Future-proof your products

Cybersecurity begins with product development

Obtain advice now with no obligation

Cybersecurity is a must these days. By December 2027 at the latest, connected products must comply with the requirements of the new EU Cyber Resilience Act (CRA) and the extended RED standard(RED Security). The challenge: the specifications are complex and time is running out.

STEINEL Solutions is one of the first companies to implement these requirements in a practical and competent manner. We support you from the initial analysis to CE marking and beyond.

What are CRA and the RED standard (RED security)?

Cyber Resilience Act (CRA) – EU 2024/2847
  • Applies to products with digital elements and communication interfaces (hardware and software)
  • Requirements: risk management, vulnerability management, security updates, SBOM, CE marking
  • Products placed on the market before 11 December 2027 are exempt
  • Products that receive subsequent updates are affected
RED standard – Directive 2014/53/EU + Delegated Act 2022/30/EU
  • Applies to radio equipment with direct or indirect internet connection
  • Hardware products only
  • Requirements: Protection against network damage, data protection, fraud protection
  • Deadline for Delegated Act: Valid from 1 August 2025

Who is this relevant for?

Product manager

You must ensure that new products are developed in compliance with regulations.

Development teams

You need clear requirements and technical standards.

Decision-maker

You are responsible for product safety and liability.

Companies with existing products

Updates may lead to CRA obligations.

Our expertise – your advantage

We help you to make your products legally compliant and safe, while keeping your development goals in mind.

solutions-cra-wissen.svg

Knowledge

In-depth knowledge of CRA and RED Security

solutions-cra-beratung.svg

Consultancy

Target group-oriented consulting for developers, product managers and decision-makers

solutions-cra-begleitung.svg

Accompaniment

Support from analysis to CE marking

solutions-cra-erfahrung.svg

Experience

Experience from successful projects

Portrait of Ramon Schenk, project manager at STEINEL Solutions AG
Ramon Schenk, Project Manager at STEINEL Solutions AG

"RED 3.3 and the upcoming CRA mark the beginning of a new era for software and hardware development. The multitude of requirements can seem overwhelming, but we see it as an opportunity to develop safer and more future-proof devices for our customers.
By considering these requirements early on in the project initialisation phase (e.g. risk analysis and concept phase), we maintain a clear view of the solution and proceed step by step."

Round portrait of employee Robin Bolt.
Robin Bolt, electronics and firmware developer at STEINEL Solutions AG

"Our IoT development includes not only radio, EMC and electrical safety, but also cybersecurity: security by design, thread/risk assessments, and regular security-critical software updates on IoT devices after SBOM checks.
This means that your products are not only innovative, but also trustworthy and protected in the long term."

Technical requirements
  • Protection against unauthorised access: access control, authentication, encrypted communication
  • SBOM (Software Bill of Materials)
  • Risk analysis and security testing
  • Incident response and update policies
  • CE marking with cybersecurity component
  • Relevant standards: EN18031, ETSI 303 645, IEC62443
Procedural requirements

Vulnerability management:

  • 24 hours after discovery
  • 72 hours technical information
  • 14 days of action information

Integration into PEP (product development process)


Reporting authorities: ENISA, BSI


Lifecycle support:

  • At least 5 years of updates after last release
  • 10 years of documentation requirement
  • Monitoring obligation during product lifetime + 5 years
Product classification & proof of conformity
  • Default Category (most products) → Self-assessment
  • Class 1 & 2 Important Products (Annex III) → partially with Notified Body
  • Critical Products (Annex IV) → Notified Body + scheme
  • Classification determines effort and evidence required

Overview of deadlines

solutions-cra-pfeile.svg

10 December 2024

CRA comes into force

solutions-cra-pfeile.svg

1 August 2025

RED Delegated Act mandatory

solutions-cra-pfeile.svg

11 September 2026

CRA reporting obligation for manufacturers

solutions-cra-pfeile.svg

11 December 2027

CRA fully applicable

What happens in the event of non-compliance?


  • Fine: up to 2.5% of global annual turnover (max. EUR 50 million)


  • Product recall, sales ban, public notification of violations
Image with lock on keyboard.

Act now – before it's too late

The requirements are complex, but with us at your side, implementation becomes predictable and efficient. Contact us for a no-obligation initial consultation.
Contact