
RED-DA & CRA: A Guide for Manufacturers on EU Rules

Jul 29, 2025 Digital & Product Solutions / Cyber Security
The EU cybersecurity landscape is shaping Europe’s digital future. In a world increasingly driven by interconnectivity, and with over 40 billion IoT devices projected by 2030, strengthening cyber resilience to safeguard our communication and data is an urgent need. To face this challenge, the EU is introducing a combination of legislation, such as the RED Delegated Act (RED-DA) and the Cyber Resilience Act (CRA), aimed at securing our networks, devices and data.
For manufacturers, the race to build compliant and future-proof cybersecurity strategies is already underway. The question is: are you and your products ready for what’s coming?

What’s RED-DA? Understanding the EU’s Game-Changing Directive

The European Commission (EC) introduced a new Delegated Act under the Radio Equipment Directive (RED) (2022/30). Entering into force on August 1st, 2025, this regulation sets important cybersecurity requirements for manufacturers, importers and distributors of radio-enabled devices. Since most IoT products use wireless technologies and networks, such as Wi-Fi, complying with RED-DA requirements will be a must if you want to place your products on the EU market.
The goal of this legislation is clear: to strengthen network resilience, enhance consumers' security and privacy, and prevent monetary fraud. If you are a manufacturer, figuring out whether your product falls under RED-DA isn’t just a box to check – it’s something you need to address urgently to ensure continued access to the European market.

Are your Products in Scope for RED-DA?

This regulation applies to any radio equipment that can connect to the internet, either directly or through another device, radio equipment that processes personal data, and radio equipment that processes payments. This includes a wide range of connected products found in both consumer and industrial settings. Some examples covered by RED-DA cybersecurity requirements include:
  • Mobile phones, tablets, and other telecommunication devices.
  • IoT connected products that can transmit or receive data.
  • Smart toys and connected child gadgets, such as baby monitors.
  • Wearable devices such as smartwatches or connected hearing aids.
  • Connected smart meters, wireless sensors and other interconnected industrial devices.
Keep in mind, though, that these examples don’t cover every possible case. Products in grey areas often require a closer look to determine whether RED-DA applies, so it’s worth assessing them carefully.

What’s CRA? Navigating the Future of Cybersecurity in Europe

The EU Cyber Resilience Act (CRA) is a new EU regulation created to enhance the cybersecurity of products with digital components, both hardware and software. It introduces mandatory cybersecurity requirements for manufacturers and retailers covering the planning, design, development, and maintenance of these products. At its core, the CRA reinforces the principle of “security by design”, requiring companies to prioritize cybersecurity throughout the entire product lifecycle. The regulation officially entered into force in December 2024, but its main obligations will apply from December 11th, 2027.

Are your Products in Scope for CRA?

This regulation applies to most products that connect directly or indirectly to another device or network, with a few exceptions. Examples of products covered under CRA’s cybersecurity requirements include:
  • Embedded systems such as industrial controllers, sensors and appliances that rely on integrated software.
  • Smart home devices, connected gadgets, and any internet-enabled equipment.
  • Software platforms, including cloud-based services and applications that support remote data processing for businesses, SaaS offerings included.

What’s out of CRA’s Scope?

  • Certain types of open-source software.
  • Products already covered by other EU regulations, such as medical devices, aviation equipment and vehicles.
These exceptions exist because those products are already covered by existing industry-specific rules. Nonetheless, products that do fall under CRA will need to carry the CE marking to demonstrate compliance. This will help customers make more informed decisions by trusting the cybersecurity of CE-marked products.

Facing RED-DA & CRA: How to Prepare for the Road Ahead

Unlike RED-DA, CRA applies to any product with digital components, hardware or software, that connects to any other device or network, either directly or indirectly. The major difference? CRA doesn’t require internet connectivity. If your product includes digital elements that interact with other systems, then it’s covered by CRA.
Although the scope of RED-DA can be complex, CRA will almost certainly apply to your products, so cybersecurity compliance is no longer optional.
At DEKRA we provide cybersecurity testing and certification services to safeguard your digital assets and ensure full compliance with current and upcoming regulations. With over 20 years of experience, our accredited services support global market access and help build trust with your customers.