On March 3, 2026, the European Commission launched a public consultation on the draft implementation guidelines for the Cyber Resilience Act (CRA).

Click this link for the original public consultation, and the call for comments is until March 31, 2026.

Following a public consultation on September 9, 2025, on February 17, 2026, the UK Communications Authority (Ofcom) issued a statement announcing the final regulations for the authorization of device direct-connected satellite (D2D) services. The current authorized operator is Virgin Media O2 (VMO2), and Ofcom also welcomes other operators to apply for changes in authorization to carry out D2D business in the statement. The regulation came into effect on February 25, 2026.

Click this link to view Ofcom's original announcement.

Following the European Commission's public consultation on the initiative to repeal the Cybersecurity Delegation Regulation (EU) 2022/30 on December 10, 2025, the Commission officially adopted the initiative on February 16, 2026, and the Delegation Regulation (EU) 2022/30 will expire from December 11, 2027. The Cyber Resilience Act (EU) 2024/2847 will replace the Delegated Regulation (EU) 2022/30. At present, the relevant initiative has not completed the legislative process and has not been published on the Official Journal (OJ) website.

Click this link to see the content of the initiative and the status of resolution.

On December 16, 2025, the UK Office for Product Safety and Standards (OPSS) published the Radio Equipment Regulations (Amendment) (Northern Ireland) 2025 on the official website of the UK government, amending the Radio Equipment Regulations 2017 to ensure that Northern Ireland continues to be consistent with the relevant EU rules. The regulation introduces requirements for connected radio equipment in the EU 2022/30 (EU), focusing on cybersecurity, personal data and privacy protection, and fraud prevention. The new regulations mainly apply to networkable radio equipment, child-related devices and wearable devices, and relevant products placed on the market in Northern Ireland from August 1, 2025 must meet the requirements. Manufacturers must complete the corresponding conformity assessment and affix the CE mark.

Click this link to view the original text of the regulations.

On January 9, 2026, the UK Communications Authority (Ofcom) launched a public consultation to discuss the enabling of the Automatic Frequency Coordination (AFC) system in the 5925-7125 MHz (6 GHz) band. Ofcom published a public consultation paper on February 13, 2025 for the entire 6 GHz band, proposing the introduction of AFC-controlled standard power Wi-Fi (up to 36 dBm) on the lower 6 GHz, including outdoor use. This new public consultation has confirmed the use of AFC systems in the 5925MHz-6425MHz bands and allows for standard power Wi-Fi devices and allows outdoor use.

Click this link to view the original public consultation.

On December 1, 2025, the European Commission published Commission Implementing Regulation (EU) 2025/2392, which provides a technical description of important and critical product categories that contain digital elements, in accordance with Regulation 2024/2847. The regulations will come into effect on December 21, 2025.

Click this link to view the original text of (EU) 2025/2392.

On January 15, 2026, the European Telecommunications Standards Institute (ETSI) published the following draft standards for the Cyber Resilience Act:

• EN 304 617 – Cybersecurity requirements for Browsers
• EN 304 618 – Cybersecurity requirements for password managers
• EN 304 619 – Cybersecurity requirements for software that searches for, removes, or quarantines malicious software
• EN 304 620 – Cybersecurity requirements for Virtual Private Networks (VPNs)
• EN 304 621 – Cybersecurity requirements for Network Management Systems (NMSs)
• EN 304 622 – Cybersecurity requirements for Security Information and event management (SIEM)
• EN 304 623 – Cybersecurity requirements for boot managers
• EN 304 624 – Essential cybersecurity requirements for Public Key Infrastructure and digital certificate issuance software
• EN 304 625 – Cybersecurity requirements for physical and virtual network interfaces
• EN 304 626 – Cybersecurity requirements for Operating Systems (OS)
• EN 304 627 – Essential cybersecurity requirements for routers, modems intended for the connection to the internet, and switches
• EN 304 635 – Cybersecurity requirements for Virtualisation Execution Stack (VES) and Container Execution Stack (CES), including hypervisors and container runtime systems
• EN 304 636 – Cybersecurity requirements for firewalls, intrusion detection and/or prevention systems

Click on this link to view the above draft standards. The link also includes a public consultation guide and a feedback form.

On December 11, 2025, the European Commission issued Commission Implementation Decision (EU) 2025/2499, which revises the harmonized standards for short-range devices (SRDs) and airborne mobile communication systems.

The main changes are as follows:

• Removal of the old version of the standard: EN 300 220-2 V3.1.1 for short-range devices (SRDs) in the frequency band from 25 MHz to 1 000 MHz, EN 302 480 V2.2.1 for airborne mobile communication systems (MCOBA) and EN 302 729 V2.1.1 for short-range devices using ultra-wideband (UWB) technology. The effective date of standard deletion is June 11, 2027;
• The following harmonized standards have been added: EN 300 220-2 V3.3.1, EN 302 480 V3.1.1, EN 302 729-1 V3.1.1, EN 303 659 V1.1.1 short-range devices in data networks, EN 305 550-6 V1.2.1 specific wireless measurement equipment (e.g. detection radar) in the frequency band from 40 GHz to 260 GHz.

Click on this link to view the original text of (EU) 2025/2499.

On December 10, 2025, the European Commission launched a public consultation to discuss an initiative aimed at repealing the RED Cybersecurity Delegated Regulation (EU) 2022/30. The initiative aims to repeal (EU) 2022/30 after the Cyber Resilience Act (CRA) goes into effect on December 11, 2027. This is intended to avoid overlap and ambiguity between the basic cybersecurity-related requirements of the Radio Equipment Directive and those in the Cyber Resilience Act.

Click this link to view the original public consultation, and the comment period is until January 7, 2026.

On November 12, 2025, the European Commission launched a public consultation on the new legislative framework (NLF), which aims to update the rules on conformity assessment bodies. The main body of the public consultation is a questionnaire containing information on the compliance of digital products (including the tendency of display formats such as QR codes, barcodes, NFC/RFID and other contactless technologies), digital product passports (DPPs), the regulation of refurbished products, etc.

Click this link to view the original public consultation, the deadline for comments is February 4, 2026.