Description
This white paper takes a deep dive into the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED), looking at what each means in terms of scope, compliance rules, and where their requirements converge and diverge. Both are key pieces of EU legislation intended to improve the cybersecurity and product safety of digital and connected products.
The CRA provides statutory authority to ensure that connected digital products are developed and maintained with a high degree of cybersecurity. It requires secure product design, vulnerability handling, risk assessments, and incident reporting. The RED, by contrast, applies to radio products and imposes rules concerning safety, electromagnetic compatibility (EMC), the efficient use of the spectrum and, more recently, cybersecurity for network-connected radio equipment.
A comparative gap analysis reveals significant common ground between CRA and RED—such as the need for secure design, vulnerability management processes, and mechanisms for incident detection and reporting. However, the CRA extends further in areas like software lifecycle security, continuous monitoring for vulnerabilities, and stricter obligations on reporting cybersecurity breaches.
To help organizations address compliance requirements, the white paper provides a roadmap of best practices, such as adopting a Secure Software Development Lifecycle (SSDL), enabling a vulnerability disclosure process, and taking a risk-based approach to hardware and software components. It also provides strategic advice for navigating supply chain risks, securely integrating third-party software, and responding to incidents within regulated timeframes.
In conclusion, this white paper is a useful reference for OEMs, developers, and compliance personnel who wish to target both CRA and RED. It demystifies complex regulatory requirements for digital businesses and offers practical guidance to help develop, deliver, and maintain digital products that are safe and secure for Europeans.
Project Highlights

- CRA/RED gap analysis
- Regulatory comparison between CRA and RED
- Requirements for mapping CRA and RED
- Conformity assessment
- Step-by-step compliance roadmap process
- Role of notified body
- Challenges and practical considerations