
The End of Delegated Regulation (EU) 2022/30: What Manufacturers Must Know Before December 2027

The EU will replace its current cybersecurity framework for radio equipment with the Cyber Resilience Act by December 2027. This shifts compliance from one-time certification to ongoing lifecycle security. Manufacturers must adapt to stricter requirements like continuous risk management and long-term updates, making early preparation essential.
Published on
March 19, 2026

Over the past years, the Delegated Regulation (EU) 2022/30 has played a central role in shaping the cybersecurity obligations for radio equipment placed on the European market. Together with the Radio Equipment Directive 2014/53/EU (RED) and the harmonized EN 18031 standards, it formed the technical backbone of compliance for connected, radio-equipped devices.

However, with the Cyber Resilience Act (CRA) taking full effect from 11th December 2027, the Delegated Regulation (EU) 2022/30 will be withdrawn, marking a fundamental change in the compliance landscape for such products.

Today's cybersecurity regime for connected radio-equipped products is based on the following rules:

  • RED, the regulatory framework for conformity of radio equipment
  • Delegated Regulation (EU) 2022/30, supplementing Directive 2014/53/EU for certain cybersecurity aspects
  • The EN 18031 series of standards, with presumption of conformity to Directive 2014/53/EU Article 3(3)(d)-(f) (with some restrictions)

This compliance regime, with its reliance on the harmonized EN 18031 series of standards, forms a familiar CE pathway for declaring conformity with the legal requirements for cybersecurity, focusing on safeguards for network protection, protection of personal data, and fraud prevention.

What will change after 11th December 2027?

The RED will remain applicable, but the Cyber Resilience Act (CRA) will fully replace (EU) 2022/30. The European Commission published the final version of the Delegated Regulation repealing Delegated Regulation (EU) 2022/30 on 16th February 2026. Publication in the Official Journal of the European Union (OJEU) will follow shortly.

With the repeal of (EU) 2022/30, the EN 18031 series of standards will also lose the presumption of conformity upon removal from the Official Journal of the European Union. Though the standards may remain harmonized and useful, they will no longer guarantee compliance with the RED.

However, the EN 40000 series of standards, as horizontal standards for all categories of products with digital elements, will incorporate the EN 18031 series of standards, which is applicable “only” to radio equipment. The aim of the EN 40000 series of standards is to structure and clarify the requirements formulated in the CRA and to create a uniform reference framework for interpreting the CRA requirements, particularly regarding risk assessment and security principles.

What does this mean for the daily work of manufacturers?

A fundamentally more comprehensive, lifecycle‑oriented compliance framework needs to be implemented, including:

  • Mandatory cybersecurity risk assessments
  • Secure-by-design and secure-by-default requirements
  • Obligations for continuous vulnerability handling
  • Mandatory free security updates – until min. 5 years after EOL
  • 24‑hour reporting of actively exploited vulnerabilities
  • Long-term storage requirements for documentation with 10 years retention, not just pre‑market technical evidence

This shift moves compliance from a “test at launch” perspective to a “maintain security throughout the lifecycle” mindset. Whether it is a stationary industrial or residential energy storage system, an EV charging station, a battery management system, or any other product with digital elements and remote data processing: under the CRA, even products not categorized as radio equipment need to prove that sufficient protection against cybersecurity threats has been achieved. Risk analysis, robust architecture and compelling documentation all contribute to sufficient risk mitigation in the development cycle.

What can you do to be prepared?

  • Conduct a RED → CRA gap assessment to identify which parts of today’s compliance remain valid and where the CRA introduces new obligations.
  • Update the product development processes where needed, since embedding cybersecurity early avoids costly redesigns later.
  • Build or update CRA‑compliant technical documentation, including cybersecurity risk assessments, secure‑by‑design evidence, update strategies, and vulnerability handling plans.
  • Prepare conformity assessment and CE updates, especially for products that may be categorised as important or critical under the CRA.
  • Integrate post‑market duties such as incident management, reporting obligations and software updates into organisational processes, to be ready to respond quickly to vulnerabilities and incidents.
  • Bear in mind from the outset that cybersecurity-related updates must be provided and distributed long after a product has been discontinued.

Acting early will secure you a smoother conformity assessment process, help you avoid redesign costs, and give you a stronger market position in a cybersecurity-driven regulatory environment.

Final Thoughts

If you are developing connected products for the EU market and want to understand what CRA readiness means for your organization, feel free to reach out – or leave a comment below. We work closely with your development teams to stay one step ahead and compliant with standards under development, and to translate the regulatory obligations into practical, efficient engineering processes.

CONTACT THE EXPERT

Jochen Theil
Business Area Lead Validation
j.theil@pem-motion.com