New requirements for digital product security

Whitepaper: EU Cyber Resilience Act

  • 07 Dec 2023

Through the Cyber Resilience Act, the European Union aims to institute new cybersecurity requirements for products incorporating digital components. This imperative stems from the increasing significance of networked devices and services in everyday life, for both economic operators and private users.

The draft is expected to be ratified in 2024, with full implementation after a transitional period of 36 months. Given that product development cycles usually span several years, companies affected by these regulations must now enact proactive measures to stay ahead of the regulatory pressure.

When launched, many products currently in development will need to demonstrate compliance with the Cyber Resilience Act. Early categorisation and review of your portfolio will afford crucial time for necessary actions.

Our white paper provides an in-depth examination of the affected product types, necessary considerations, and proactive steps companies can take now.

Your expert for questions

Oliver Hanka
Partner at PwC Germany
Tel: +49 160 5105836

Obligations of Manufacturers and Distributors

The Cyber Resilience Act (CRA) specifically targets products featuring digital components designed to establish direct or indirect data connections with other devices or networks. This encompasses both software and hardware. The key criterion for CRA applicability is a product's ability to communicate with other products or components. Companies face distinct obligations depending on how legislators categorise their products. Those falling into the default “standard category” generally possess limited security relevance.

The specific requirements for companies under the Cyber Resilience Act depend on the categorisation of their products. Products in the “standard category”, which have basic security relevance, include everyday consumer electronics such as smartphones or laptops. The higher security category, “critical class 1”, includes products such as network firewalls or data encryption software, which play a more important role in the security infrastructure and are therefore subject to stricter requirements. For this category, it is often necessary to have a conformity test carried out by external bodies or to use harmonised standards. Products in “very critical class 2” that are used in industrial contexts, such as SCADA (Supervisory Control and Data Acquisition) systems for the control of production processes, require mandatory external verification of their security standards. Products that fall under Annex III(a) and contain components that are important for the security of critical infrastructure must – if available – use a specific certification system, otherwise the strict requirements of class 2 apply.

The EU Cyber Resilience Act – Product security in the digital age

In the future, companies whose products fall into these categories must ensure a high level of cybersecurity throughout the entire product lifecycle. Integrating security into the development process of new products from the outset is crucial, in keeping with the principle of “security by design.” Additionally, products must remain secure during delivery, maintenance, and disposal. Comprehensive documentation of regularly conducted risk assessments is mandatory, and reporting of exploited vulnerabilities must occur within a 24-hour timeframe. Manufacturers are responsible for identifying and rectifying security vulnerabilities for a minimum of five years or during the expected product lifetime, ensuring the provision of appropriate security updates. This requires an organisation to establish the necessary resources and processes well in advance.

Given this extensive list of obligations, it is imperative that affected companies proactively address regulatory pressure and meticulously review their product portfolio. Those who do not make use of the time buffer before the CRA comes into effect risk facing fines, product recalls, or costly rework. There is also the possibility of new products being denied CE labelling. Therefore, it is advisable to review your own product portfolio against the regulation, perform risk assessments, and prepare the required documentation to demonstrate conformity.

Contact us

Dr. Oliver Hanka

Partner, Cyber Security & Privacy, PwC Germany

Tel: +49 160 5105836

Marc Oliver Brock

Senior Manager, PwC Germany

Tel: +49 1511 5866177