New Cyber Resilience Act: The Ultimate Guide about EU Cybersecurity

With the implementation of the Cyber Resilience Act (Regulation EU 2024/2847), the European Union is setting new benchmarks for digital product security. This guide covers everything you need to know to comply with the regulation, protect your products, and strengthen consumer trust.

Inmaculada Antequera

1/17/2025

A hand holding a smartphone with various IoT devices in the background.
Table of Contents

  1. Introduction: What is the Cyber Resilience Act?

  2. Key dates of applicability

  3. Which products must comply with the EU Cybersecurity Act?

  4. Checklist: Does the regulation apply to my product?

  5. Risk level classification

  6. Essential requirements: what you cannot overlook

    • Part I: Cybersecurity requirements

    • Part II: Vulnerability management requirements

  7. Information requirements: Annex II

  8. Step-by-step guide to achieving compliance with the Cyber Resilience Act

  9. Conclusion

  10. Useful links

1. Introduction

The new EU Cyber Act, formally known as the Cyber Resilience Act (Regulation EU 2024/2847), is an innovative framework aimed at ensuring the cybersecurity of digital products within the European Union. This regulation encompasses both physical devices (hardware) and software, whether sold individually or as part of a system.

Primary Objective: To protect businesses and consumers by ensuring security updates throughout the product lifecycle.

Imagine a scenario where your smart home thermostat is hacked, exposing your personal data and compromising your safety. Thanks to the Cybersecurity Act, these risks will soon be significantly reduced.

2. Key Dates of Applicability

Preparing your business before these dates is critical:

  • 11 June 2026: Market surveillance and conformity assessment bodies begin enforcement.

  • 11 September 2026: Obligations relating to the reporting of exploitable vulnerabilities and cyber incidents come into effect.

  • 11 December 2027: Full enforcement of the regulation for all products with digital elements.

Practical Tip: Start preparations at least one year before each date to avoid disruptions.

3. Which Products Must Comply with the Regulation?

The European Cyber Resilience Act applies to a wide range of products with digital elements marketed in the EU, including:

  • Connected Hardware: Laptops, mobile phones, smartwatches, cameras, routers, smart speakers, hard drives, and IoT devices.

  • Software: Mobile applications, firmware, operating systems, and standalone programmes (e.g., video games, apps, educational platforms).

  • Products with Associated Applications: Smart thermostats, security cameras, and other devices dependent on an app for operation.

  • Security Devices: Firewalls, CPUs, and other essential cybersecurity management tools.

Exclusions

Some products are excluded, such as:

  • Those regulated under specific sectoral frameworks, like medical or aeronautical devices.

  • Open-source software that is not commercially distributed.

  • Test-phase products not intended for sale or end users.

Refer to Annexes III and IV for a full list of exclusions.

4. Checklist: Does the Regulation Apply to My Product?

4.1 Does your app or software interact with connected devices or hardware?

  • Yes: Proceed to the next question.

  • No: It is likely not covered by the regulation.

4.2 Does it handle personal or sensitive data?

  • Yes: Proceed to the next question.

  • No: It may be classified as low risk.

4.3 Does it have internet or external network connectivity?

  • Yes: Its risk level needs to be assessed.

  • No: It likely has fewer requirements.

4.4 Is it essential to the functioning of a physical device?

  • Yes: The regulation applies.

  • No: It may not be covered.

4.5 Does it provide remote configuration or control services for physical or digital products?

  • Yes: It is likely subject to the regulation.

  • No: It may not be covered.

Risk Assessment:

If you answered "Yes" to key questions, consider:

  • Could it be vulnerable to cyberattacks?

  • Does it directly impact critical safety functions?

  • Does it process sensitive data that could be exploited?

If any of these apply, you likely need to conduct a full compliance evaluation.

5. Risk Level Classification

The EU Cybersecurity Act categorises products with digital elements into three main risk levels, determining the necessary conformity assessment procedures.

5.1 "Default" Products

  • No critical vulnerabilities.

  • Require manufacturer self-assessment.

5.2 "Important" or "Critical" Products (Annex III)

Higher risk, divided into two classes:

  • Class I:

    • Includes products like password managers or biometric readers.

    • Compliance can be achieved by adhering to an EU standard or through third-party conformity assessment.

  • Class II:

    • Covers operating systems, firewalls, and routers used in industrial environments.

    • Requires conformity assessments by a notified body due to their higher risk level.

5.3 "Highly Critical" Products (Annex IV)

  • The highest risk level, often encompassing critical infrastructure or devices vital to national security.

  • Strict evaluation by a notified body is mandatory.

  • Examples: Industrial control systems or products used in sensitive sectors like energy or healthcare.

