Both EU regulations, the Radio Equipment Directive Delegated Act (RED DA) and the Cyber Resilience Act (CRA), address digital product security. While their goals seem to be the same at first glance, they are fundamentally different in scope and focus.
The RED DA addresses the security of radio equipment with radio interfaces that can communicate with the Internet. The focus of the RED DA is to protect networks (Article 3.3 d), personal data (Article 3.3 e) and financial data or transactions (Article 3.3 f). The priority here is not even product security as such, but ensuring that the product has the capabilities needed to safeguard networks, user data and financial data or transactions.
The CRA supersedes the RED DA and targets all products that have programmable components or connectivity capabilities, including hardware and software, regardless of whether they can connect to the Internet or not. For the CRA, this also includes “remote data processing”: functionality at a distance for which the software is designed and developed by the manufacturer, or under the manufacturer’s responsibility, and the absence of which would prevent the product from performing one of its functions. The focus of the CRA is to ensure that products placed on the EU market are secure and maintain their security over their lifetime. The security risk assessment, combined with appropriate processes, is selected as the main tool to achieve that.
Assets
Another aspect that differs between the RED DA and the CRA is which asset classes are required to be protected. The RED DA requires protection of specific asset classes that closely reflect all three articles (Article 3.3 d, e and f) that the RED DA activated:
- Security assets
- Network assets
- Privacy assets
- Financial assets
In contrast to the RED DA, the CRA requires protection of any asset that, when compromised, may introduce a risk that cannot be tolerated and has to be mitigated. Therefore, identification of all product-related assets and execution of the security risk assessment for each of the identified assets is required.
Processes
Another fundamental difference between the RED DA and the CRA is that the RED DA does not set any process-related requirements. The RED DA only specifies capabilities that a product is required to have at the time of placement on the EU market.
In contrast, the CRA extends the manufacturer's responsibility to the entire product life cycle. The focus of the CRA is on processes that ensure that the security risk assessment of the product and the mitigation of identified risks are performed on a regular basis over the product lifetime.
Product assessment and compliance
The harmonized standards such as EN 18031-1/2/3 allow, with some exceptions, for self-declaration under the RED DA.
The CRA may require more rigorous assessment depending on the product’s classification. Important or critical products listed by the CRA may require third-party assessment by an accredited test lab (Notified Body).
Manufacturers that have already performed the product assessment for the RED DA are expected to extend the scope of their assessment to cover all obligations of manufacturers defined by the CRA, including not only product security and capabilities but also process-related requirements.
The timeline
The RED DA is enforced from 1st of August 2025 but is already expected to be repealed on the day the CRA is enforced, which is 10th of December 2027.