The European Commission has formally adopted a Delegated Regulation repealing Delegated Regulation (EU) 2022/30, commonly referred to as the RED Cybersecurity Delegated Regulation.
The repeal will take effect on 11 December 2027, the same date on which the Cyber Resilience Act (Regulation (EU) 2024/2847) becomes fully applicable.
This development marks a significant structural shift in how cybersecurity requirements for connected products will be regulated in the European Union.
Background: RED Cybersecurity Requirements
Delegated Regulation (EU) 2022/30 supplemented the Radio Equipment Directive (Directive 2014/53/EU – RED) by making certain cybersecurity-related essential requirements applicable to specific categories of radio equipment.
Specifically, it rendered applicable the essential requirements under Article 3(3)(d), (e), and (f) of the RED, which relate to:
Protection from harm to the network
Protection of personal data and privacy
Protection from fraud
These requirements became applicable from 1 August 2025 to certain categories of radio equipment.
Why the Regulation Is Being Repealed
On 23 October 2024, the European Parliament and Council adopted the Cyber Resilience Act (Regulation (EU) 2024/2847).
The CRA establishes horizontal cybersecurity requirements for “products with digital elements.” According to the Commission’s explanatory memorandum, the essential cybersecurity requirements in Annex I of the CRA include all elements previously covered under Article 3(3)(d), (e), and (f) of the RED.
To avoid regulatory duplication and ensure legal certainty, the Commission determined that Delegated Regulation (EU) 2022/30 must be repealed once the CRA becomes fully applicable.
Key Dates and Transitional Period
| Date | Regulatory Position |
|---|---|
| 1 August 2025 | Red cybersecurity requirements under Delegated Regulation (EU) 2022/30 apply to certain radio equipment |
| 10 December 2027 | Last day RED cybersecurity delegated requirements remain applicable |
| 11 December 2027 | Delegated Regulation (EU) 2022/30 repealed; CRA becomes fully applicable |
Importantly, the repeal does not affect market surveillance and control for radio equipment placed on the Union market between 1 August 2025 and 10 December 2027. During that window, compliance with the RED cybersecurity requirements remains enforceable.
What This Means for Manufacturers
Until 10 December 2027, manufacturers of in-scope radio equipment must continue complying with the cybersecurity-related essential requirements under the RED as implemented by Delegated Regulation (EU) 2022/30.
From 11 December 2027 onward, cybersecurity compliance will transition fully to the Cyber Resilience Act framework for products with digital elements.
This regulatory change is designed to:
Prevent overlapping cybersecurity obligations under RED and CRA
Improve legal clarity for manufacturers and market surveillance authorities
Consolidate EU cybersecurity requirements under a single horizontal framework
For more information, access the official European Commission’s page about this initiative below.
How C-PRAV Can Help
At C-PRAV, we support manufacturers in navigating EU regulatory transitions, including compliance under the Radio Equipment Directive (RED) and the upcoming Cyber Resilience Act (CRA). Our services include regulatory gap assessments, conformity strategy planning, technical documentation support, and coordination with EU Notified Bodies and testing laboratories to ensure continued market access.
For further clarification on this update and how it may affect your product portfolio, please contact our team.