top of page

Cyber Resilience Act: EU Moves to Streamline Cybersecurity Rules

  • Dec 12, 2025
  • 2 min read

On December 10, 2025, the European Commission launched a public consultation on a proposal to repeal Delegated Regulation (EU) 2022/30. The repeal is intended to take effect once the Cyber Resilience Act becomes fully applicable on December 11, 2027.

This initiative reflects the EU’s effort to simplify its cybersecurity regulatory landscape and avoid duplication of legal requirements. Currently, Delegated Regulation (EU) 2022/30 supplements the Radio Equipment Directive (RED) by introducing cybersecurity obligations for certain radio equipment. However, the upcoming Cyber Resilience Act establishes a broader, horizontal framework applicable to a wide range of digital and connected products.


Cyber Resilience Act and Regulatory Harmonization


The Cyber Resilience Act is designed to unify cybersecurity requirements across the EU, ensuring that products with digital elements meet consistent security standards throughout their lifecycle. Repealing Delegated Regulation (EU) 2022/30 aims to eliminate regulatory overlap and reduce legal ambiguity for manufacturers and economic operators.

From a legal engineering standpoint, this harmonization is critical. Overlapping frameworks can lead to conflicting compliance obligations, increased costs, and delays in product commercialization. A single, coherent regulatory approach allows companies to integrate cybersecurity requirements more efficiently into product design and development.


Infographic showing the transition to the Cyber Resilience Act (CRA), including the repeal of Delegated Regulation (EU) 2022/30, public consultation timeline, unified EU cybersecurity framework, and key compliance impacts for manufacturers such as risk management, conformity assessment, and market access.

Impact on Product Regulation and Compliance


The transition toward the Cyber Resilience Act will significantly impact product regulation strategies. Manufacturers of connected devices must shift from directive-specific requirements under the RED to a comprehensive cybersecurity regime covering risk management, vulnerability handling, and ongoing compliance obligations.

This evolution reinforces the importance of embedding compliance into the engineering process. Legal engineering teams will need to align technical design, documentation, and conformity assessment procedures with the new regulatory framework to ensure seamless market access within the EU.


Stakeholder Consultation and Next Steps


The public consultation period remains open until January 7, 2026, providing stakeholders with an opportunity to contribute feedback on the proposed repeal. Industry participants, compliance professionals, and legal experts are encouraged to engage in the process to help shape a clear and effective transition.

By proactively addressing potential regulatory conflicts, the European Commission aims to create a more predictable and innovation-friendly environment. For companies operating in the EU market, early preparation for the Cyber Resilience Act will be essential to maintain compliance and competitiveness.

bottom of page