breaches. Compliance experts such as the BSI Group advise manufacturers to check whether their product falls under the scope of these three standards. If they do, the manufacturer should conduct a compliance gap analysis; implement any necessary changes in design, testing and documentation; and consult with a RED Notified Body to obtain a certificate which demonstrates market compliance. Onus on manufacturers, but duty for resellers Inevitably the greater responsibility lies with manufacturers to ensure that their new equipment complies with the new RED DA regulations by establishing conformity through appropriate certification schemes. But resellers and distributors should also make sure that what they sell complies. If the equipment being sold is judged to present any form of risk, resellers and distributors have a duty not to sell it and should inform the manufacturer and the relevant market surveillance authority. Compliance
experts also advise that failure to comply with these requirements could lead to warnings and penalties from the individual state’s relevant supervisory authority, and in the worst case a sales ban and/or prosecution associated with a breach of competition law. With the deadline for compliance with the EU’s Cyber Reslience Act (CRA) in the pipeline for in 2027 (with some requirements coming into force in 2026), it may be a good idea for manufacturers to prepare for both regulations at the same time. “The path to Cyber Resilience Act compliance starts now with RED DA – not in 2026,” stated Manual Weber, Lead Embedded Software Architect at technology consulting services firm Zühlke in a recent blog. “Early action means fewer surprises, smoother transitions, and stronger products.” Crucially, the RED DA directive doesn’t apply to equipment in circulation before 1 August 2025 however, so products already in distribution or with retailers within the EU/EEA prior to this date are not subject to the requirements. n
Manuel Weber Lead Embedded Software Architect
zuhlke.com