This article looks at the security risks of “products with digital elements” and provides an overview of the obligations under the EU Cyber Resilience Act that manufacturers must be prepared to meet to ensure compliance.
The risks of a connected world that can't be ignored
An accelerator of cyber risks in both the commercial and private domains is the ubiquitous Internet of Things (“IoT”). In the commercial domain, data-driven manufacturing processes, predictive maintenance of machines and the digital transformation of logistics have paved the way for an ultra-connected economy. Connected devices have also penetrated private homes and public infrastructure. Because connected devices have become the “new normal”, we don’t even think of them as such. Sure, your latest smartphone is one, but so is your smart watch, your baby monitor, your car, the door lock to your house (unless you still use an old-fashioned physical key), your robot vacuum cleaner, your smart toothbrush – you get the idea (and the list goes on).
This trend towards connected, ‘smart’ products can be seen as a logical consequence of the information age, but these devices are notoriously vulnerable to cyber-attacks.
Although the reports of 3 million smart toothbrushes allegedly being hijacked by hackers for a distributed denial of service (DDoS) attack on a Swiss company turned out to be a possible scenario rather than an actual incident, it perfectly illustrates how seemingly harmless gadgets that we use without thinking can indeed be turned into tools of destruction.
And this is actually happening: According to another recent report, the smart home solutions offered by Bitdefender block an average of 2.5 million security threats every 24 hours, or roughly 1736 threats per minute (without their users even knowing).
Most recently, in February 2025, it was reported that Wi-Fi network names, passwords, IP addresses and device IDs of smart lighting devices had been compromised. Overall, 2.7 billion records had been exposed.
Get your candles ready.

It may sound a bit dystopian, but it is not far-fetched that (state) terrorist attacks could not only disrupt public infrastructure, as shown in the Netflix series “ZERO DAY”, but could also turn self-driving vehicles into weapons and take us back to a time when everything was analogue rather than digital.
But unlike then, there are no more analogue phone lines to withstand an attack or, heaven forbid, even a fax. In a world where everything is connected, cyber-attacks can bring public life to a screeching halt and force us to light the candles again. For too long, convenience has trumped security and smart home devices have been designed predominantly with functionality in mind, so it’s no surprise that hackers are exploiting their vulnerabilities, of which there are many.
What is the purpose of the EU Cyber Resilience Act and when does it apply?
The new EU Cyber Resilience Act (“CRA”) aims to raise consumer awareness of the security risks associated with so-called “products with digital elements” and to make them safer to use. It is an EU Regulation that does not require transposition into the national laws of EU Member States. It entered into force on 10 December 2024, but most of its provisions will apply from 11 December 2027. However, as the law requires “security by design” of the products to which it applies, manufacturers of such products should familiarise themselves with their obligations under the law as soon as possible to ensure that their products are designed from the outset with cybersecurity in mind.
Which products are governed by the Cyber Resilience Act?
The Cyber Resilience Act applies to all “products with digital elements” that are made available on the Union market if their intended or reasonably foreseeable purpose includes a direct or indirect logical or physical data connection to a device or network. A “product with digital elements” can be any software or hardware product and its remote data processing solutions even if they are provided separately. The scope is as broad as possible and notably includes any software or hardware that can be connected to the internet, even if it is currently only run or used locally. It also covers services provided to the users of the product, such as the processing of health data collected by smart watches by their manufacturers to provide training plans or training statistics.
Who must comply with the Cyber Resilience Act?
First and foremost, manufacturers of products with digital elements, but also distributors and importers of such products. And make no mistake: Even if you do not make the product yourself but outsource its production to a contract manufacturer, you are still considered a manufacturer under the Act, and the same applies if you market so-called white-label products that are made by somebody else under your own trademark.
What obligations does a manufacturer have under the Cyber Resilience Act?
The EU Cyber Resilience Act notably requires the manufacturer to
- ensure that his product has been designed, developed and produced in such a way that it has an appropriate level of cybersecurity (“cybersecurity by design”)
- make his product available on the market without known exploitable vulnerabilities
- make his product available with a configuration that is secure by default and can be reset (“cyber security by default”)
- ensure that vulnerabilities can be addressed through (automatic), optional security updates
- prevent unauthorized access by suitable control mechanisms such as authentication, identity or access management systems
- ensure data confidentiality by encryption in transit and at rest or other suitable measures
- ensure data integrity by preventing its manipulation or modification
- adhere to the principle of data minimization by processing only such data that is needed for the intended purpose of his product
- ensure data availability even after an incident through resilience and mitigation measures against denial-of-service attacks
- minimise any adverse effects of his product on the availability of other devices or networks
- design, develop and produce his product in a way that limits its “attack surfaces” and that reduces the impact of an incident by appropriate exploitation mitigation mechanisms and techniques
- provide security-related information on the access or modification of data to users
- enable users to securely remove all data and settings from the product and ensure that any possible transfer to another product or system can be executed in a safe manner.
Add to these obligations the vulnerability handling requirements in Part II of Annex I which, inter alia, provide for a “software bill of materials” as well as effective and regular product security tests, and you will begin to understand that the manufacturer's core duties under the Cyber Resilience Act are fairly complex. But it doesn't stop there. Among many more obligations, the manufacturer must also carry out a cybersecurity risk assessment for his product and comply with comprehensive documentation duties. And last but not least, manufacturers must carry out a comprehensive conformity assessment and fulfil reporting obligations.
Without going into too many details here, manufacturers must in particular notify any actively exploited vulnerability contained in their product with digital elements that they become aware of to not one, but two supervisory authorities:
- the new computer security incident response teams (“CSIRTs”) that EU Member States have to designate in accordance with the NIS2 Directive and
- the European Union Agency for Cybersecurity (ENISA).
According to the legal definition of the Cyber Resilience Act, an ‘actively exploited vulnerability’ is a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner. In most other respects, the manufacturer's reporting obligations under the Cyber Resilience Act are quite similar to those set forth in the NIS2 Directive and covered in part 1 of this post.
It is also worth noting the minimum information and instructions that must be provided with any product containing digital elements. According to Annex II of the EU Cyber Resilience Act, this includes not only the information already contained in user manuals, but also information on the intended use and any reasonably foreseeable misuse that could lead to significant cybersecurity risks, detailed instructions on the safe use of the product, including but not limited to security updates, as well as instructions on the safe decommissioning of the product with digital elements.
Important products with digital elements listed in Annex III to the EU Cyber Resilience Act such as password managers, security software, operating systems, internet access routers and modems, smart home assistants and smart home products with security functionalities as well as connected toys and wearables to name but a few, are subject to particular conformity assessment procedures.
Critical products with digital elements listed in Annex IV of the EU Cyber Resilience Act, such as smart cards, may be required to obtain a European Cybersecurity Certificate if the EU Commission so provides.
What are the consequences for failing to comply with the EU Cyber Resilience Act?
Depending on the specific obligation ignored, non-compliance can result in administrative fines of up to EUR 15,000,000 or, if the offender is a company, up to 2.5% of its total worldwide annual turnover in the preceding financial year, whichever is the greater. As the market surveillance authorities of the EU Member States may also require the withdrawal from the market or recall of products with significant cybersecurity risks, non-compliance with the EU Cyber Resilience Act may seriously disrupt the distribution of products with digital elements in the Union market.