This classification ensures that digital products are evaluated according to their potential impact on cybersecurity.

Why It Matters: Higher risk levels demand greater scrutiny, providing enhanced customer confidence and safety.

6. Essential Requirements (Annex I)

6.1 Part I: Cybersecurity Requirements

Annex I of the European Cyber Resilience Act outlines the essential cybersecurity requirements that digital products must meet. These provisions aim to ensure that devices are secure by design and remain so throughout their lifecycle.

6.1.1 Risk Identification and Management

  • Conduct comprehensive risk analyses to identify potential vulnerabilities that could compromise the security of the product.

  • Regularly update products to address emerging cyber threats.

6.1.2 Secure Design from the Start

  • Implement secure default configurations to reduce the need for manual user adjustments.

  • Integrate protective measures from the earliest development stages, ensuring a security-by-design approach.

6.1.3 Protection Against Unauthorised Access

  • Establish effective mechanisms to restrict unauthorised access to devices and critical functions.

  • Use robust authentication methods and advanced encryption systems to protect sensitive data and prevent malicious access.

6.1.4 Security Updates

  • Ensure that products can receive security updates for at least five years after market release.

  • Design updates to be easy to apply, while ensuring their authenticity and integrity to prevent tampering.

6.1.5 Security Testing and Validation

  • Conduct rigorous evaluations before commercialisation, including penetration tests, attack simulations, and risk mitigation validations.

6.1.6 Transparency and Documentation

  • Maintain detailed documentation explaining the security measures implemented, the vulnerabilities detected, and how they have been mitigated.

  • Provide this information to both users and competent authorities during inspections.

6.2 Part II: Vulnerability Management Requirements

Annex I also requires manufacturers to adopt a comprehensive system for ongoing vulnerability management, designed to effectively prevent and mitigate risks.

6.2.1 Continuous Vulnerability Assessment

  • Continuously identify and document the vulnerabilities and the components contained in the product, so that newly disclosed weaknesses in any component can be traced back to the affected product.

  • Apply effective and regular security tests and reviews of the product throughout its support period, not only before release.

6.2.2 Update and Correction Mechanisms

  • Develop capabilities for performing secure remote updates, ensuring that products remain protected against new threats.

  • Ensure that updates are implemented with integrity and authenticity.

6.2.3 Coordination with Users and Stakeholders

  • Provide end users with clear and accessible channels to report vulnerabilities.

  • Implement a system to promptly receive, evaluate, and respond to vulnerability reports from users or third parties.

6.2.4 Documentation and Transparency

  • Record all detected vulnerabilities, corrective actions taken, and outcomes achieved.

  • Ensure this information is available for audits by competent authorities.

6.2.5 Supplier and Third-Party Management

  • Verify that components supplied by third parties meet the required security standards.

  • Establish ongoing monitoring and evaluation processes for suppliers to prevent risks associated with the supply chain.

7. Information Requirements (Annex II)

Annex II of the new EU Cybersecurity Act outlines the obligations for manufacturers to ensure that end users can operate digital products safely and comprehensibly.

7.1 Clear and Accessible Instructions

  • Manuals must provide simple, step-by-step guidance on how to configure products securely.

  • Instructions must be available in the official language of the countries where the products are marketed.

  • The instructions must ensure that all necessary security measures are enabled prior to use.

7.2 Documentation on Security Measures

  • Provide a detailed explanation of the product’s integrated security functionalities and how they mitigate risks such as unauthorised access or remote attacks.

  • The instructions must include information on how to activate and maintain advanced security configurations.

7.3 Update Information

  • Specify the duration of security update support.

  • Provide clear instructions on how to download and install updates.

  • Explain the impact of not installing updates on the product’s security.

7.4 Contacts for Reporting Vulnerabilities

  • Provide clear contact information for users to report vulnerabilities or security issues.

  • Implement a system to promptly manage and respond to reports received.

7.5 EU Declaration of Conformity and Technical Documentation

In addition to meeting the information requirements, manufacturers must prepare:

  • EU Declaration of Conformity (Annex V): Certifies that the product complies with all the requirements of the regulation.

  • Simplified EU Declaration of Conformity (Annex VI): A simplified version of the declaration included in the user manual.

  • Technical Documentation (Annex VII): Includes risk assessments, tests conducted, technical specifications, and mitigation measures implemented. This documentation must be available to competent authorities during inspections.

7.6 Transparency Obligations

  • Communicate the period during which the product will receive security updates and support.

  • Detail the privacy policies related to the data processed by the device.

