On 1 August 2025, the cybersecurity requirements of the Radio Equipment Directive (RED) came into force across the EU.

From that date, any internet-connected product had to demonstrate compliance before entering the market.

But even with the deadline behind us, uncertainty remains. Many manufacturers are still unsure whether their products fall within scope, how to demonstrate compliance, or what standards apply.

This confusion isn’t just a RED issue — it’s a signal of what’s to come under the Cyber Resilience Act (CRA).

RED was just the beginning

The RED Delegated Act introduced mandatory protections in three key areas:

– Safeguarding networks (Article 3.3(d))

– Protecting personal data and privacy (Article 3.3(e))

– Preventing financial fraud (Article 3.3(f))

In practice, this meant that any product with direct or indirect internet connectivity (via Wi-Fi, Bluetooth, Zigbee, or similar) could be in scope.

From smart home devices to connected toys and wearables, the breadth of application caught many manufacturers off guard.

But CRA goes further. It doesn’t just apply to products — it applies to processes.

That means software development, supply chain security, vulnerability handling, applications, cloud services, and lifecycle management will all come under scrutiny.

What RED taught us — and what CRA demands

Lesson 1: Clarity is critical

RED showed us that manufacturers need clear guidance on scope, standards, and documentation. CRA will expand this need, requiring even more transparency and traceability across the product lifecycle.

Lesson 2: Compliance is continuous

RED compliance didn’t end at launch. Software updates, feature changes, and evolving threats required ongoing monitoring. CRA formalises this with mandatory vulnerability handling processes and incident reporting.

Lesson 3: Testing must evolve

Traditional point-in-time testing won’t be enough. CRA demands built-in security, meaning testing must be integrated into development pipelines. Automation, repeatability, and real-time monitoring will be essential.

How SafeShark is responding

At SafeShark, we’re already adapting our testing approach to meet CRA’s demands:

– Automated compliance tooling to support continuous assurance

– Intercept platform for post-deployment monitoring

– End-to-end support from scoping to certification, including Notified Body coordination

We’re also actively involved in standards development through ETSI and CEN/CENELEC, giving us early insight into CRA’s evolving requirements.

The way forward

RED compliance was a wake-up call. CRA is the next chapter, and it will require a shift in mindset across the industry. Compliance can no longer be a box-ticking exercise at the end of development; it must be built in, automated, and maintained.

If you’re still navigating RED, now is the time to start preparing for CRA. SafeShark is here to guide you through both — with clarity, confidence, and future-proof solutions.