The RED cyber DA is repealed: the CRA takes over on 11 December 2027

Why this delegated regulation was anticipated

Since the RED cybersecurity requirements entered into force on 1 August 2025, radio equipment manufacturers subject to Delegated Regulation (EU) 2022/30 have faced an unanswered question: from 11 December 2027, the date of full CRA application, would they simultaneously be required to comply with RED Article 3(3)(d)(e)(f) requirements and the CRA Annex I requirements? The two sets of rules partly cover the same ground: network protection, data protection, anti-fraud on the RED side; horizontal cybersecurity on the CRA side.

Commission Delegated Regulation (EU) 2026/339, adopted on 16 February 2026 and published in the Official Journal on 29 April 2026, provides the answer. DA 2022/30 is repealed with effect 11 December 2027. There will be no regulatory double-obligation.

What Delegated Regulation 2026/339 does

Article 1 of Regulation 2026/339 is remarkably concise: "Delegated Regulation (EU) 2022/30 is repealed with effect from 11 December 2027." Article 2 states that the regulation itself enters into force twenty days after its publication (i.e., 19 May 2026) but that the repeal only takes effect on the date of full CRA application.

Recital 4 of Regulation 2026/339 explains the logic: "in order to ensure legal certainty and to prevent radio equipment covered by Delegated Regulation (EU) 2022/30 from being simultaneously subject to requirements also concerning cybersecurity laid down in Regulation (EU) 2024/2847, it is necessary to repeal Delegated Regulation (EU) 2022/30 with effect from the date on which Regulation (EU) 2024/2847 fully applies." The Commission explicitly confirms that the essential requirements of CRA Annex I cover the entirety of the requirements of RED Article 3(3)(d), (e) and (f).

Recital 5 addresses products already placed on the market during the August 2025 – December 2027 window: the repeal "does not affect the Union market surveillance and control, under Directive 2014/53/EU, of the compliance of radio equipment" placed on the market during that period. Radio equipment placed on the market in October 2026 remains subject to RED requirements for any post-repeal market surveillance action. ANFR retains competence for those controls.

What this means concretely for manufacturers mid-way through EN 18031 compliance

For a manufacturer of radio alarm systems, IoT gateways, or home automation equipment that has been working on EN 18031 compliance since 1 August 2025: that project remains valid, required, and must be completed. The EN 18031-1, EN 18031-2 and EN 18031-3 standards are the harmonised standards for RED Article 3(3)(d)(e)(f) requirements. They cover respectively network protection (EN 18031-1), protection of personal data and privacy (EN 18031-2), and anti-fraud protection (EN 18031-3). Until 10 December 2027 inclusive, this is the framework applicable to radio products covered by DA 2022/30.

From 11 December 2027, the CRA applies in full. Connected radio products falling within the CRA's scope, essentially all equipment subject to DA 2022/30, must satisfy CRA Annex I requirements. DA 2022/30 is no longer the applicable framework for products placed on the market from that date.

There is no additional transition period. No double marking. No dual technical file. The cutover is clean.

What the repeal does not resolve: the CRA delta

The repeal of DA 2022/30 resolves the overlap between the two regimes. It does not resolve the delta between what EN 18031 covers and what the CRA requires.

EN 18031 standards cover RED requirements (d)(e)(f): network protection, confidentiality, anti-fraud. These are design requirements, what the product must do at the time of market placement. The CRA requires all of this and, in addition, lifecycle obligations that EN 18031 does not cover:

• Post-market vulnerability management (CRA Article 14 and Annex I Part II): identifying, analysing, notifying and remediating vulnerabilities throughout the support period. Complete EN 18031 compliance gives no capacity for the 24-hour notification required by Article 14 if the internal infrastructure has not been built in parallel;
• SBOM (CRA Annex VII §3f): structured inventory of the product's software components, in a format usable for EUVD monitoring;
• CVD policy (CRA Annex I Part II point 1): public vulnerability reporting channel, operational before market placement;
• Documented support period (CRA Article 13(8)): a public and formal commitment to the duration during which the manufacturer will address security patches.

A manufacturer that has completed EN 18031 compliance has accomplished a substantial part of the technical work required by the CRA for design requirements. What remains is building the lifecycle dimension, and that is the aspect representing the deepest organisational change for most radio equipment manufacturers.

Sequencing the transition

The August 2025 – December 2027 window is an opportunity to build, not merely a RED compliance period.

Manufacturers with ongoing EN 18031 projects must complete them, that is the immediate obligation, and it is the foundation of the CRA technical file for design requirements. The effective strategy is to layer CRA-specific work onto the ongoing EN 18031 project rather than deferring it to 2027: SBOM design in parallel with EN 18031 risk analysis, CVD policy drafting during the validation phase, PSIRT coordinator designation and training before EN 18031 file finalisation.

Manufacturers whose products are not within DA 2022/30's scope but fall within the CRA's scope, some connected industrial equipment, some non-radio IoT products, do not benefit from this continuity. For them, the CRA is a starting point without a direct regulatory predecessor. EN 18031 standards can serve as a technical reference for design requirements, even without a RED legal obligation.

What remains unchanged: ANFR as the competent authority for both regimes

The repeal of DA 2022/30 does not change the allocation of competences. ANFR has been the market surveillance authority for the RED directive since its inception. It will be the surveillance authority for the CRA under French law, by virtue of Article 32 of the DDADUE bill, whose entry into force for the mission is set for 11 September 2026.

For a manufacturer of connected radio products, the same administrative counterparty manages RED controls since August 2025 and will manage CRA controls from September 2026 onwards. Continuity of the counterparty also means continuity of method: ANFR will apply the same investigative logic (technical file, maturity assessment, Article 14 as a trigger) across both regimes.

Products placed on the market between 1 August 2025 and 10 December 2027 remain subject to RED cyber requirements for any market surveillance action, even after CRA enters into force. ANFR retains competence for those controls under the RED directive.