Cyber Resilience Act: networked products must soon be better secured
The EU regulation on cyber resilience has come into force. In future, manufacturers of networked products must offer a minimum level of cyber security.
Products "with digital elements" such as software will soon only be allowed on the market in the EU if they meet minimum cyber security requirements. This is provided for in the Cyber Resilience Act (CRA), which came into force on Wednesday. Manufacturers now have up to 36 months – i.e. until December 2027 – to adapt networked products to the new requirements. As a rule, these must then be supplied with security updates for at least five years. It is up to manufacturers to take responsibility for the cyber security of their products and applications over their entire life cycle ("security by design"). The regulation on cyber resilience also obliges importers and retailers. In future, products bearing the familiar CE mark must generally be secured against IT attacks.
From September 2026, EU manufacturers will also have to report actively exploited vulnerabilities and serious security incidents in connection with their digital products to the relevant authorities, such as the Computer Security Incident Response Team (CSIRT) of the German Federal Office for Information Security (BSI). The list of device classes and software covered is long. It ranges from computers and servers to baby monitors and "smart" doorbells. One focus is on the Internet of Things and "plastic routers", which are often easy to attack because of the many security vulnerabilities built into them. Merely making open source software available is not covered, as long as the manufacturers do not intend to make a profit from it. Free software that a public administration develops exclusively for its own use is also excluded.
BSI wants to take over supervision in this country
The CRA is a regulation that applies directly in all EU member states within the transitional periods provided for. In Germany, however, politicians still have to appoint a national market surveillance authority to ensure that manufacturers and retailers comply with the requirements. The BSI is positioning itself for this. "As the central cybersecurity authority of the federal government, we have extensive experience in securing digital products and processes," emphasizes Gerhard Schabhüser, Vice President of the Bonn office.
The product-related requirements of the CRA and those of the IT security label issued by the BSI are already largely identical. The office has published a technical guideline (TR-03183) to make the requirements of the regulation more tangible. The reformed Product Liability Directive, which also provides for claims for damages in the event of defective IT products, came into force on Sunday.
(vbr)