Cyber Resilience Act – new challenges in the development of connected products

While the NIS-2 regulations address cybersecurity in Europe at an organizational and procedural level, the recently enacted Cyber Resilience Act (CRA) focuses on the end products. With the new regulations, the EU is getting serious about cybersecurity: the requirements are now more clearly structured, apply to more areas, and breaches are more heavily sanctioned. The aim is to make the internal market more resilient and ensure it retains the capacity to act in the future.

The CRA applies to all products sold with digital components that can be connected to a network or to other devices.

This includes:

  • Hardware, such as laptops, smartphones, IoT devices, microprocessors, etc.
  • Software products, such as mobile apps, accounting software, computer games, but also Software-as-a-Service (SaaS) applications that are directly connected to a device (e.g., fitness software)

The regulations apply to consumer products and B2B solutions, regardless of their cost. The CRA has, therefore, far-reaching consequences for manufacturing companies worldwide that want to sell their products on the EU market.

Violations can result in severe penalties:

  • Fines of up to €15 million or 2.5% of global annual turnover.
  • If the security defects cannot be remedied, the products must be recalled and withdrawn from the market.
  • Company management can be held personally liable if it violates its duty of care.

However, the new requirements also offer opportunities for manufacturers who integrate appropriate security measures into product development from the start, enabling them to stand out from the competition in a newly regulated market. Learn about the most important requirements of the Cyber Resilience Act and how individually developed software for your products can help your company overcome its biggest challenges.

What are the product security requirements of the Cyber Resilience Act?

The CRA aims to strengthen cyber resilience throughout the product lifecycle. The specifications are diverse, affecting not only the finished product, but also the development, configuration, and after-sales support. In combination with NIS-2 and other regulations, EU rules now cover all aspects of information security, meaning that every organization will have to deal with cybersecurity in the future.

Let’s take a closer look at the key contents of the CRA:

1. Secure by Design

The Secure by Design principle from software development stipulates that cybersecurity aspects guide the product development process right from the conception phase. According to common best practices, appropriate security procedures should be selected and applied during development and production.

It is advisable for industrial companies to build on internationally recognized standards that provide guidance in various areas, including:

Relevant industry standards must be met for all products covered by the CRA within the framework of the mandatory CE marking, enabling companies to prove implementation of the required Cyber Resilience Act measures. These must be fully documented and submitted to receive product approval.

2. Vulnerability management and security updates

According to the conditions of the CRA, there must be no known vulnerabilities in the product at market launch. In addition, companies must demonstrate processes for continuously identifying and remediating vulnerabilities.

If a new security vulnerability is identified, the company is obliged to provide security updates free of charge and roll them out automatically to the devices or software. These automatic updates are activated by default. However, users should have the option of rejecting or postponing updates.

3. Secure configuration and access control

Manufacturers are called upon to create secure factory settings and offer a way to reset to factory settings. Standard passwords such as “admin” or “0000” may not be used in the factory settings, or users must be prompted to change them during the initial set-up.

In addition, access to sensitive data must be adequately protected with appropriate measures against brute-force attacks, such as rate limiting, minimum password lengths, and encrypted authentication methods.
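The three factory-setting and access-control requirements above (no usable default credential, a forced change at initial set-up, minimum length, and rate limiting of failed logins) can be enforced in one small login gate. The following is an added illustration, not code from the article or from TRIOVEGA; the default-password denylist, the thresholds and the PBKDF2 parameters are constructed assumptions, and the clock is injectable so the lockout window can be exercised offline.

```python
import hashlib, hmac, os, time

# Constructed denylist of well-known factory defaults (not from the article).
FACTORY_DEFAULTS = {"admin", "0000", "1234", "password"}
MIN_PASSWORD_LEN = 12
MAX_FAILURES = 5        # failed attempts tolerated per source ...
WINDOW_SECONDS = 300    # ... within this sliding window
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 with a random per-credential salt."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def password_acceptable(password: str) -> bool:
    """Reject known factory defaults and passwords below the minimum length."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in FACTORY_DEFAULTS

class DeviceAuth:
    def __init__(self, initial_password: str, now=time.monotonic):
        self.now = now  # injectable clock, so the lockout window is testable
        self.salt, self.digest = hash_password(initial_password)
        # A factory-default credential must be replaced during initial set-up.
        self.must_change = not password_acceptable(initial_password)
        self.failures = {}  # source -> timestamps of recent failed attempts

    def _recent_failures(self, source: str) -> list:
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[source] = [t for t in self.failures.get(source, []) if t > cutoff]
        return self.failures[source]

    def login(self, password: str, source: str) -> str:
        """Returns 'locked', 'denied', 'change_required' or 'ok'."""
        if len(self._recent_failures(source)) >= MAX_FAILURES:
            return "locked"  # rate limit: refuse even a correct password
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            self.failures[source].append(self.now())
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str, source: str) -> bool:
        """Requires the current password and an acceptable new one."""
        if self.login(old, source) not in ("ok", "change_required") or not password_acceptable(new):
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return True
```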

4. Monitoring and incident response

After the product has been rolled out or sold, manufacturers are obliged to take additional measures. This includes continuous monitoring of all security-related activities, for example user authentications or network traffic, to detect anomalies.

To be clear, the responsibility for monitoring lies directly with the manufacturer. It is not enough to provide the buyer or user with the opportunity to do so. However, users must be granted access to the logged data, and it must be possible to deactivate monitoring.
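The monitoring obligation above has three parts: detect anomalies in security-related events such as authentications, give the user access to what was logged, and let the user switch monitoring off. The following is an added example (not code from the article or TRIOVEGA) that runs two simple anomaly rules over a constructed authentication log; the line format, thresholds and "off-hours" window are assumptions.

```python
import re
from collections import Counter

# Constructed sample of device authentication events (not real log data).
SAMPLE_LOG = """\
2025-03-01T08:00:01Z auth user=operator src=10.1.2.3 result=ok
2025-03-01T08:00:05Z auth user=admin src=203.0.113.7 result=fail
2025-03-01T08:00:06Z auth user=admin src=203.0.113.7 result=fail
2025-03-01T08:00:07Z auth user=root src=203.0.113.7 result=fail
2025-03-01T08:00:08Z auth user=service src=203.0.113.7 result=fail
2025-03-01T08:00:09Z auth user=operator src=10.1.2.3 result=ok
2025-03-01T03:15:00Z auth user=maintenance src=10.1.2.9 result=ok
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")

class AuthMonitor:
    """Manufacturer-side monitor with an exportable record and an off switch."""

    def __init__(self, fail_threshold: int = 3, off_hours=range(0, 6)):
        self.enabled = True           # the user must be able to deactivate monitoring
        self.fail_threshold = fail_threshold
        self.off_hours = off_hours    # UTC hours in which a successful login is unexpected
        self.events = []              # retained so the user can inspect what was logged

    def ingest(self, line: str):
        """Parse one log line; returns the event dict, or None if disabled or unparseable."""
        if not self.enabled:
            return None
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        self.events.append(m.groupdict())
        return self.events[-1]

    def export(self) -> list:
        """Grant the user access to the logged data."""
        return list(self.events)

    def findings(self) -> list:
        """Two simple anomaly rules: failure bursts per source, successes in off-hours."""
        out = []
        fails = Counter(e["src"] for e in self.events if e["result"] == "fail")
        for src, n in fails.items():
            if n >= self.fail_threshold:
                out.append(("failure_burst", src, n))
        for e in self.events:
            hour = int(e["ts"][11:13])   # hour field of the ISO-8601 UTC timestamp
            if e["result"] == "ok" and hour in self.off_hours:
                out.append(("off_hours_success", e["user"], e["ts"]))
        return out
```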

Serious security incidents and actively exploited vulnerabilities must be reported within 24 hours to the European Union Agency for Cybersecurity (ENISA), even on weekends and public holidays. While the incident is being dealt with, core features of the product must continue to work.

5. Lifecycle Management

As we can see from the requirements outlined above, manufacturers will be responsible for the entire lifecycle of their digital products in the EU. An appropriate time frame for technical support must, therefore, be defined.

If the product reaches its End of Life (EOL) status, mechanisms must be in place that allow users to delete all data or, if necessary, transfer it to their own systems.

Challenges for the industry

The EU’s new cybersecurity directives are demanding for manufacturing companies. Ever more devices and products must contain digital components for companies to survive in dynamic markets. These changes require the long-term development of skills that have long played a minor role in conventional manufacturing industries. Companies must find and train skilled workers, retrofit production lines, and adapt organizational structures. The strict and detailed cybersecurity requirements are an additional pressure point.

However, the shifting market conditions also offer opportunities for industrial companies that embrace the changes and make the right investments. Stronger cyber resilience not only ensures long-term business success, but also allows companies to capture additional market share by adapting products to the new requirements and bringing them to market before the competition.

Seize the opportunities of the CRA – with individual solutions

Software partners who are familiar with the specific needs of the manufacturing industry, such as TRIOVEGA, are ready to help you transition to a digital future. With Custom Software Solutions, we develop the software solutions you need for your products. We can provide complete projects or sub-components, without vendor lock-in, or help strengthen your team with targeted measures from highly experienced specialists. First, our Requirement Engineers analyze the initial situation of your software application, taking security considerations into account right from the start and integrating them into project planning: secure by design, as required by the Cyber Resilience Act. Let’s talk about your project.


Most of the security measures outlined in the CRA require a self-assessment by the manufacturing company. This can be a challenge if the company has limited in-house experience with digital products. Partners with expertise in cybersecurity for industrial environments can help you select the right level of security to cost-effectively and accurately meet all regulatory requirements.

With targeted investments, you can take advantage of the opportunities offered by secure, individual software development in the implementation of the CRA.

Author: René Janz

René Janz is an industrial engineer with extensive knowledge of the shop floor. He has been with TRIOVEGA GmbH since 2023, and as Director Business Development, René is responsible for the strategic expansion of OT security and digitalization in the production industry.
