24 Jun 2025

Future-Proof your Products by Bridging RED and the Cyber Resilience Act

While RED compliance is a crucial step, it’s just the beginning of a broader regulatory shift. The Cyber Resilience Act (CRA), with incident reporting requirements taking effect in 2026 and the requirements fully enforced in 2027, will impose even stricter cybersecurity requirements. Manufacturers who align with both RED and CRA now will gain a competitive advantage, reducing future compliance costs and avoiding rushed last-minute adjustments.

RED vs. CRA: What’s the Difference?

While RED focuses on cybersecurity requirements for radio equipment, CRA extends to all connected products, regardless of radio functionality. Additionally, CRA introduces:

  • Stronger Software Supply Chain Requirements: Manufacturers must provide a Software Bill of Materials (SBOM) to improve transparency.
  • Incident Response Obligations: Companies must report exploited vulnerabilities within 24 hours.
  • Lifelong Security Maintenance Expectations: CRA mandates that manufacturers provide security support throughout a product’s expected lifespan, though it does not specify a minimum support period.

How to Prepare for CRA Now

  • Implement SBOM Management
    The CRA will require manufacturers to maintain an SBOM, documenting every software component in their devices. Using standardized formats like SPDX or CycloneDX can help streamline compliance.
  • Strengthen Security Testing Practices
    Since CRA builds on RED’s security requirements, manufacturers should integrate penetration testing and risk assessments into their regular development cycles rather than treating them as one-time checks.
  • Train Teams on CRA Reporting Rules
    CRA mandates a 24-hour reporting time for serious incidents and actively exploited vulnerabilities. Manufacturers should establish internal workflows to detect, assess, and report security breaches efficiently.

Final Thought

Preparing for CRA while meeting RED compliance ensures long-term regulatory success. Early adoption of CRA principles will future-proof cybersecurity strategies and minimize disruptions.

Joakim Mark

Technical Manager

Joakim Mark joined Intertek in 2021 as the Technical Manager for the Common Criteria Lab in Kista, Sweden, progressively expanding his role as lab manager and member of the IoT cybersecurity team there. Overall, Joakim brings more than 30 years of IT industry experience spanning both technical and strategic roles.
