the Library
- RED Delegated Act and EN 18031 walkthrough
- CRA Annex I explained
- CRA timeline and reporting obligations
- CRA December 2027 readiness
Further reading
- Directive 2014/53/EU — Radio Equipment Directive (EUR-Lex)
- Commission Delegated Regulation (EU) 2022/30 (EUR-Lex)
- Regulation (EU) 2024/2847 — Cyber Resilience Act (EUR-Lex)
- Directive 2009/48/EC — Safety of toys (EUR-Lex)
- European Commission — Cyber Resilience Act policy page
- Regulation (EU) 2017/745 — Medical Devices Regulation (EUR-Lex)
- Regulation (EU) 2017/746 — In Vitro Diagnostic Medical Devices Regulation (EUR-Lex)
Last reviewed: 5 July 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.
FAQ
Frequently asked questions
When does the RED Delegated Act 2022/30 actually start to apply?
Article 1 of Commission Delegated Regulation (EU) 2022/30 extends RED Article 3(3)(d), (e) and (f) to connected radio products. The application date was postponed once and is now 1 August 2025. From that date, every Wi-Fi, Bluetooth, cellular, Thread or Zigbee product that places radio equipment on the EU market must meet the cybersecurity, personal data and fraud-protection essential requirements specified for its category in 2022/30.
What does CRA Article 71 actually say about timing?
Article 71(1) of Regulation (EU) 2024/2847 provides that the Regulation enters into force on the twentieth day following its Official Journal publication — which was 10 December 2024. Article 71(2) then staggers application: Chapter IV on notified bodies (Articles 35 to 51) applies from 11 June 2026, Article 14 reporting obligations from 11 September 2026, and the rest of the Regulation from 11 December 2027.
Is EN 18031 enough for CRA compliance?
No. EN 18031-1, -2 and -3 are RED harmonised standards built around Article 3(3)(d), (e) and (f). They cover network protection, personal data and privacy safeguards, and fraud protection. CRA Annex I Part II adds a separate set of vulnerability handling duties — drawing up a software bill of materials, addressing and remediating vulnerabilities without delay through security updates, and publicly disclosing information about fixed vulnerabilities — that are not in scope of EN 18031.
Do I need two Declarations of Conformity for the same Wi-Fi product?
Until the European Commission clarifies lex specialis between RED and CRA, the safe planning assumption is that a connected radio product placed on the market after 11 December 2027 needs both RED conformity (citing Directive 2014/53/EU including the Article 3(3) extensions) and CRA conformity (citing Regulation (EU) 2024/2847). In practice this can be one Declaration listing both legal instruments, but the underlying conformity assessment evidence is two separate streams.
How big are the CRA fines compared with RED?
CRA Article 64(2) sets administrative fines for breaches of the Annex I essential requirements and the manufacturer obligations in Articles 13 and 14 at up to EUR 15 000 000 or 2.5 percent of total worldwide annual turnover, whichever is higher. Article 64(3) sets up to EUR 10 000 000 or 2 percent for other specified obligations, and Article 64(4) sets up to EUR 5 000 000 or 1 percent for supplying incorrect or misleading information to notified bodies or market surveillance authorities. RED enforcement is left to national legislation under Directive 2014/53/EU and is generally lower in stated maxima.
What about radio equipment used as a medical device?
Article 2 of Commission Delegated Regulation (EU) 2022/30 exempts radio equipment subject to Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices from the new RED Article 3(3)(d), (e) and (f) requirements. That exemption is RED-specific. The CRA has its own scope rules and exclusions — connected radio products that are medical devices need a separate CRA scope analysis.
Continue reading
Related guides
reference
ETSI EN 303 645 — the 13 consumer IoT controls explained
The 13 high-level provisions of ETSI EN 303 645 v2.1.1 (June 2020) and v3.1.3 (September 2024) explained, with the TS 103 701 conformance assessment mapping.
11 min read
reference
RED Annex IV path: when radio equipment needs a Notified Body
RED Annex IV path — when radio equipment requires Notified Body full quality assurance (Module H), versus Module A self-assessment under Article 17(2).
9 min read
reference
EN 18031-1 vs -2 vs -3: which part applies to your radio product
EN 18031-1, -2 and -3 compared — scope, mechanism families, and a decision tree for RED Article 3(3)(d), (e) and (f) under Delegated Regulation 2022/30.
13 min read
guide
RED Delegated Act + EN 18031 — the self-assessment walkthrough for radio products
Step-by-step walkthrough of RED Delegated Act 2022/30 cybersecurity self-assessment under EN 18031-1, -2, -3 — scope, process, tests, and CRA overlap.
14 min read
Put this into practice
Free tools & references
- Do I need a Notified Body?Find out, per regulation, whether a Notified Body is required.Open tool →
- EU Directive SelectorDescribe your product and find which EU directives and regulations apply.Open tool →
New to the terminology? Browse the compliance glossary — plain-English, citation-backed definitions of every term above.