8. Step-by-Step Guide to Achieving Compliance with the Cyber Resilience Act

Complying with the EU Cybersecurity Act may seem challenging, but by following these steps, your business will be ready:

8.1 Identify if your product is affected:

  • Verify if your product includes digital elements connected to the internet or networks.

  • Determine if it is designed to manage personal data or perform critical functions.

8.2 Assess the risks:

  • Classify your product according to its risk level (Class I, II, or Highly Critical).

  • Identify and evaluate the cybersecurity vulnerabilities of your digital products.

8.3 Implement mitigation measures for identified risks:

  • Develop specific strategies to address the vulnerabilities detected in your product.

  • Ensure these measures comply with the standards outlined in Annex VIII of the regulation.

8.4 Meet the information requirements (Annex II):

  • Prepare clear and accessible manuals for the secure configuration of the product.

  • Provide contact information for users to report vulnerabilities and ensure that processed data

8.5 Prepare the Technical Documentation (Annex VII):

  • Include product specifications, risk assessments, tests conducted, and update plans.

  • Ensure that the documentation is available for inspections by the authorities.

8.6 Draft the EU Declaration of Conformity (Annex V):

  • Ensure it contains all required information, such as product identification, applicable standards, and details of the manufacturer or authorised representative.

  • Prepare a simplified version (Annex VI) for end users.

8.7 Conduct conformity tests:

  • Perform the necessary tests according to the regulation’s standards, specified in Annex VIII.

  • Ensure your product meets the requirements before marketing.

8.8 Apply the CE marking:

  • Once the product meets all requirements, affix the CE marking visibly and in compliance with the regulation.

8.9 Establish a support plan:

  • Design a programme to provide security updates and technical support throughout the product lifecycle (minimum of 5 years).

  • Inform users about available updates and their importance in maintaining product security.

8.10 Appoint an authorised representative (if you have no EU-based office):

  • Appoint an authorised representative to act as a liaison with authorities.

  • This representative will also maintain the technical documentation and the EU Declaration of Conformity for at least 10 years, facilitating inspections and verifications.

9. Conclusion

The new European Cybersecurity Act is not just a regulation; it is your opportunity to stand out. Complying with its standards not only protects your products and customers but also strengthens trust in your brand in a market where security is a top priority.

Every step, from identifying affected products to ensuring continuous support, positions your company as a reliable leader in cybersecurity and cyber resilience. Being proactive not only helps you avoid penalties but also allows you to turn security into your competitive advantage.

10. Useful Links

Visit our blog for more information on regulations and cybersecurity

Case Studies and Practical Examples

You are a manufacturer of pet security cameras and have just received a large order from a distributor in Germany. Excited, you start production. However, everything comes to a halt at customs. European authorities request compliance documentation and an authorised representative within the EU to validate that your products meet CE marking requirements. Without this crucial figure, your products cannot enter the European market.

You have been selling smart speakers through your Amazon Europe store, and business has been going well. But one day, you wake up to an alarming email: Amazon has suspended the sales of your products. The reason? You have not appointed an authorised representative in the EU, and your products fail to meet minimum cybersecurity requirements. The result: loss of inventory, unexpected costs to resolve the issue, and a loss of trust from your loyal customers.

Frequently Asked Questions (FAQs)

How can I determine if my digital product must comply with the new Cybersecurity Act?

If your product connects to the internet, uses applications, handles personal data, or interacts with other devices, it is highly likely that this regulation applies to it. Additionally, products like IoT devices, apps associated with products, and security systems are clearly within its scope.

What steps can I take to ensure compliance during product design?

The key is to think about security from the very beginning. Design your product with secure default configurations and ensure it can easily receive updates. Identify potential weaknesses during the prototype stage and conduct tests to anticipate any threats.

What are the essential cybersecurity requirements I cannot overlook?

There are three critical aspects: protect against unauthorised access, manage risks from the design phase, and maintain security updates for at least five years. Before launching your product, test its security rigorously, as if you were trying to "break it."

What impact does this regulation have on IoT devices and their security?

This regulation makes security a priority for IoT devices. What does this mean? Devices must be secure from their design stage, receive updates for several years, and be prepared to withstand hacking attempts.

What actions should I take before the regulation’s key dates?

Do not wait until the last minute. Start by determining whether the regulation applies to your product and classify its risk level. Then, create a clear plan: implement the necessary security measures, prepare all the documentation required by law, and conduct tests to ensure everything is in order. Starting at least a year before the key dates will help you avoid surprises and keep your business running smoothly.

How should vulnerabilities detected after a product's commercial release be managed?

No product is perfect, but preparation is key. If a vulnerability is discovered, an effective monitoring system will allow you to detect it quickly. Additionally, having clear channels for receiving reports from users and experts enhances your ability to respond promptly to security flaws.