The repeal of Regulation 2022/30 marks the transition from the RED Delegated Act to the CRA. The RED Delegated Act remains applicable until 11 December 2027.
The European Commission adopted Delegated Regulation (EU) 2026/339 on 16 February 2026, which repeals the delegated regulation related to the Radio Equipment Directive (RED DA). The regulation was published in the Official Journal of the European Union on 29 April 2026. It enters into force on the twentieth day after publication, but the repeal itself only takes effect on 11 December 2027.
This establishes an orderly transition from the RED DA requirements to the Cyber Resilience Act (CRA). Until 10 December 2027 the RED Delegated Act remains fully applicable; from 11 December 2027 it will be replaced without a gap by the CRA.
Why the Commission repeals the RED Delegated Act
The reason is regulatory consistency. Recital 3 of the repeal regulation states that the fundamental cybersecurity requirements set out in Annex I of the Cyber Resilience Act cover all elements of the essential requirements referred to in Article 3(3)(d), (e) and (f) of the RED. Simultaneous application of both frameworks would address the same protection objectives twice but via different assessment routes, harmonized standards and conformity assessment procedures.
Recital 4 makes the consequence explicit: to ensure legal certainty and avoid double regulation, the RED Delegated Act is repealed as of the date on which the CRA applies in full.
What applies until 11 December 2027
During the transition period the RED Delegated Act remains fully applicable. Manufacturers of radio equipment falling within the scope of Regulation 2022/30 must continue to meet the three protection objectives in Article 3(3) of the Radio Equipment Directive:
- letter d: protection against harmful effects on the network or network services
- letter e: protection of personal data and the privacy of users and subscribers
- letter f: protection against fraud
The harmonized standard series EN 18031 (parts -1, -2, -3) operationalizes these objectives technically and has provided the presumption of conformity since its application date of 1 August 2025. Manufacturers placing products on the market before 11 December 2027 will continue to assess and document against that route.
Recital 5 is important: the repeal does not affect market surveillance and conformity checks for radio equipment that was placed on the market between 1 August 2025 and 10 December 2027. For that stock, RED requirements therefore continue to serve as the benchmark for market surveillance measures even after 11 December 2027.
What applies from 11 December 2027
From 11 December 2027, when the CRA applies in full, Annex I of the Cyber Resilience Act and the related annexes on vulnerability handling will govern the cybersecurity of radio equipment with digital elements. The central assessment dimensions (network protection, data protection, fraud protection) remain conceptually intact but are embedded in the broader CRA requirement set, which additionally covers topics such as secure default settings, update mechanisms, SBOM, vulnerability management and reporting obligations.
Technical operationalization is taken over by the forthcoming horizontal standard series EN 40000. In particular, EN 40000-1-4 addresses the cybersecurity requirements that previously fell under the RED Delegated Act and EN 18031. Manufacturers of radio equipment with digital elements will thus move to a standards path that conceptually builds on the existing EN 18031 structures but is embedded in the CRA conformity assessment regime.
Implications for manufacturers
For manufacturers already working toward EN 18031 compliance today, the repeal regulation is not a reason to stop the ongoing project. Until December 2027 EN 18031 is the only harmonized route, and products placed on the market in this phase must use it. At the same time, a forward-looking view is advisable: the structures, artifacts and processes developed for an EN 18031 assessment are largely reusable under EN 40000-1-4.
Concretely, consider an NB‑IoT sensor with cloud connectivity used in facility management. Today it is placed on the market under RED and meets protection objectives d, e and f by assessment against EN 18031-1 and EN 18031-2. If the same sensor is placed on the market again or remains on the market unchanged from 11 December 2027 onwards, it will fall within the scope of the CRA and the applicable cybersecurity requirements from Annex I must be demonstrated, for example by EN 40000-1-4. For existing products there is no automatic carry‑over of conformity assessment; the ordinary CRA transitional provisions apply.
From a product strategy perspective this means: investments in vulnerability processes, cryptographic concepts, authentication logic and secure defaults made for EN 18031 are not lost — they will transition under the CRA and find their place within a broader set of requirements.