At the last REDCA meeting this May in Brussels, a representative of the EU Commission verbally stated that the deadline for compliance with the cybersecurity requirements from the Delegated Regulation (EU) 2022/30 will be postponed by 12 months.
This means that only from 01.08.2025 the requirements for cybersecurity of radio products have to be complied with. This applies to all radio products that can be directly or indirectly connected to the Internet. One reason for the postponement is that the required CENELEC standards are delayed by nine months. This means that it is not until mid-2024 that CENELEC is expected to have completed the three cybersecurity standards for the Radio Equipment Directive (RED) 2014/53/EU. A look at the CEN/CLC/JTC 13/WG8 Technical Committee (Cybersecurity and Data Protection) is warranted. The amendment to Delegated Regulation (EU) 2022/30 is to be published in the EU Official Journal by the end of 2023.
Work is to continue on the standards under the RED mandate, even though the Commission is aware that the Cyber Resiliance Act (CRA) is expected to replace the Radio Equipment Directive Delegated Regulation. There is no desire to wait for the CRA to be adopted. The CENELEC standards will then be listed directly under the CRA.
It is already clear that the standards will not cover all radio products. Currently excluded are:
- Smart meters, because national market
- 5G networking equipment, because the standards are created by ETSI
- eIDAS (identification systems), because these are covered by other directives
If you have any questions or need to talk about this topic, our team of experts will be happy to help. Write to us!