
CRA and RED Cybersecurity comparison for connected products

Separate the Cyber Resilience Act from the RED cybersecurity delegated act before assigning CE, technical-file, and vulnerability-handling work.

This page focuses on grounded differences for products with digital elements and radio equipment; it keeps unsupported comparison details out of the public guidance.

Author: Sorena AI
Published: Mar 4, 2026
Updated: May 25, 2026

Overview

The EU Cyber Resilience Act (CRA) and the RED cybersecurity delegated act both affect connected products, but they do different jobs. The CRA is the horizontal cybersecurity regime for products with digital elements. Delegated Regulation (EU) 2022/30 applies selected Radio Equipment Directive cybersecurity requirements to categories of radio equipment. For wireless products that are also products with digital elements, timing and scope determine which evidence file has to prove what.

Side-by-side comparison

CRA vs RED cybersecurity delegated act

Use this matrix to separate the CRA's horizontal product-cybersecurity duties from the RED delegated act's radio-equipment cybersecurity scope.

First framework
Cyber Resilience Act

Horizontal EU cybersecurity regulation for products with digital elements, including software, hardware, covered components, and covered remote data processing.

Second framework
RED cybersecurity delegated act

Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive, applying cybersecurity-related essential requirements to certain radio equipment.

Comparison row 1

Scope boundary

Cyber Resilience Act

Covers products with digital elements placed on the EU market, including software or hardware products and covered remote data-processing solutions.

RED cybersecurity delegated act

Covers categories of radio equipment specified in Delegated Regulation (EU) 2022/30, through RED Article 3(3)(d), (e), and (f).

Operational implication

Classify radio-equipment status and product-with-digital-elements status separately. A product can be both, but one conclusion does not prove the other.

Comparison row 2

Covered actors

Cyber Resilience Act

CRA generally applies from 11 December 2027, with Article 14 reporting from 11 September 2026 and notified-body provisions from 11 June 2026.

RED cybersecurity delegated act

For categories covered by Delegated Regulation (EU) 2022/30, the Commission FAQ describes a RED cybersecurity window for products placed on the market from 1 August 2025 through 10 December 2027.

Operational implication

For a radio product, keep the market-placement date in the release file. The applicable cybersecurity route can turn on whether the product is placed before or after 11 December 2027.

Comparison row 3

Trigger

Cyber Resilience Act

CRA duties include cybersecurity risk assessment, essential cybersecurity requirements, effective vulnerability handling during the support period, technical documentation, conformity assessment, EU declaration of conformity, CE marking, user instructions, and cooperation with market-surveillance authorities.

RED cybersecurity delegated act

The RED delegated act makes RED cybersecurity essential requirements applicable to covered radio equipment; evidence should stay tied to the RED conformity route and applicable radio-equipment standards or tests.

Operational implication

A RED technical file is not automatically a complete CRA file. Check whether it also covers support-period rationale, vulnerability-handling processes, CRA technical documentation, and Article 14 reporting readiness.

Comparison row 4

Core obligations

Cyber Resilience Act

Products with digital elements placed on the market before 11 December 2027 are generally subject to CRA requirements only if substantially modified from that date, but Article 14 reporting applies to in-scope products.

RED cybersecurity delegated act

If covered radio equipment was placed on the EU market during the RED cybersecurity window, later repeal of the delegated act would not undo RED market-surveillance treatment for that period.

Operational implication

Do not retrofit every pre-11 December 2027 product into full CRA documentation solely because the CRA starts applying. Do keep Article 14 reporting readiness and preserve RED evidence for radio equipment placed during the RED window.

Comparison row 5

Evidence record

Cyber Resilience Act

CRA harmonised standards are being developed under a CRA standardisation request and must address the CRA's own essential cybersecurity requirements.

RED cybersecurity delegated act

RED delegated-act standards work, including the EN 18031 context described by the Commission FAQ, can inform CRA standards and evidence where requirements overlap.

Operational implication

Reuse mappings, tests, and controls only after identifying which CRA requirement and which RED requirement each item supports.

Comparison row 6

Application window

Cyber Resilience Act

The CRA applies in full from 11 December 2027, with earlier Article 14 reporting from 11 September 2026 and Chapter IV from 11 June 2026.

RED cybersecurity delegated act

The RED cybersecurity delegated act applies to covered radio equipment placed on the market from 1 August 2025 and is described by the Commission as a transition measure until 10 December 2027.

Operational implication

Use the product's first EU market-placement date to decide whether the file needs RED transition evidence, CRA evidence, or both.

Comparison row 7

Evidence handoff

Cyber Resilience Act

Under the CRA, the technical file must support conformity assessment, CE marking, the EU declaration of conformity, and market-surveillance responses for products with digital elements.

RED cybersecurity delegated act

Under the RED delegated act, the evidence file must support compliance with the RED cybersecurity requirements for the covered radio-equipment category and the standards used for that route.

Operational implication

Keep one file structure, but split the legal basis. A shared test report can sit in both files only if each file says exactly what it proves.

Comparison row 8

Overlap control

Cyber Resilience Act

The CRA can still apply to a wireless product even when the product also falls within the RED cybersecurity scope.

RED cybersecurity delegated act

The RED delegated act can still govern radio-equipment cybersecurity for the same product during the transition window.

Operational implication

Treat overlap as an evidence-management problem, not as a choice between regimes. Decide which obligations come from the CRA and which come from the RED route.

