On 10 December 2024, the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force: the first EU-wide regulation to impose mandatory cybersecurity requirements on hardware and software products across their whole lifecycle. For wireless product manufacturers the question is no longer whether to comply but when: from 11 December 2027, every product with digital elements placed on the EU market must meet its essential requirements, and the vulnerability and incident reporting duties start earlier, on 11 September 2026. This guide breaks down the CRA framework, identifies which wireless products fall in scope, maps the key compliance deadlines, and explains the five core obligations manufacturers must fulfil.
The Cyber Resilience Act (CRA) is an EU regulation that imposes mandatory cybersecurity requirements on products with digital elements made available on the EU market. Its scope is broad: from smartphones and laptops to IoT devices, networking equipment, and software, whether sold stand-alone or embedded in a device.
The CRA's core objective is to ensure that digitally enabled products meet cybersecurity requirements throughout their entire lifecycle, protecting both consumer and enterprise data. It moves product cybersecurity from industry best practice to a legal obligation: non-compliance with the essential requirements carries fines of up to EUR 15 million or 2.5% of worldwide annual turnover for the preceding financial year, whichever is higher.
The CRA intersects with the existing Radio Equipment Directive (RED). The RED Article 3(3)(d), (e) and (f) cybersecurity requirements for wireless devices, activated by Delegated Regulation (EU) 2022/30, became mandatory on 1 August 2025, with the EN 18031 series serving as the harmonised standards for demonstrating conformity. The CRA operates as a broader framework regulation covering all products with digital elements. Key milestones:
10 December 2024 CRA enters into force
11 June 2026 Provisions on notified bodies apply, so conformity assessment bodies can be designated ahead of full application
11 September 2026 Reporting obligations (Article 14) take effect: manufacturers must notify actively exploited vulnerabilities and severe incidents, with an early warning within 24 hours, a vulnerability or incident notification within 72 hours, and a final report within 14 days of a fix being available (one month for incidents). These duties also apply to products already on the market
11 December 2027 CRA becomes fully applicable: all products with digital elements placed on the EU market from that date must comply, and products placed earlier come into scope if they are substantially modified afterwards
The CRA scope hinges on whether a product contains "digital elements" and has a data connection. For wireless products the test is effectively always met, since a wireless product has all of the following characteristics:
Digital processing capability The product contains firmware, software, a mobile app, or a manufacturer-provided cloud backend (remote data processing)
Data connectivity Bluetooth, Wi-Fi, Zigbee, LoRa, NB-IoT, or any other direct or indirect physical or logical data connection to a device or network
EU market placement Products placed on the EU market from 11 December 2027 onwards must comply
Typical wireless products in scope include:
Important: Article 2 excludes products already covered by sector-specific EU rules with equivalent cybersecurity requirements, such as medical devices under the MDR/IVDR and vehicles under the type-approval framework. Most consumer and industrial wireless products have no such exemption and must comply.
Under CRA Chapter II (manufacturer obligations, Article 13) and the essential requirements in Annex I, manufacturers must fulfil the following cybersecurity requirements throughout the product lifecycle:
1. Secure by Design Products must ensure an appropriate level of cybersecurity at the design, development, and production stages. Products with known exploitable vulnerabilities must not be placed on the market. For wireless products, this means firmware, protocol stacks, and cryptographic implementations must undergo thorough security assessment before launch.
2. Secure by Default The default configuration must be secure — users should not need to take additional steps to achieve basic protection. For wireless products, this means encryption and authentication mechanisms must be enabled at factory defaults; convenience must not come at the expense of security.
3. Risk Assessment Manufacturers must conduct a cybersecurity risk assessment, document it in the technical documentation, and keep it updated across the planning, design, development, production, delivery, and maintenance phases. Risk assessment is not a one-time event; it is a continuous lifecycle obligation.
4. Vulnerability Management Manufacturers must define a support period of at least 5 years (or the product's expected lifetime if shorter). During this period they must identify and document vulnerabilities and components (including a software bill of materials, SBOM, covering at least the top-level dependencies), provide security updates without delay and free of charge, and operate a vulnerability reporting and coordinated disclosure process with a published contact address.
5. Third-Party Component Due Diligence When integrating third-party components (including open-source software), manufacturers must verify the component manufacturer's compliance (check CE marking where the component is itself a product with digital elements), confirm that security updates are available for the component, and check that the shipped version has no registered vulnerabilities in the European vulnerability database (EUVD) or other public vulnerability databases.
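One concrete form of the due-diligence check above is to match the shipped component versions from the SBOM against a vulnerability advisory snapshot and flag anything that is still affected, separating findings that have a fix (update before shipping) from those with no fix or with known exploitation (which the Secure by Design point treats as a bar to placing the product on the market). The script below is an added example for this article, not GTG's tooling or an official CRA procedure. The SBOM fragment, the component names (acme-*) and the advisory entries are constructed for illustration and make no claim about any real library; in practice the advisories would be pulled from the EUVD, NVD, OSV or a vendor feed, and the SBOM from the build system in CycloneDX or SPDX form.

```python
"""Match an SBOM's components against an advisory snapshot (constructed data).

Added example: not the article's, GTG's or the EU's own code. Component names
and advisory IDs below are fictional placeholders.
"""
import json

# Constructed CycloneDX-style SBOM fragment for a hypothetical Wi-Fi module firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-tls",  "version": "2.28.3"},
    {"type": "library", "name": "acme-ip",   "version": "2.1.3"},
    {"type": "library", "name": "acme-ap",   "version": "2.10"},
    {"type": "library", "name": "acme-json", "version": "1.7.15"}
  ]
}
"""

# Constructed advisory snapshot. Each entry affects versions in the
# half-open range [introduced, fixed); fixed=None means no fixed release yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "acme-tls", "introduced": "2.0.0",
     "fixed": "2.28.4", "severity": "high", "known_exploited": True},
    {"id": "EXAMPLE-ADV-0002", "component": "acme-ip", "introduced": "2.0.0",
     "fixed": "2.1.3", "severity": "medium", "known_exploited": False},
    {"id": "EXAMPLE-ADV-0003", "component": "acme-json", "introduced": "1.7.0",
     "fixed": None, "severity": "critical", "known_exploited": False},
]


def parse_version(v):
    """'2.28.3' -> (2, 28, 3). A non-numeric suffix such as '2.10-rc1' is cut
    off at the first non-digit, so '2.10-rc1' compares as 2.10."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def _pad(t, width):
    # Right-pad with zeros so (2, 10) and (2, 10, 0) compare equal.
    return t + (0,) * (width - len(t))


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None: every version from introduced on)."""
    v, lo = parse_version(version), parse_version(introduced)
    hi = parse_version(fixed) if fixed else None
    width = max(len(v), len(lo), len(hi) if hi else 0)
    v, lo = _pad(v, width), _pad(lo, width)
    if v < lo:
        return False
    return hi is None or v < _pad(hi, width)


def check_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair where the shipped version is affected."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "known_exploited": adv.get("known_exploited", False),
                    "fixed_in": adv["fixed"],
                })
    return findings


def placement_blockers(findings):
    """Findings a release gate should refuse outright: a known exploited vulnerability
    in the shipped version (Annex I's 'no known exploitable vulnerabilities')."""
    return [f for f in findings if f["known_exploited"]]


def needs_update(findings):
    """Findings with a fixed release available: bump the component before shipping."""
    return [f for f in findings if f["fixed_in"] is not None and not f["known_exploited"]]


if __name__ == "__main__":
    found = check_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        state = "BLOCKER" if f["known_exploited"] else ("fix available" if f["fixed_in"] else "no fix yet")
        print(f"{f['component']} {f['version']}: {f['advisory']} ({f['severity']}, {state})")
```

Run it over a real SBOM by swapping SBOM_JSON for the build output and ADVISORIES for a normalised feed export; the version comparison deliberately pads missing segments so that a component declared as 2.10 is treated as 2.10.0 rather than as older than 2.10.0.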
Wireless products face dual obligations under both the CRA and the RED. Their respective focus areas differ significantly:
| Dimension | CRA | RED |
|---|---|---|
| Focus | Vulnerability reporting, security updates, lifecycle risk management | Article 3(3)(d) network protection, (e) privacy and personal data, (f) fraud protection, assessed against EN 18031 |
| Product scope | All products with digital elements | Radio equipment (Bluetooth, Wi-Fi, etc.) |
| Standards | CRA horizontal standards (expected August 2026) + vertical standards | EN 18031 series |
| Key deadline | 11 September 2026 (vulnerability reporting); 11 December 2027 (full application) | Article 3(3)(d), (e), (f) mandatory from 1 August 2025 |
| Maximum penalty | EUR 15 million or 2.5% of global turnover | Set by individual Member States |
CRA compliance does not replace RED compliance, and vice versa. Both apply independently, and wireless products must satisfy both. From a practical standpoint, completing RED Article 3(3)(d), (e), (f) testing against EN 18031 first provides a solid technical foundation for the CRA's broader lifecycle risk management requirements, since the same security controls (secure defaults, update mechanisms, access control) are evidence for both.

As the CRA compliance clock accelerates, wireless product manufacturers should begin the following workstreams immediately:
Launch cybersecurity risk assessments The CRA requires assessments from the design phase through the entire lifecycle. Use established methodologies such as STRIDE, ISO 27005, or NIST SP 800-30 to systematically evaluate the full attack surface of wireless products — covering communication protocols, cryptographic implementations, and firmware update processes.
Build comprehensive technical documentation The CRA mandates thorough technical documentation including risk assessment reports, secure design specifications, vulnerability management policies, and security update plans. Extend your existing CE technical documentation to meet CRA requirements.
Establish vulnerability reporting channels Before 11 September 2026, set up a vulnerability intake mechanism for security researchers (a published security contact and a coordinated disclosure policy) and an internal process that can deliver the 24-hour early warning and 72-hour notification for actively exploited vulnerabilities and severe incidents through the single reporting platform operated by ENISA.
Define the security support period Commit to a minimum 5-year security update timeline and disclose the support scope and update delivery method to end users.
Engage a professional compliance partner The CRA conformity assessment model is still being finalized, but the direction is clear. Work with a qualified cybersecurity testing laboratory to obtain a tailored compliance roadmap. For CRA certification services, visit GTG Certification Services.
Q1 If my wireless product has passed EN 18031 testing, do I still need CRA compliance?
Yes. EN 18031 is the cybersecurity standard under the RED, addressing specific technical requirements for wireless devices such as encryption and access control. The CRA is a broader framework regulation covering lifecycle risk management, vulnerability reporting, and security updates. The two apply independently — passing EN 18031 does not constitute CRA compliance.
Q2 How long does CRA compliance take?
CRA compliance is not a single "certification test"; it is a continuous compliance system. Building a compliance framework from scratch (risk assessment, technical documentation, SBOM generation, vulnerability management, security update processes) typically takes 3 to 6 months, depending on product complexity and the maturity of existing security practices. Completing compliance setup and validation well before the end of 2026 is strongly recommended, as the reporting obligations are already live from September 2026.
Q3 What are the consequences of non-compliance?
Non-compliant companies face fines of up to EUR 15 million or 2.5% of global annual turnover, whichever is higher. Products may be required to be withdrawn from the EU market. Additionally, Member State market surveillance authorities can impose restrictions on non-compliant products, including mandatory recall and delisting.
This article was generated with AI assistance. Content is for reference only and does not constitute any certification commitment or legal advice. Please refer to the latest official EU regulations.
Contact: net04@gtggroup.com