# CYBER RESILIENCE & CYBERSECURITY

Cyber resilience and cybersecurity are essential for companies in all industries. In the European Union, the Cyber Resilience Act (CRA), the NIS2 Directive, the AI Act, the New Product Liability Directive and the DORA Regulation place particularly high demands on IT security and risk management. Violations can have serious consequences, including heavy fines and liability risks for companies and their managers. Your company could be affected by the following regulations:

## Cyber Resilience Act

Leupold Legal supports manufacturers of products with digital elements, such as smart home appliances, smartphones, smartwatches, smart toys and computer games, in

  • ensuring compliance with the legal requirements for the cybersecurity of their products, which must already be built in during the design phase if the products are to be placed on the market from 2027,
  • complying with their documentation, information and reporting obligations,
  • fulfilling their obligations to provide regular updates and to disclose vulnerabilities in their products.

## NIS2 Directive

Leupold Legal advises the management bodies of essential and important entities on fulfilling their legal risk management and reporting obligations under the NIS2 Directive. The number of obligated entities has increased from 1,900 to around 30,000, including but not limited to entities in the following sectors:

  • Energy
  • Transport
  • Banking
  • Healthcare
  • Digital infrastructure (e.g. cloud service providers).

Companies can use the online check provided by the Federal Office for Information Security (BSI) to determine whether they are affected by the NIS2 Directive. However, this is only an initial guide. The BSI recommends that affected companies seek external advice if necessary to identify any need for action.

## AI Act

The EU’s AI Act also imposes cybersecurity requirements. Leupold Legal tells you what needs to be done to comply.

## Product Liability Directive

Products that do not meet the relevant cybersecurity requirements can, under the new EU Product Liability Directive, trigger strict liability on the part of the manufacturer, importer and other economic operators for resulting damages.

This is of particular importance for software-as-a-service (SaaS) products, whose cybersecurity must be established for the entire duration of their use.

Leupold Legal will tell you what you need to do to achieve this and how you can avoid product liability in other cases by taking the right measures.

## DORA

Leupold Legal advises financial companies on compliance with their special IT security obligations under the European Digital Operational Resilience Act (DORA), which has been applicable since 17 January 2025. This includes, in particular, advice on the DORA requirements for

  • establishing comprehensive ICT risk management,
  • handling, classifying and reporting (serious) ICT-related incidents,
  • testing digital operational resilience,
  • monitoring third-party service providers,
  • the emergency strategy for maintaining ICT business continuity.

Leupold Legal supports you in complying with your cyber resilience and cybersecurity obligations with

  • Advice on implementing regulatory requirements and on the compliance obligations of management and their personal liability
  • Development of cybersecurity and resilience strategies
  • Legal support in certification and compliance procedures
  • Drafting contracts with (third-party) service providers and cloud providers, in particular to ensure compliance with appropriate information security standards and to avoid ‘lock-in’ effects
  • Preparation for official inspections and audits
  • Advice on how to respond to reportable cyber incidents and how to avoid heavy fines and reputational damage.

Protect your company from cyber threats and legal risks.

T +49(0) 89 64 95 65 63

## FAQ on cyber resilience and cybersecurity

Notably, the CRA requires manufacturers to ensure that their products have been designed, developed and produced in accordance with essential cybersecurity requirements before they are placed on the market. These requirements are subject to a comprehensive cybersecurity risk assessment, and manufacturers must provide security updates to remediate vulnerabilities and ensure that products remain safe throughout their lifecycle. Important products with digital elements, such as security software, smart home products with security features (for example smart door locks and baby monitoring systems) and personal wearable health technology, must meet additional requirements. The CRA requires a special European cyber certificate for critical products with digital elements, such as smartcards.

Yes, the CRA applies to both hardware and software products with digital elements, including software-only products.

The NIS2 Directive obliges EU Member States to ensure that essential and important entities take appropriate and proportionate technical, operational, and organisational measures to manage cyber security risks, and to prevent or limit the impact of cyber security incidents on their service recipients. These measures include the implementation of security policies, incident handling, business continuity measures, supply chain and network security, and cybersecurity training for employees, as well as basic security practices such as the use of multi-factor authentication. Essential and important entities are also subject to reporting obligations in the event of a security incident and must inform recipients of their services about cyber threats and the measures they can take in response to such threats.

In Germany, the regulation that implements the NIS2 Directive requires important and essential entities, as well as domain name registries, to register with the Federal Office for Information Security (BSI). If they do not comply, the BSI can register them itself and impose an administrative fine.

No, principals such as OEMs should ensure they have the right to conduct audits and exercise these rights to verify their suppliers’ compliance with NIS2. Furthermore, principals should require their suppliers to report security incidents promptly and provide all necessary information and support to fulfill their reporting obligations.

The NIS2 Directive establishes multi-stage reporting obligations in the event of an incident. Important and essential entities must first submit an early warning to the computer security incident response teams (CSIRTs) established by Member States within 24 hours of becoming aware of an incident. They must also submit an incident notification within 72 hours, which provides an update on the prior warning. A final incident report is due one month after submitting these notifications.

The CRA holds manufacturers responsible for ensuring product cybersecurity and fulfilling reporting obligations. The NIS2 Directive obligates Member States to ensure that management bodies of important and essential entities can be held liable for infringements of their cybersecurity and risk management obligations. The legal representatives and individuals responsible for an essential entity can be held personally liable for breaching their duties to ensure compliance.

Entities that do not comply with the essential cybersecurity requirements under the Cyber Resilience Act are subject to administrative fines of up to 15 million euros. The NIS2 Directive requires Member States to impose administrative fines of at least 10 million euros or 1.4% of an entity’s total worldwide turnover from the preceding financial year on entities that fail to meet the essential cybersecurity requirements.

Although ISO/IEC 27001 establishes a robust framework for information security management, adherence to EU regulations such as the CRA necessitates supplementary measures tailored to product security.

Additionally, the GDPR mandates transparency about automated decision-making processes, including providing meaningful information about the logic involved.

KRITIS sectors include energy; information technology and telecommunications (ICT); transportation and traffic; health; media and culture; water; food; finance and insurance; waste management; and state and administration. Operators of facilities in these sectors must take appropriate and proportionate technical, security and organisational measures to prevent security incidents, ensure adequate physical protection of their property and critical assets, and respond to security incidents and limit their negative effects. They must also take measures to ensure the rapid restoration of critical services following security incidents. These obligations are governed by the new KRITIS umbrella law (“KRITIS-Dachgesetz”), which transposes EU Directive 2022/2557 into German law.

Please note that these answers to frequently asked questions do not constitute legal advice and are not a substitute for legal advice. If you need legal advice on specific issues, please contact us.
