Product Security Developments

While the Cyber Resilience Act (CRA) is the first comprehensive regulation of its kind, setting strict cybersecurity requirements for a huge range of digital products and having a global impact, this is only the beginning!

Other major markets including the United Kingdom, United States, Australia, Japan, and several Asian countries are introducing or planning their own regulations aimed at securing digital and connected products. These regulatory initiatives have their own timelines and specifics; some are very lightweight and many focus mainly on consumer IoT. The CRA sets the highest bar, both in terms of its much stricter security requirements and its broad coverage of digital products. The CRA uses the CE mark as the mechanism for conformity and ensures there is a legal and commercial requirement for manufacturers to embed cybersecurity into their product development lifecycles.

There are also significant requirements around co-ordinated vulnerability disclosure and vulnerability reporting that become mandatory earlier, in September 2026 (Art. 71). This is significant, and it is the only obligation that also applies to legacy products, in relation to actively exploited vulnerabilities (Art. 69).

Introduction

One thing is for sure: product security is a major headache for consumers and businesses. Up until now, digital products have often been released with known vulnerabilities that are exploited by cybercriminals, leaving businesses struggling to keep up with security patching and consumers largely unaware of the danger. This issue spans from tech giants like Microsoft to small businesses. The CRA is first-of-its-kind legislation anywhere in the world. It pushes the responsibility back to the manufacturers, distributors and importers of digital products. It mandates “security by design and by default” as a prerequisite for accessing the EU single market, and this will now affect product developers globally.