Cyber Resilience Act Consolidates Radio Equipment Cybersecurity Rules

Binding ActsRegulations

Published:

Reading time: 1 min.

The 2022 delegated regulation that first imposed cybersecurity requirements on connected radio equipment is repealed with effect from 11 December 2027, right when the Cyber Resilience Act enters full application. From that date, the CRA is the single governing framework for connected device security.

The Commission published Delegated Regulation (EU) 2026/339 on 29 April 2026, formally repealing Delegated Regulation (EU) 2022/30, which first imposed Cyber Resilience Act-aligned radio equipment cybersecurity requirements on connected devices, with effect from 11 December 2027. That is the same day the Cyber Resilience Act itself enters full application. The repeal enters into force on the twentieth day following publication.

Delegated Regulation (EU) 2022/30 was adopted in October 2021 and applied from 1 August 2025, extending three cybersecurity essential requirements from the Radio Equipment Directive 2014/53/EU to smartphones, tablets, connected wearables, and similar devices. The three requirements covered network protection, data and privacy protection, and fraud prevention; and was the EU’s first product-specific cybersecurity mandate through delegated legislation.

The Cyber Resilience Act (Regulation (EU) 2024/2847) establishes a horizontal cybersecurity framework for all products with digital elements. Its requirements cover the same ground as the three 2022 radio equipment rules, and then some. From December 2027, any device covered by Delegated Regulation (EU) 2022/30 also falls under the CRA.

Running both frameworks simultaneously would create dual compliance obligations covering identical cybersecurity properties, with potentially divergent conformity assessment procedures. The Commission’s decision to repeal 2022/30 eliminates this overlap, leaving a single framework, with just one set of requirements, and one conformity route.

The 2022 rules remain in full force until 10 December 2027. Products placed on the EU market between 1 August 2025 and 10 December 2027 stay subject to those requirements for market surveillance and enforcement purposes, even after the formal repeal. Manufacturers cannot treat the repeal as a retroactive exemption.From 11 December 2027, the Cyber Resilience Act is the single cybersecurity framework for connected radio equipment. Manufacturers currently building CRA compliance programmes can now confirm the architecture with certainty. There is no need to maintain parallel 2022/30 compliance tracks beyond that date. The transition is clean, but the timeline is firm.

Javier Iglesias
Javier Iglesiashttp://theunionreport.eu
Javier Iglesias holds an MA in International Studies and a BA in History, graduating with Honours from the University of Santiago de Compostela, Spain. He has previously worked in Brussels, at the International Office of the CEU Foundation, where he worked parallel to the work of the Union's institutions, most notably parliament. He also worked at the Spanish Embassy in Ankara, where he was involved in regulatory and political monitoring and reporting. He founded The Union Report in January 2026 while preparing for the Spanish diplomatic corps entrance examination, originally as a structured way to build and organise his own knowledge of EU regulatory output. What began as personal study notes has since grown into a publication open to anyone, including students, legal practitioners, or simply citizens trying to make sense of what Brussels actually produces.

Related articles

Recent articles

spot_img