What does this mean for legacy products that are CE marked that cannot meet RED Cyber requirements?

Answer

For legacy products that are CE marked, the applicability depends on when and how the products were placed on the EU market:

1. Grandfathered Products: Any product that was already placed on the EU market (i.e., transferred to economic operators or sold after production) before the new requirements become applicable can continue to be used without the need for adaptation until the end of its lifecycle. This includes products in the hands of consumers or other economic operators.
2. Products in Stock or Continuous Production: Products still in stock or in continuous production and placed on the market after August 1, 2025, must comply with the new RED Article 3.3 (d), (e), and (f) requirements. This applies to both new batches of legacy equipment and old batches sold after this date.
3. Non-Compliant Legacy Products: If a legacy product cannot meet the new requirements (e.g., because it is not firmware upgradable or due to hardware limitations), manufacturers may involve a Notified Body to conduct a risk analysis. The analysis must demonstrate that the remaining risks are acceptable for the intended use case. Based on this assessment, a Notified Body may determine whether the product can still achieve conformity or require further action.