EU and Cybersecurity
What CRA and RED Mean for Your Connected Products
- security
- EU
- compliance
The EU is entering a new era of cybersecurity — and nearly every company building digital or connected products will be affected.
Whether you design industrial sensors, smart appliances, medical devices, payment terminals, wearables, gateways, toys, or city infrastructure, the new Cyber Resilience Act (CRA) and updated Radio Equipment Directive (RED) introduce obligations that will reshape product development for years to come. These frameworks mandate that manufacturers ensure their devices are secure by design, protect user data, and remain resilient throughout their lifecycle.
This guide explains what RED and CRA really mean in practice — and how to prepare without unnecessary complexity.
WHY DO CRA AND RED MATTER?
- Cybersecurity regulation is no longer just an IT topic — it touches architecture, product management, procurement, and maintenance.
- Non-compliant products cannot be placed on the EU market after the transition period.
- Requirements now apply across the entire lifecycle, including devices, software, cloud services, radio interfaces, data handling, update mechanisms, and supply chains.
- Delayed readiness can mean delayed market access — and financial penalties.
EXAMPLES OF PRODUCTS AFFECTED:
- A smart lock using Bluetooth and processing user data → falls under RED Article 3.3(d) and 3.3(e) and is an important product (class I) under the CRA, which lists smart home products with security functionalities, including smart door locks.
- An industrial IoT gateway collecting sensor data and using OTA updates → must meet the CRA lifecycle and vulnerability-handling requirements and, because of its radio interface, RED Article 3.3(d).
- A connected sensor used in manufacturing that also acts as an access-control reader and processes operator data → an important product (class I) under the CRA, which lists authentication and access control readers; a plain proximity sensor with no such security function falls into the default category.
- Payment terminals or devices handling virtual currency → RED Article 3.3(f) applies to their radio equipment, and under the CRA their classification depends on the security components they contain (tamper-resistant microcontrollers and microprocessors are class II; smartcards and secure elements are critical products).
RED: Cybersecurity Becomes Part of Radio Equipment Compliance
The Radio Equipment Directive (RED) is a cornerstone of European Union legislation governing the placement of radio equipment on the EU market. It ensures that devices utilizing the radio spectrum—such as Wi-Fi, Bluetooth, cellular, and RFID—are safe, do not interfere with other equipment, and meet essential EU requirements.
Historically, RED covered health and safety, electromagnetic compatibility, and efficient use of the radio spectrum. Commission Delegated Regulation (EU) 2022/30 activated the cybersecurity-related essential requirements of Article 3.3 for certain categories of radio equipment. After a one-year postponement these requirements apply from August 1, 2025, when the transition period ended and the obligations became mandatory for products placed on the EU market.
The delegated act activates three essential requirements:
- Article 3.3(d): Protection of the network. Radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service.
- Article 3.3(e): Protection of personal data and privacy. Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected.
- Article 3.3(f): Protection from fraud. Radio equipment supports certain features ensuring protection from fraud.
Harmonized standards: the practical path to compliance
To support compliance, the EU has cited three harmonized standards in the Official Journal — effectively the technical “checklists” manufacturers can follow. These standards translate the legal requirements of the articles into technical requirements. When a product conforms to the requirements of a harmonized standard, it is presumed to conform to the corresponding essential requirement of the directive. Note that the OJEU citation of the EN 18031 series carries restrictions: for the clauses covered by those restrictions (for example, where the standard would allow a device to be used without setting a password) the presumption of conformity does not apply, and a notified body must assess those parts.
Each standard corresponds to one of the articles:
- EN 18031-1: Security requirements for internet-connected radio equipment (Article 3.3(d))
- EN 18031-2: Security requirements for equipment processing personal or location data (Article 3.3(e))
- EN 18031-3: Security requirements for equipment enabling monetary or virtual currency transfers (Article 3.3(f))
Depending on the device’s functionality and use case, manufacturers must ensure compliance with one or more of these standards to legally market their products in the EU.
The Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is another pivotal EU regulation aimed at strengthening cybersecurity across digital products. Entering into force on December 10, 2024, the CRA introduces mandatory cybersecurity requirements that will eventually be reflected in the CE marking of products.
Manufacturers are responsible for ensuring cybersecurity throughout the entire lifecycle of their products. A 36-month transition period—ending on December 11, 2027—gives companies time to adapt their design, development, and production processes to CRA requirements. Two obligations apply earlier: the provisions on notified bodies apply after 18 months (from June 11, 2026), and the Article 14 reporting obligations for actively exploited vulnerabilities and severe incidents apply after 21 months (from September 11, 2026).
Key CRA requirements include:
- Products must be free of known exploitable vulnerabilities.
- Secure-by-default configurations must be provided, with reset capabilities.
- Vulnerabilities must be addressable through timely security updates; where applicable, automatic updates must be enabled by default, with a clear opt-out for the user.
- Unauthorized access must be prevented through robust authentication and access control.
- Data confidentiality and integrity must be protected using state-of-the-art encryption and validation mechanisms.
- Only necessary data should be processed (data minimization).
- Essential functions must remain available even after incidents, with resilience against denial-of-service attacks.
- Attack surfaces must be minimized through secure design and development.
- Security-related activity must be monitored and logged, with opt-out options for users.
- Users must be able to permanently and securely remove all data and settings.
CRA also introduces product classification based on cybersecurity risk, and the class determines the conformity assessment route. For example, a password manager or a socially interactive internet-connected toy is an important product of class I (Annex III), which may be self-assessed only if harmonized standards or common specifications are applied in full; a tamper-resistant microprocessor is an important product of class II, which always requires third-party assessment. The regulation also defines critical products as their own class (Annex IV); an example is a smartcard or similar device, including secure elements, for which an EU cybersecurity certification may become mandatory once a scheme is designated.
The Cyber Resilience Act (CRA) excludes certain IT solutions from its scope. These include pure cloud-based SaaS platforms without an associated product (remote data processing is in scope only as part of a product with digital elements), non-commercial open-source software, and products already regulated under sector-specific laws such as medical devices, vehicles, civil aviation, and marine equipment. Products developed exclusively for national security or defense purposes are also exempt, as are identical spare parts. Additionally, legacy products placed on the market before December 11, 2027 remain outside CRA unless substantially modified after that date; however, the Article 14 reporting obligations apply to them as well.
How Your Company Should Prepare
- Determine whether your product falls under RED, CRA, or both
- Identify the correct CRA classification
- Perform a cybersecurity and process gap analysis
- Gain capabilities for threat modeling and carry out cybersecurity risk assessments for the products
- Define roles and responsible personnel in the organization for carrying out the necessary measures in the product and its processes
- Plan how lifecycle security (updates, vulnerability management, data handling) will be implemented
- Document everything — CRA places heavy emphasis on evidence of processes
Understanding your product’s classification is essential for determining the applicable requirements and compliance pathway. We can help you determine your product’s classification.
How Wapice Can Help You Navigate CRA and RED Compliance
As both a software powerhouse and a seasoned hardware design partner, Wapice is uniquely positioned to support companies in meeting the evolving requirements of the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED). These EU regulations are reshaping the landscape for connected devices, demanding robust cybersecurity practices and lifecycle accountability.
Benefits offered by Wapice
Wapice combines deep expertise in embedded systems, secure software development, and custom electronics design. Our multidisciplinary teams understand the full stack—from silicon to cloud—and can help you ensure your products meet the technical and regulatory demands of CRA and RED.
We offer:
- Security Architecture & Assessment Services: Our security specialists conduct thorough assessments of your systems, identifying vulnerabilities and compliance gaps. Whether it’s a web application, embedded device, or cloud infrastructure, we help you align with harmonized standards like EN 18031 and IEC 62443.
- Secure Development Lifecycle (SDLC) Coaching: We guide your teams through secure development practices, ensuring CRA requirements—such as secure-by-default configurations, vulnerability management, and data protection—are embedded throughout the product lifecycle.
- Secure Development Support: A security expert participates in the development work, helping in all steps relevant to security. The security expert can, for example, participate in user story creation, facilitate and support threat modeling workshops, or support security test automation.
- Hardware Design with Compliance in Mind: For products involving radio interfaces or embedded processors, our electronics design team ensures compliance with RED’s cybersecurity provisions. Our areas of expertise include EMC testing and RF certification support, and environmental validation, including ATEX and SIL standards.
- Lifecycle Management & Update Mechanisms: CRA mandates long-term security maintenance. Wapice helps you implement secure update mechanisms, incident response strategies, and data erasure protocols that meet regulatory expectations.
- Consulting & Classification Support: Not sure if your product is class I, class II, or critical under CRA? We help you interpret the regulation, assess your product’s classification, and define the compliance path that fits your business model.
Real-World Impact
Whether you’re developing a smart wearable, an industrial sensor, or a connected control system, Wapice ensures your product is secure, compliant, and future-proof. Our experience across industries—from energy and automation to healthcare and mobility—means we understand the nuances of your domain and can tailor our support accordingly. Security and compliance are not one-time tasks—they’re ongoing commitments. Wapice continuously updates its products and services to reflect the latest standards and threats. With our proactive approach, you can be confident that your solutions will remain compliant and competitive in the EU market.
Don’t believe us? Read the following chapter to see how we tackle RED and CRA with our own IoT-TICKET® Edge product!
Compliance by Design: How IoT-TICKET® Edge meets RED cybersecurity today—and helps you get ready for the CRA
At Wapice, we’ve proactively aligned our IoT-TICKET® Edge SW with the EN 18031-1 standard. This comprehensive IoT edge software solution enables remote monitoring, control, and management, and is designed to integrate seamlessly with IoT-TICKET®, our cloud-based IoT platform. It supports a wide range of system integrations—from legacy protocols to modern standards—and runs on supported gateway devices such as Wapice’s WRM247LTE and Compulab’s IOT-GATE-iMX8.
WRM247LTE is a robust edge device engineered by Wapice for remote management and data acquisition. It features various connectivity technologies such as cellular 4G, WLAN, Ethernet, RS485, and CAN, making it ideal for different industrial IoT applications. Learn more about the WRM247LTE https://wapice.com/products/wrm247.
Security by Design
IoT-TICKET® Edge SW has been developed with cyber security in mind for a long time, especially in terms of secure communication (MQTTS and HTTPS), access control, traffic control, and secure remote OTA updates. To harden the security even more, we have incorporated the following methods and mechanisms to ensure full compliance with the EN 18031-1 requirements:
General Equipment Capabilities (GEC):
- Using latest available Yocto LTS releases for building Linux OS
- Using latest available third party software components
- Performing CVE scans for software builds and patching vulnerabilities in timely manner via OTA updates
- Minimizing exposure of unnecessary interfaces such as JTAG
Confidential Cryptographic Keys (CCK) & Cryptography (CRY):
- Aligning with recommendations for cryptographic keys and hash algorithms
Secure Storage Mechanism (SSM):
- Storing all measurement data, confidential assets, and configurations in on-board encrypted storage
- Taking secure boot into use for ensuring integrity and authenticity of bootloader and kernel
- Taking dm-verity into use for ensuring integrity and authenticity of contents in root filesystem
Access Control & Authentication (ACM & AUM):
- Using uniquely generated factory default passwords which align with best practices in terms of strength and complexity
- Adding mechanism for mitigating brute-force attacks on interfaces which require authentication
Resilience Mechanism (RLM):
- Adding support for distinguishing DoS attack traffic from normal network traffic and blocking it
Network Monitoring Mechanism (NMM):
- Adding support for logging traffic identified as an inter-network DoS attack
These features and enhancements will be rolled out in upcoming software releases via OTA updates during 2025 and 2026, so that devices in the field stay resilient against cyber security threats and attacks in the future.
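The brute-force mitigation item above (ACM & AUM) is the one most often implemented wrongly: throttling only per source address lets an attacker rotate addresses, and running the password hash before the throttle check lets them burn the gateway's CPU. The following is an added example, not IoT-TICKET® Edge code, showing one way to meet that requirement on a Linux gateway: failure counters keyed on both the account and the source address, exponential backoff that becomes a hard lockout after a configurable number of failures, and salted scrypt password hashes compared in constant time. The scrypt parameters, delay values and the `acct:`/`src:` key names are assumptions for illustration; the clock is injectable so the policy can be tested without sleeping.

```python
"""Throttled password authentication for a device management interface.

Added example (not IoT-TICKET Edge code). Combines per-account and per-source
failure counters, exponential backoff, a hard lockout, and constant-time
comparison of salted scrypt hashes.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Assumed cost parameters; tune to the gateway's CPU budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN = 2 ** 14, 8, 1, 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password) as one blob suitable for on-device storage."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


# Hash of a random password nobody knows, so that an attempt against an
# unknown user costs the same time as a wrong password for a real one.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: float = 0.0


@dataclass
class BruteForceGuard:
    max_failures: int = 5             # consecutive failures before hard lockout
    lockout_seconds: float = 900.0
    base_delay: float = 2.0           # backoff = base_delay * 2**(failures-1), capped
    max_delay: float = 60.0
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    _state: Dict[str, _Counter] = field(default_factory=dict)

    def retry_after(self, key: str) -> float:
        """Seconds the caller must still wait for `key`; 0.0 means allowed now."""
        c = self._state.get(key)
        return 0.0 if c is None else max(0.0, c.blocked_until - self.clock())

    def record_failure(self, key: str) -> float:
        """Count a failure and return the delay imposed before the next attempt."""
        c = self._state.setdefault(key, _Counter())
        c.failures += 1
        if c.failures >= self.max_failures:
            delay = self.lockout_seconds
        else:
            delay = min(self.max_delay, self.base_delay * 2 ** (c.failures - 1))
        c.blocked_until = self.clock() + delay
        return delay

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)


class DeviceAuth:
    """Password login with throttling applied before the expensive hash check,
    so an attacker can neither guess freely nor burn the device's CPU."""

    def __init__(self, guard: BruteForceGuard) -> None:
        self.guard = guard
        self.users: Dict[str, bytes] = {}

    def add_user(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str, source: str) -> Tuple[str, float]:
        """Return ("ok" | "invalid" | "throttled", seconds_to_wait)."""
        # Throttle on the account and on the source address: rotating addresses
        # still hits the account limit, and spraying many accounts from one
        # address still hits the source limit.
        keys = (f"acct:{user}", f"src:{source}")
        for key in keys:
            wait = self.guard.retry_after(key)
            if wait > 0:
                return "throttled", wait
        stored = self.users.get(user, _DUMMY_HASH)
        ok = verify_password(password, stored) and user in self.users
        if not ok:
            for key in keys:
                self.guard.record_failure(key)
            return "invalid", 0.0
        for key in keys:
            self.guard.record_success(key)
        return "ok", 0.0
```

The same guard can front any authenticated interface of the device (SSH, local web UI, MQTT credentials); what matters for the EN 18031-1 assessment is that the limit applies per account as well as per source and that a throttled attempt is rejected before any credential processing. Persisting the counters across reboots closes the obvious bypass of power-cycling the device.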
Preparing for the Cyber Resilience Act (CRA)
While EN 18031-1 addresses RED compliance, the Cyber Resilience Act (CRA) introduces broader requirements for all products with digital elements—ranging from secure-by-default configurations to lifecycle vulnerability management. Wapice’s approach to security and compliance ensures that our solutions are not only RED-ready but also CRA-prepared.
We continuously invest in improving our products to meet evolving cybersecurity standards and legislative requirements. Whether you’re building new devices or updating existing ones, Wapice can help you implement the necessary measures to stay secure, compliant, and competitive.
Explore our full range of security services at wapice.com/services/security.
Authors: Lauri Välimaa & Matti Ylineva