Comparison row 9

Decision rule

Cyber Resilience Act

If the product is a product with digital elements, apply the CRA analysis for the unit or software version being placed on the market.

RED cybersecurity delegated act

If the product is covered radio equipment under Delegated Regulation (EU) 2022/30, apply the RED delegated-act analysis for the same market-placement event.

Operational implication

Use the same release record to answer both questions, then file the CRA and RED conclusions separately so the compliance team can see which regime is doing which job.

Practical decision rule

How to decide which route applies

  • Record whether the product is radio equipment, a product with digital elements, or both.
  • Record the first EU market-placement date for the unit or software version being assessed.
  • For 1 August 2025 through 10 December 2027, check RED delegated-act coverage for radio equipment and keep RED cybersecurity evidence where applicable.
  • For 11 December 2027 onward, check CRA duties for products with digital elements, including support period, vulnerability handling, technical documentation, CE marking, and reporting readiness.
  • Where one evidence artifact is reused, state exactly which CRA requirement and which RED requirement it supports.
Section 1

The core difference

The CRA defines a product with digital elements as a software or hardware product, including covered remote data-processing solutions and separately placed software or hardware components. It then imposes product lifecycle duties on manufacturers, including cybersecurity risk assessment, vulnerability handling, support-period planning, technical documentation, conformity assessment, EU declaration of conformity, CE marking, user information, and market-surveillance cooperation.

The RED cybersecurity delegated act is narrower. It supplements Directive 2014/53/EU by applying the essential requirements in Article 3(3)(d), (e), and (f) to certain radio equipment. Those RED requirements address network harm and misuse of network resources, personal data and privacy, and fraud.

  • Use CRA analysis when the item is software, hardware, or a covered component or remote processing solution placed on the EU market as a product with digital elements.
  • Use RED delegated-act analysis only when the item is radio equipment in a category covered by Delegated Regulation (EU) 2022/30.
  • A wireless product can need both analyses during the transition period; a non-radio software product does not become a RED product merely because it is connected.
Section 2

Timing for radio equipment during the transition

The Commission CRA FAQ states that the RED cybersecurity requirements made applicable by Delegated Regulation (EU) 2022/30 apply to covered radio-equipment categories placed on the market on or after 1 August 2025.

The same FAQ says the Commission aims to repeal the RED delegated act from 11 December 2027 for legal clarity. If that happens, covered radio equipment placed on the market from 1 August 2025 through 10 December 2027 remains subject to the RED cybersecurity essential requirements, while the same products placed on the market on or after 11 December 2027 are subject to the CRA cybersecurity requirements. The FAQ also says repeal would not undo RED market-surveillance treatment for products placed on the market during the RED period.

  • For covered radio equipment placed on the EU market from 1 August 2025 to 10 December 2027, keep RED cybersecurity evidence.
  • For products with digital elements placed on the EU market from 11 December 2027, prepare CRA conformity evidence unless an exclusion or specific coordination rule applies.
  • For products placed on the market before 11 December 2027, CRA Article 69 limits full CRA product duties unless there is a substantial modification, but Article 14 reporting applies to in-scope products.
Section 3

Evidence differences

A CRA file needs to show the cybersecurity risk assessment and how the product and vulnerability-handling processes meet the CRA's essential cybersecurity requirements. Annex VII names technical-documentation elements such as product description, design and production information, vulnerability-handling process details, software bill of materials where applicable, coordinated vulnerability disclosure policy, secure-update approach, support-period rationale, standards or technical specifications used, test reports, and the EU declaration of conformity.

For RED delegated-act work, the evidence should stay tied to radio-equipment conformity under the RED cybersecurity essential requirements and the standards or test evidence used for that route. The CRA standardisation request confirms that CRA harmonised standards should build on work under the RED delegated regulation where possible, but also says CRA-specific requirements must be addressed.

  • Do not treat a RED EN 18031 mapping as a complete CRA file unless it also covers CRA risk assessment, support-period, vulnerability-handling, documentation, and reporting duties.
  • Do not duplicate engineering evidence unnecessarily; reuse test results or control mappings only after the CRA and RED legal bases are separately identified.
  • Keep the market-placement date and product category conclusion with the evidence, because the transition turns on when the individual product is placed on the market.
Section 4

Practical classification questions

Start with product facts, not labels. Identify whether the item is radio equipment, whether it is a product with digital elements, whether remote data processing is part of the product function, and when each unit or software version is first placed on the EU market.

For a connected radio product, record the conclusion as CRA, RED delegated act, both during transition, or neither for the specific cybersecurity question. That conclusion should point to the source and evidence file supporting it.

  • Is the product software, hardware, or a component placed on the market as a product with digital elements?
  • Is it radio equipment in a category covered by Delegated Regulation (EU) 2022/30?
  • Was the relevant unit or version placed on the market before 1 August 2025, between 1 August 2025 and 10 December 2027, or on or after 11 December 2027?
  • Does the planned release substantially modify a pre-11 December 2027 product, or is it only a non-substantial update?
  • Which evidence will prove cybersecurity risk assessment, technical documentation, vulnerability handling, support period, CE marking, and market-surveillance response for the applicable regime?
Primary sources

References and citations

ec.europa.eu
Referenced sections
  • Supports the RED transition checks and market-surveillance treatment for covered radio equipment.
"placed on the market between 1 August 2025 and 10 December 2027"