Ready for the Cyber Resilience Act?

Digital security will soon become a key requirement for smart products. If a product does not comply with the regulations, companies will no longer be allowed to sell it in the EU.

What is the Cyber Resilience Act?

The new European regulations from the Cyber Security Initiative were adopted by the EU Parliament in mid-March 2024 and are due to come into force in 2027.

It states that from 2027, all products and devices with digital elements may only be sold in the EU if regular security updates can be installed.

With the Cyber Resilience Act, the EU intends to encourage European companies and the economy as a whole to adopt higher security standards. The concept of "security by design & security by default" is intended to help ensure that security aspects are already taken into account during product development. The effects of the legislation can be serious. Porsche, for example, is stopping sales of the Macan in the EU because it cannot guarantee that it can be updated.

Are you affected by the regulations?

The answer to this is comparatively simple: if you want to sell devices in the EU in 2027 or later that have digital elements - i.e. a combination of hardware and software - then yes. This now applies to almost all devices that have a certain level of intelligence.

Particular attention is being paid to so-called "connected products". These are all products that have an interface. These include Wi-Fi, LAN, NFC, but also all industrial interfaces such as Modbus, CAN and RS485.

What does this mean for you as a manufacturer?

The legislator will oblige you as a manufacturer to install security-relevant updates in your devices at short notice and at regular intervals (the details are still being worked out) - free of charge.

How you do this is up to you. For example, you can send service technicians to your customers to install software updates - but this is very cost-intensive and will meet with little understanding from your customers in the future.

The complexity does not lie in the technical implementation of the update capability - many devices can already do this nowadays. It is much more important to optimize the entire software lifecycle process. This includes the following important aspects:

  • Clearly defined development processes
  • Scalable software architecture (maintainability and expandability)
  • Continuous integration and continuous deployment pipelines (& DevOps)
  • Automatic CVE tracking
  • Automatic tests (unit tests to system tests)
  • Over-the-air update capability of devices
  • Documentation and action plan for cyber security incidents

With the Cyber Resilience Act, the software lifecycle is becoming an important part of product development and maintenance. Manually checking for existing security vulnerabilities and providing cyclical updates with high software quality take a lot of time. However, there are a number of levers that can be used to (partially) automate and optimize many of the aspects mentioned above.

Our offer for you

As blue-zone, we support our customers in these areas both in consulting and in the implementation or development support for their smart products. This applies both to the development of new products and to the updating of existing products to make them fit for the Cyber Resilience Act.

Your contact person

Andreas Lehner, MSc

Head of Innovation, Sales

blue-zone GmbH

T +43 7236 78500-25