Cyber Resilience Act: BSI becomes digital TÜV for networked products

The German government is initiating the implementation law for the EU's Cyber Resilience Act and wants to make the BSI the central market surveillance authority.


The German government has paved the way for comprehensive regulation of cybersecurity for networked products in Germany. With the draft of a law for the implementation of the EU's Cyber Resilience Regulation (Cyber Resilience Act), the Federal Office for Information Security (BSI) is to become the central authority for security in the digital internal market.

According to the government draft presented by the Federal Cabinet on Wednesday, the BSI will assume a dual role as market surveillance and notification authority. The Bonn-based office will thus receive far-reaching powers to ensure that products with digital elements – from smart refrigerators to industrial controls – meet the EU-wide minimum cybersecurity requirements.

The initiative follows the principle of a one-to-one implementation of the European requirements. The government is deliberately refraining from introducing additional national requirements to keep the bureaucratic burden on businesses low. The Cyber Resilience Act (CRA) obliges manufacturers to consider security aspects from the design stage (Security by Design), conduct risk assessments, and provide security updates throughout a product's lifecycle.

The new reporting obligation for actively exploited vulnerabilities is particularly relevant. It will apply from September 11, 2026. The full requirements will only become binding from December 2027.

To manage this mammoth task, a significant increase in personnel is planned. The BSI is to receive 95 additional positions this year for the new tasks. By 2029, this need will grow to a total of 141 positions.

In addition to monitoring product conformity, the BSI will establish a consumer complaint office. Furthermore, in the event of bottlenecks the authority will be empowered to evaluate and monitor testing bodies itself, provided there is a public interest in their notification.

A central component of the law is targeted support services. The BSI is tasked with offering awareness campaigns and training, which are explicitly aimed at small and medium-sized enterprises (SMEs) as well as administrators of open-source software.

A real-world laboratory for cyber resilience will provide manufacturers with a controlled environment to practically test the requirements of the regulation. The federal government estimates one-time costs of around 10 million euros for the establishment of this center and the notification of testing bodies.

The draft will now go to the Bundestag and Bundesrat. The Bundesrat does not have to approve the law. Members of parliament generally welcome the initiative but raise critical questions. Digital policy representatives from the governing coalition, such as Henri Schmidt (CDU), praise the support for SMEs and suggest expanding these offerings to other actors.


Meanwhile, the Greens are urging speed, as the EU notification regulations will take effect in June 2026. Digital policy spokesperson Jeanne Dillschneider warned in an interview with the SZ Dossier that the long transition periods could tempt companies to postpone necessary preparations. She draws parallels to the implementation of the NIS2 directive, where many organizations missed reporting deadlines. Early preparation of testing structures is necessary to avoid bottlenecks in product certification.

(mki)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.