There are moments in our field when a new set of requirements arrives, fundamentally changing how we approach our work. We lived through this with EMC—and those of us who were there remember both the uncertainty of those early days and the satisfaction of watching our community rise to meet it. It is rising again. This time, cybersecurity is leading the charge.
For years, the industry has treated cybersecurity as a software problem—something for IT departments to manage after products leave the drawing board. That’s no longer good enough. Regulators on both sides of the Atlantic have made clear that security must be designed in, not bolted on.
For those working with connected products destined for the European market, the shift is already here. As of August 1, 2025, cybersecurity requirements under the EU Radio Equipment Directive (RED) became mandatory via Delegated Regulation (EU) 2022/30, activating Articles 3.3(d), (e), and (f). The scope is broad—programmable logic controllers, industrial IoT gateways, building automation systems, wireless medical devices, and any device capable of communicating over the internet now fall within its reach.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847), which entered into force on December 10, 2024, with full applicability on December 11, 2027, takes it a step further by establishing mandatory cybersecurity requirements for virtually all hardware and software products with digital elements. Its structure, including CE marking, technical documentation, and lifecycle obligations, will look a lot like frameworks you already know well.
Let’s face it—if you know how to design for safety and compatibility, you already think like a security engineer. Compliance engineers bring precisely the right expertise to this moment. This Guide reflects that expanding role—and our continued commitment to providing the technical knowledge and resources you need to meet it.
With appreciation for all that you do,
Lorie Nichols
Editor