EU Radio Equipment Directive (RED): RED vs Cyber Resilience Act

One security program, two legal outputs.

Use this page to align evidence and avoid duplicated testing and documentation.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Overview

Teams often ask whether CRA compliance removes the need for RED cybersecurity. The safer answer is that you likely need both, but you should not run two separate security evidence programs. Run one engineering and evidence backbone, then generate RED and CRA compliance outputs from it.

Section 1

What each instrument is trying to do

RED is radio-equipment-specific and focuses on essential requirements for making radio equipment available on the EU market.

CRA is horizontal and sets cybersecurity requirements for products with digital elements across many product categories.

  • RED: radio equipment market access and CE marking evidence; the cybersecurity essential requirements are activated for defined equipment by Delegated Regulation (EU) 2022/30
  • CRA: horizontal cybersecurity requirements (secure by design, vulnerability handling, updates, and information obligations)
  • If your product is both a radio device and a product with digital elements, plan for both compliance outputs
Section 2

Where RED cybersecurity overlaps with CRA

The overlap is engineering reality: controls and evidence you build for one can usually support the other, if structured correctly.

The trick is traceability: map the same control/test evidence to two legal requirement sets without copying and pasting.

  • Secure configuration and hardening: reducing attack surface
  • Authentication, access control, and secure communications
  • Security updates and change control
  • Vulnerability intake and remediation processes
  • Security verification and repeatable test evidence
Section 3

Where they differ (don't mix these up)

The differences are legal scope and what you need to prove.

RED cybersecurity activation is tied to the radio equipment categories defined by Delegated Regulation (EU) 2022/30; CRA obligations apply through the CRA's own scope and classification logic.

  • RED output: CE technical file module + EU DoC references for RED and any activated delegated acts
  • CRA output: CRA-specific documentation and obligations tied to CRA categories and requirements
  • RED focus areas under (EU) 2022/30: network protection, privacy/personal data, fraud protection
  • CRA focus: broader lifecycle and vulnerability-handling obligations across products with digital elements
Section 4

A practical architecture: one evidence backbone

Build one security evidence vault and index it by product variant and release.

Then generate the RED cybersecurity module and the CRA compliance pack as two views of the same artifacts.

  • One threat model per product family + variant deltas
  • One verification plan with test results per release
  • One update and vulnerability management process with logs and evidence
  • Two mappings: evidence -> RED Article 3(3)(d)(e)(f) and evidence -> CRA requirements
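
The backbone described above can be sketched as a small index. This is an added example, not Sorena's code: the artifact ids, the variant and release names, and the CRA keys are hypothetical labels (the CRA keys stand for the themes this page lists, not for citations of the CRA text), and the vault contents are constructed sample data.

```python
from dataclasses import dataclass

# RED clauses as named on this page: (d) network protection,
# (e) privacy/personal data, (f) fraud protection.
# The CRA keys are hypothetical labels for the page's CRA themes.
REQUIREMENTS = {
    "red": ["3(3)(d)", "3(3)(e)", "3(3)(f)"],
    "cra": ["secure-by-design", "vulnerability-handling",
            "updates", "information-obligations"],
}

@dataclass
class Evidence:
    eid: str      # artifact id in the vault
    variant: str  # product variant, or "*" for the whole product family
    release: str  # release, or "*" for release-independent process evidence
    red: set      # RED clauses this artifact supports
    cra: set      # CRA themes this artifact supports

VAULT = [  # constructed sample data
    Evidence("TM-001", "*", "*", {"3(3)(d)", "3(3)(e)"}, {"secure-by-design"}),
    Evidence("VT-210", "hub-eu", "2.1.0", {"3(3)(d)"}, {"secure-by-design"}),
    Evidence("VT-200", "hub-eu", "2.0.0", {"3(3)(f)"}, set()),
    Evidence("UP-007", "*", "*", {"3(3)(d)"}, {"updates"}),
    Evidence("VH-003", "*", "*", set(), {"vulnerability-handling"}),
]

def view(vault, variant, release, regime):
    """Return {requirement: [artifact ids]} for one variant and release."""
    out = {req: [] for req in REQUIREMENTS[regime]}
    for ev in vault:
        if ev.variant not in ("*", variant) or ev.release not in ("*", release):
            continue  # artifact belongs to another variant or release
        for req in getattr(ev, regime):
            if req not in out:  # reject typos instead of dropping the mapping
                raise ValueError(f"{ev.eid}: unknown {regime} requirement {req!r}")
            out[req].append(ev.eid)
    return out

def gaps(vault, variant, release, regime):
    """Requirements with no supporting artifact for this variant and release."""
    found = view(vault, variant, release, regime)
    return [req for req, ids in found.items() if not ids]

if __name__ == "__main__":
    for regime in ("red", "cra"):
        print(regime, view(VAULT, "hub-eu", "2.1.0", regime),
              "gaps:", gaps(VAULT, "hub-eu", "2.1.0", regime))
```

In the sample data the fraud-protection test exists only for release 2.0.0, so the 2.1.0 RED view reports 3(3)(f) as a gap even though the same artifact store satisfied it one release earlier.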