Navigating the New EU Cybersecurity Requirements and Compliance Options
Although the European Union’s Radio Equipment Directive (RED) applies to its 27 member states, it’s relevant for many North American device OEMs, too. One example is OEMs with multinational enterprise customers, especially customers that prefer the simplicity of working with a single supplier. Another is OEMs that want to keep SKUs to a minimum so they can sell the same products in North America, the EU, and other regions.
Cybersecurity is a major factor in complying with EU regulations. For years that meant OEMs followed Delegated Regulation 2022/30, which specified how devices must:
- Not harm or misuse network resources.
- Protect personal data and privacy.
- Include anti-fraud safeguards when used for financial transactions.
The EU Cyber Resilience Act (CRA) covers the same requirements as RED’s Article 3(3)(d), (e), and (f). That duplication is why Delegated Regulation 2022/30 was repealed in October 2024 and replaced by the CRA. That change took effect in August 2025, with a transition period that ends December 11, 2027, when CRA becomes the sole regulation that OEMs must comply with.
Why Antennas are the First Line of Defense
Cybersecurity is a never-ending process because threats are continually evolving. That’s why the CRA requires device OEMs to design their products so the firmware and software can be patched and updated to thwart new attack vectors.
This requirement is another reason why the CRA is relevant even for devices that won’t be sold in any of the EU’s 27 member states. The design capabilities that enable over-the-air (OTA) patches and updates to comply with the CRA can be re-used in any other region, such as North America, to meet enterprise cybersecurity requirements. Those capabilities are a powerful market differentiator and give OEMs another way to compete aside from price.
Antennas play a critical role in all of these scenarios because they enable radio modules and other device components to receive patches and updates. They also enable devices to upload information, such as alerts about unusual behavior that could indicate a new type of attack. That data is key for analyzing emerging threats and developing responses before they escalate.
How to Choose and Implement a CRA-Ready Antenna
One best practice is to choose a wideband antenna, such as 600 MHz to 6 GHz in the case of devices using LTE/5G. That broad coverage helps ensure that even if the device owner subsequently switches mobile operators — such as to get better coverage, better pricing, or access to a new air interface — or uses multiple mobile operators from day one, the antenna will be able to connect to the new network to upload and download cybersecurity data.
A wideband antenna also can enable CRA compliance for devices used in rural areas and other locations where cellular coverage is spotty or unavailable, or while roaming in areas where the device or end user doesn’t have a plan with any of the local operators. Many of the Non-Terrestrial Network (NTN) satellite bands are close enough to 4G and 5G spectrum that a single wideband antenna system can cover both technologies. That’s why modules that support both cellular and NTN have a single RF connector for the antenna. (For a deeper dive, see “Combining Satellite and Cellular to Unlock New Business Opportunities.”)
When using a wideband antenna, keep in mind that each mobile operator has its own set of performance requirements — such as total radiated power (TRP) and total isotropic sensitivity (TIS) — that devices must meet in order to use their network. So to ensure that a device will be able to connect when it needs a patch or update, the design process should include testing to verify that it meets those requirements for all of the operators in the target market(s).
This initial set of tests often is referred to as pre-certification because it’s conducted in the lab and in the field using specialized equipment. Passing pre-certification is key for ensuring that the device will then pass each operator’s certification tests on the first submission, thus avoiding expensive and time-consuming redesigns for resubmission. (To learn more about certification and pre-certification, including how Taoglas engineering services can help, see “What’s New in Cellular Certification.”)
Another tip is to consider leveraging a secure Wi-Fi network. A wideband cellular antenna that supports up to 6 GHz also covers the 2.4 GHz and 5 GHz Wi-Fi bands. And even if the device has access to a 4G or 5G signal, Wi-Fi might be the best way to download a patch or update — particularly a large one — because it avoids cellular tariffs and/or is faster than the cellular connection.
Finally, many devices subject to the CRA use batteries. Power consumption during patches and updates is an important consideration both for compliance and device longevity. When comparing antennas, pay close attention to efficiency: a more efficient antenna lets the transceiver use less power to transmit or receive a usable signal.
Integration also maximizes battery life. One example is impedance matching, which ensures that the antenna can broadcast all of the signal that the transmitter provides when uploading data about a suspected attack. If there’s a mismatch, some of the signal is reflected back toward the transmitter instead of being radiated. This wastes battery life because the transmitter is using power that literally goes nowhere.
For additional insights into impedance and other key integration aspects that directly and indirectly affect CRA compliance:
- Read “All Together Now: Best Practices for Cellular Antenna Integration”
- Watch “How Smarter Cellular Integration Reduces Certification Complexity”
Courtesy of Taoglas

