CRA and RED are two EU regulations on cybersecurity with different focuses. Learn how manufacturers should handle them.
The CRA, with its broad scope, covers products with digital elements and aims to ensure a high level of cybersecurity. In contrast, the RED together with its Delegated Act focuses on internet-connected devices, with a specific emphasis on security requirements. Although both target product cybersecurity, their overlap is not complete. For example, requirements 3.3 d and e of the RED are covered by the CRA, while requirement 3.3 f, protection against fraud, remains outside the CRA's scope.
This partial overlap raises the question of how manufacturers should navigate this landscape, especially during the transition periods when there will likely be some degree of choice between the regulations. What may at first glance look like an opportunity for strategic flexibility carries the risk of a later regulatory dilemma.
The recommendation is therefore clear and direct: manufacturers should engage intensively with the CRA now. Its requirements go beyond those of the RED and thus provide a more robust foundation for future-proofing products. Where compliance with the RED is unavoidable, it makes sense to carefully analyse the overlaps between the two regulations. The aim is to avoid costly rework or adjustments later and instead promote considered, forward-looking product development.
In this complex regulatory environment it is crucial not only to follow the letter of the law but also to understand the spirit behind it. The cybersecurity landscape is dynamic and calls for an equally dynamic approach to product development. By engaging early with the CRA and carefully analysing the overlaps with the RED, manufacturers can not only overcome regulatory hurdles but also make their products safer in an increasingly connected world.