26/2/2025

Understanding the Cyber Resilience Act

In recent years, the digital world has experienced rapid growth — a trend that is expected to continue in the years ahead. Unfortunately, digital expansion goes hand in hand with an increased risk of cyberattacks. With billions of connected devices around the globe, the cybersecurity of cyber-physical systems is becoming increasingly critical. In response to this growing concern, the European Union (EU) has introduced the Cyber Resilience Act, a regulation aimed at strengthening the security of products with digital elements.

In this article, we’ll cover the key elements of this new regulation to help you understand the various implications for your business. To read the full regulation, you can follow this link:

What is the Cyber Resilience Act?

The Cyber Resilience Act is a new regulation that sets mandatory security requirements for all products with digital elements sold in the European Union. This includes both software and hardware products that are connected to other devices or to a network. The law aims to reduce vulnerabilities and improve cybersecurity throughout the entire lifecycle of digital products.

The regulation addresses two major issues:

  • Widespread vulnerabilities in digital products, which increase the risk of cyberattacks.

  • Inconsistent security updates, which leave many products exposed to known security flaws for extended periods.

Why is this important?

Cyberattacks can have major consequences, affecting not only end users but also businesses and public infrastructure. By strengthening cybersecurity standards at the product level, the Cyber Resilience Act aims to prevent attacks before they happen. This is especially important for critical sectors such as healthcare, transportation, and smart home devices, where vulnerabilities can lead to significant harm.

The Act ensures that manufacturers incorporate security at every stage of a product’s lifecycle — from design and development to maintenance. It also gives consumers greater transparency regarding the security features and update schedules of the products they purchase.

Key requirements for manufacturers

Under the Cyber Resilience Act, manufacturers must:

  1. Ensure the cybersecurity of the product throughout its lifecycle: This includes identifying and addressing vulnerabilities, as well as providing security updates for a defined period.

  2. Meet strict compliance assessments: Products classified as important or critical (such as smart home systems or medical devices) must undergo more rigorous assessments to ensure compliance with cybersecurity standards.

  3. Provide transparency to consumers: Manufacturers must inform users about the cybersecurity features of their products, including the duration of security updates.

These requirements apply not only to products developed within the EU but also to those imported into the European Union market.

Dates to keep in mind

The Act provides a clear timeline for manufacturers to adjust their products. Here are the key dates to remember:

  • General compliance: Manufacturers have 36 months from the regulation’s entry into force to ensure their products meet the required cybersecurity standards.

  • Reporting obligations: Manufacturers must report vulnerabilities and any serious cybersecurity incidents affecting their products starting 21 months after the regulation comes into force.

  • Conformity assessment bodies: 18 months after the regulation’s entry into force, these bodies must be ready to evaluate and certify products. Manufacturers of critical and important products must ensure that their products are assessed at this time.

Support for small and medium enterprises

The Cyber Resilience Act recognizes that small and medium-sized enterprises will face challenges in implementing the regulation within their businesses. Therefore, it includes special provisions to help SMEs comply with this regulation.

Guidance will be provided on everything from cybersecurity risks to the application of the law, ensuring that even small businesses can remain competitive in the market while maintaining high cybersecurity standards.

How to prepare?

To ensure compliance with the Cyber Resilience Act, manufacturers should review their product development processes now. To do so, manufacturers can take the following steps:

  • Conduct cybersecurity risk assessments: Identify and address potential vulnerabilities.

  • Develop a plan for regular security updates: Ensure that your products receive timely updates throughout their support period.

  • Assess compliance: If your products fall into the important or critical categories, make sure they undergo the necessary third-party evaluations.

The future of cybersecurity in the EU

The Cyber Resilience Act marks a major step forward in securing the digital ecosystem. By setting cybersecurity standards for products with digital elements, the EU is paving the way for the protection of consumers and businesses against cyber threats. For manufacturers, this law is not only a compliance issue but also an opportunity to build trust with customers and differentiate themselves in a competitive market.

As the 36-month compliance deadline approaches, now is the time to take action. Manufacturers who quickly adopt cybersecurity requirements will be well-positioned to thrive in this new, secure digital landscape.

Are you ready to comply with the Cyber Resilience Act? Contact Vendel to learn how we can help you bring your connected products into compliance for the European Union market.