Regulation (EU) 2022/30 ends on 11 December 2027 as the Cyber Resilience Act takes over
The repeal is now official
The European Commission has adopted Delegated Regulation (EU) 2026/339, which repeals Delegated Regulation (EU) 2022/30 — the cybersecurity delegated act under the Radio Equipment Directive (RED). The Commission adopted the measure on 16 February 2026 and published it on 29 April 2026. The repeal takes effect on 11 December 2027.
Why the regulation is being withdrawn
Delegated Regulation (EU) 2022/30 made the cybersecurity-related essential requirements of RED Article 3(3), points (d), (e) and (f), applicable to certain categories of connected radio equipment from 1 August 2025. The Cyber Resilience Act — Regulation (EU) 2024/2847 — introduces a horizontal cybersecurity framework for products with digital elements and becomes fully applicable on 11 December 2027. To avoid two overlapping sets of cybersecurity requirements and to provide legal certainty, the Commission aligned the repeal date with the CRA’s full application.
The transition period still applies
The repeal does not remove obligations during the transition. Radio equipment placed on the EU market between 1 August 2025 and 10 December 2027 must still comply with the RED cybersecurity requirements under Delegated Regulation (EU) 2022/30, and market surveillance for that period remains in force.
What changes from 11 December 2027
From that date, cybersecurity compliance for in-scope products moves to the Cyber Resilience Act framework. RED cybersecurity harmonised standards will no longer provide presumption of conformity under the repealed act, and manufacturers should plan their compliance route around CRA requirements.
