Navigating New Cybersecurity Regulations: RED Delegated Regulation & Cyber Resilience Act
Discover how the RED Delegated Regulation and Cyber Resilience Act (CRA) in the EU reshape cybersecurity requirements for embedded IoT devices.
In this session, you will:
- Learn to assess risks and determine which compliance levels apply to your hardware.
- Understand how to certify devices and navigate the documentation required for the CE mark.
- Implement standards effectively to meet "security by design" mandates.
Gain practical insights and real-world examples, and engage in discussions to prepare your organization for compliance and resilience in today’s evolving digital landscape.
What this presentation is about and why it matters
How do you make sense of the EU’s new cybersecurity rules when they are still being translated into standards, deadlines, and product obligations? Adithya Madanahalli approaches that tension with a practical walkthrough, using embedded IoT devices, wireless products, and the contrast between the RED delegated act and the Cyber Resilience Act. He connects regulation to engineering choices like product classification, risk assessment, documentation, and lifecycle support, without assuming a legal background. This session is especially useful if you build connected devices and want a grounded map of what compliance work starts to change in the design process.
Who will benefit the most from this presentation
- Embedded product engineers working on connected devices, especially if firmware is shipped to customers.
- IoT developers who need to understand how regulatory requirements affect design, testing, and updates.
- Security engineers supporting hardware teams that have to think beyond initial release.
- Technical leads or architects who must decide how compliance work fits into product planning.
- Manufacturers, distributors, or importers trying to understand where product obligations start and end.
What you need to know
A basic familiarity with embedded and IoT product development will help. It is also useful to know the difference between product design, deployment, and maintenance.
- General understanding of connected embedded devices and firmware.
- Comfort reading about standards, regulations, and compliance workflows.
- Awareness of security concepts such as updates, access control, and encryption.
Glossary (terms used in this talk)
- Stride: The step size used when moving a convolution kernel across an input; larger strides reduce output resolution and compute.
- Cyber Resilience Act (CRA): A European Union regulation focused on cybersecurity requirements for products with digital elements. It drives manufacturers to assess risks, implement security measures, and keep documentation aligned with product changes.
- Threat modeling: A structured way to identify what can go wrong in a system, what assets or properties are affected, and what mitigations are available. It is often used to prioritize security work before implementation decisions are made.
- RED Delegated Regulation (Radio Equipment Directive delegated act): An EU delegated regulation that adds cybersecurity-related requirements to certain radio equipment. It extends the compliance conversation beyond radio performance into areas such as network protection, privacy, and fraud protection.
- EN 18031 series: A family of harmonized European standards used to support cybersecurity requirements for radio equipment. Such standards provide a technical route for demonstrating conformity with a regulatory requirement.
- EN 303 645: A European consumer IoT security standard that defines baseline expectations for connected products. It is often used as a reference point for secure default configuration and product security practices.
- OJEU (Official Journal of the European Union): The official publication where harmonized standards are referenced for EU regulatory use. When a standard appears here, it can become part of the accepted compliance route for a regulation.
- CE marking: A marking that indicates a product meets applicable EU requirements for sale in the European market. It is typically associated with a conformity assessment and supporting technical documentation.
Final thoughts
Practical and regulation-focused, this talk gives embedded teams a way to turn legal text into engineering work that can be planned, reviewed, and tracked. The value here is a clearer vocabulary for classifying products, framing risk, and thinking about lifecycle obligations in a connected-device context. It will help engineers, architects, and product owners who need to align security work with market access. The session stays grounded in the realities of shipping hardware under changing rules.
This overview is AI-generated from the session transcript.