With cybersecurity becoming a top priority for the EU, the Cyber Resilience Act (Regulation 2024/2847) and Delegated Regulation 2022/30 are pivotal regulations shaping the future of digital security. Both aim to enhance the cybersecurity framework for IoT devices, software, and hardware, but they differ in scope, focus, and timelines.
Understanding these differences and preparing for compliance is essential for manufacturers, importers, and distributors (collectively, economic operators) of digital products across the EU.
What Is the EU Cyber Resilience Act?
The Cyber Resilience Act (CRA), published on November 21, 2024, introduces horizontal cybersecurity requirements for all products with digital elements, whether directly or indirectly connected to the internet. This regulation ensures that manufacturers integrate cybersecurity into the product lifecycle, from design to end-of-life.
Key Features of the CRA:
- Comprehensive Scope: Covers all digital products, including IoT devices, embedded software, and hardware components.
- Lifecycle Security: Mandates secure design, vulnerability management, and regular updates to address emerging threats.
- Conformity Assessments: Products are classified based on risk (e.g., “important” or “critical”) and subject to stricter assessments for higher-risk categories.
- CE Marking: All compliant products must display the CE marking to access the EU market.
- Compliance: The regulation applies from December 11, 2027.* (However, Article 14 applies from 11 September 2026, and Chapter IV (Articles 35 to 51) applies from 11 June 2026.)
What Is Delegated Regulation 2022/30?
Delegated Regulation 2022/30, which amends the Radio Equipment Directive (RED 2014/53/EU), is a targeted regulation focusing on internet-connected devices. Effective from August 1, 2025, it ensures that IoT products comply with cybersecurity requirements for:
- Network security (Article 3.3(d)).
- Data privacy (Article 3.3(e)).
- Fraud prevention (Article 3.3(f)).
Key Features of Delegated Regulation 2022/30:
- Sector-Specific: Targets IoT devices such as smart home products, wearables, and connected appliances.
- Interoperability Standards: Ensures devices meet network and privacy standards.
- Immediate Application: Requires manufacturers to comply two years earlier than the CRA.
Key Differences Between the CRA and Delegated Regulation 2022/30
| Aspect | Cyber Resilience Act (CRA) | Delegated Regulation 2022/30 |
|---|---|---|
| Legal Form | Regulation (directly applicable across the EU) | Delegated Regulation |
| Scope | All products with digital elements | Internet-connected devices under RED |
| Focus | Lifecycle cybersecurity management | Network security, privacy, and fraud prevention |
| Timeline | Fully applicable from December 11, 2027* | Effective August 1, 2025 |
| CE Marking Requirements | Mandatory for all digital products | Extends RED compliance to IoT devices |
| Lifecycle Coverage | Comprehensive, from design to decommissioning | Focused on device security during operation |
Preparing for Compliance: Best Practices
- Understand Applicability: Determine if your product falls under Delegated Regulation 2022/30, the CRA, or both.
- Integrate Secure Design: Implement secure-by-design principles, including encryption, secure updates, and risk management.
- Document Compliance: Prepare detailed technical documentation to meet conformity assessment requirements.
- Adopt (Non-)Harmonized Standards: Leverage EU-approved standards to simplify compliance with both regulations.
- Monitor Regulatory Updates: Stay informed about regulatory changes and updates to harmonized standards.
FAQ: Your Questions Answered
1. What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (Regulation 2024/2847) is an EU regulation requiring all products with digital elements to meet horizontal cybersecurity requirements. It emphasizes secure design, vulnerability management, and CE marking compliance to protect consumers and businesses.
2. What is Delegated Regulation 2022/30?
Delegated Regulation 2022/30 amends the Radio Equipment Directive (RED) and targets internet-connected devices. It ensures network security, data protection, and fraud prevention for IoT devices like smart home products and wearables.
3. How do the CRA and Delegated Regulation 2022/30 differ?
The CRA applies to all digital products, while Delegated Regulation 2022/30 focuses on IoT devices connected to the internet. Additionally, the CRA enforces lifecycle security, whereas Delegated Regulation 2022/30 prioritizes immediate network and data protection.
4. What products are covered under the CRA?
The CRA covers all products with digital elements, including hardware, software, IoT devices, and embedded systems, whether directly connected to the internet or not.
5. When do these regulations take effect?
Delegated Regulation 2022/30 will be enforceable starting August 1, 2025, while the Cyber Resilience Act becomes fully applicable on December 11, 2027.
6. What is CE marking, and how does it relate to these regulations?
CE marking indicates compliance with EU regulations, including the CRA and Delegated Regulation 2022/30. It ensures that products meet safety, health, and environmental standards required for sale in the EU.
7. How can manufacturers prepare for the Cyber Resilience Act?
Manufacturers should:
- Integrate cybersecurity into product design.
- Document compliance with technical specifications.
- Conduct vulnerability assessments and ensure regular software updates.
8. Are open-source products covered under these regulations?
The CRA applies to open-source software only if it is monetized or integrated into commercial products. Delegated Regulation 2022/30 covers any internet-connected device regardless of software origin.
9. What are the penalties for non-compliance?
Non-compliance with either regulation can lead to product recalls, market restrictions, fines, and reputational damage. It’s crucial to align with these requirements to avoid disruptions.
How IoT Consulting Partners Can Help
At IoT Consulting Partners, we specialize in guiding manufacturers through the complexities of EU IoT regulatory compliance and cybersecurity regulations. Whether preparing for the immediate requirements of Delegated Regulation 2022/30 or the comprehensive scope of the Cyber Resilience Act, our experts provide tailored solutions to:
- Achieve CE marking compliance.
- Simplify conformity assessments.
- Align with the applicable (non-)harmonized standards.
Final Thoughts
The Cyber Resilience Act and Delegated Regulation 2022/30 are transformative steps in the EU’s cybersecurity framework. Together, they aim to safeguard the digital ecosystem by ensuring that products are secure from design to disposal.
With compliance deadlines approaching, early preparation is key. Start aligning your products today to avoid market disruptions and penalties.
Need assistance? Contact us to ensure your products meet the latest EU cybersecurity standards. Visit our blog for more insights and updates.