RED and CRA Regulations – What they mean for connected products security

New EU cybersecurity regulations are changing requirements for connected products. In this newsletter, Razvan Venter and Raluca Viziteu break down the impact of the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA) on manufacturers, distributors, and integrators. They outline key compliance steps, challenges, and links to broader regulations like NIS2. Whether your company is just starting or refining its approach, their guide will help you prepare.

Many thanks also to Jasper N. and Anna Prudnikova for their contribution to this article.

Major shift in security

Our view: Early movers on CRA will define the future of connected products in Europe. Companies that act now won’t just be compliant—they’ll set the benchmark. CRA is not just another set of requirements. It introduces a shift in how security is approached across the product lifecycle. Those who are ahead of the curve will become the trusted vendors of tomorrow.

If you’re reading this, chances are RED and CRA regulations are already on your radar. Over the past year, these regulations have been widely discussed at industry events and community meetings. But with deadlines approaching, have companies truly grasped the impact on their daily operations?

For product manufacturers, compliance is not just about meeting deadlines. It requires new ways of working—integrating cybersecurity into product development, conducting risk assessments, and working with third parties to validate security. For years, the IoT industry prioritized performance over security, viewing cybersecurity as optional. Now, that mindset must change.

This transition may feel overwhelming, but there is still time to act. Companies that start now will be better positioned to meet the requirements.

Key steps for RED compliance

If Article 3.3 of the Radio Equipment Directive (RED) is news to you, you may have been off the grid. But if you're manufacturing, importing, or selling radio equipment, compliance is required this year.

Secura and Bureau Veritas have worked with industry leaders on risk analysis and testing. Based on this experience, here are two key insights:

  1. Transparency is crucial. Understanding the compliance process early prevents unexpected obstacles.
  2. Selecting the right standard is critical. A well-chosen approach to RED 3.3 compliance can also serve as a foundation for CRA compliance, reducing future workload.


What to expect from the CRA

The Cyber Resilience Act (CRA) will introduce security requirements for products with digital components. The shift from reactive to proactive security is one of the biggest challenges for manufacturers, distributors, and integrators. Unlike previous regulations, the CRA assigns clear responsibilities, requires vulnerability management, and mandates long-term security support.

The biggest hurdle? The conformity assessment process. While some products will only require self-assessment, critical products will undergo third-party evaluation. The complexity and potential delays in approval may catch businesses off guard. Distributors and integrators will also need to verify compliance across their supply chains.

Companies that act early will gain an advantage. Those who invest in secure development, vulnerability management, and clear documentation will not only meet compliance requirements but also build market trust. Delays could mean fines of up to €15 million or 2.5% of global revenue, loss of market access, and reputational risks.

How CRA and RED connect to other regulations

For many organizations, compliance will not stop at CRA and RED. The NIS2 Directive also introduces cybersecurity obligations, particularly for those in critical industries.

  • CRA applies to product security, requiring secure development and vulnerability management.
  • NIS2 focuses on broader cybersecurity governance, risk management, and incident response.

Some companies—such as medical device manufacturers, cloud service providers, and automotive firms—will need to comply with both. A unified security approach can help streamline compliance across multiple regulations.

Next steps

Companies should begin with a compliance gap assessment, align security practices with CRA and RED requirements, and integrate these obligations into broader governance frameworks.

At Secura, we work with organizations at different stages of compliance. Whether you are just getting started or refining your approach, our expertise helps companies meet regulatory expectations while strengthening security foundations.

Getting ahead of these regulations isn’t just about meeting legal obligations—it’s about seizing an opportunity. The companies that move first will shape the market, earn customer trust, and build stronger positions in an increasingly regulated landscape. The time to prepare is now. Waiting is not an option.

What do you think?

Do you feel that RED 3.3 and the CRA represent a shift in connected product security? Please leave a comment in the section below.


Want to know more? Watch our RED 3.3 webinar

About the authors

Razvan Venter is the Director of Product Security at Secura / Bureau Veritas Group, where he advises clients on product cybersecurity, conformity assessments, and EU regulatory compliance. He has a strong background in embedded systems and secure development and supports companies in bringing secure, compliant products to market.

Raluca Viziteu is a Security Consultant at Secura / Bureau Veritas Group. She specializes in regulatory strategy and product compliance and guides clients through the landscape of EU cybersecurity legislation, including the Cyber Resilience Act and Radio Equipment Directive.


Subscribe now

The cybersecurity world is changing. Subscribe to Cyber Vision to learn more about the changing nature of cybersecurity, and the future of cyber resilience. Or check out our latest news at Secura.com.
