The EU's Cyber Resilience Act is expected to be adopted in 2024 and will come into effect with a transition period of 36 months. For manufacturers and retailers, this means: new obligations and regulations. Proper preparation is needed for successful implementation.
The Cyber Resilience Act creates new requirements and security standards that hardware and software must meet before they can be sold.
Dr. Oliver Hanka is a partner at PwC Germany and an expert in product and industrial security.
With the digital transformation come many new challenges for companies. This is especially true for industry, because as the transformation accelerates, so do the risks of cyber attacks on hardware and software. Security gaps in operational technology, for example, allow unauthorized access to security-relevant areas such as industrial control systems (ICS for short) and consequently endanger not only operational processes but, in the worst case, even human lives. To protect critical production processes, IT and OT security must be well coordinated. Awareness of this is growing: according to PwC's "Digital Trust Insights" study, 36 percent of German companies currently prioritize investments in OT security solutions - eleven percent more than the global average.
With the Cyber Resilience Act (CRA for short), the EU plans to counter these product-related risks: the directive creates new requirements and security standards that hardware and software must meet before they can be traded throughout Europe and used, for example, as network components in an OT environment. The directive is expected to be adopted in 2024 and is set to come into force with a transition period of 36 months. However, whoever believes there is still plenty of time to implement the requirements is mistaken, because product development cycles often extend over long periods of time. Companies that manufacture digital products for the industrial sector should therefore act as early as possible. In the case of violations, there are fines of up to 15 million euros or up to 2.5 percent of total global annual turnover. In addition, the responsible authorities can impose sales bans and recalls.
Which products fall under the Cyber Resilience Act
The CRA affects all products with digital elements that exchange data directly or indirectly with other devices or networks. It is irrelevant whether these are physical products or pure software components. The same applies to components of a product that are sold separately. For example, the analytics platform of a predictive maintenance system falls under the regulation, as do the sensors or radio modules of the solution. Exceptions are products and components for which other laws already set specific cybersecurity requirements - these include medical products and those of civil aviation. The handling of open-source software, however, is not yet fully clarified: although open-source providers are exempt from the CRA, manufacturers who use such software in their products are not.
Clear rules for different product classes
For the correct classification of products under the CRA, different security categories apply: a standard class, critical class I, very critical class II and Annex IIIa products.
Products of the standard class can be checked for compliance with the requirements without an external testing body. The manufacturer has to prove conformity with a self-assessment and document the results. Manufacturers may also apply the testing procedures of Class I, Class II or Annex IIIa to standard class products.
For the critical Class I, higher requirements apply, so a self-assessment is not possible. Here, affected manufacturers or traders can apply a harmonized standard defined under the directive to demonstrate the product's full CRA compliance. Well-known and tested standards such as IEC 62443 are expected here. In such cases, no external testing authority is required; companies must document compliance with the standards in writing. If there are no harmonized standards, the company must involve an external testing authority (as with Class II products) or use a cybersecurity certification system (as with Annex IIIa). Certification systems and harmonized standards have yet to be defined by the European Union Agency for Cybersecurity (ENISA).
Products in Class II are considered very critical. Here, manufacturers must involve an external testing authority for examination. There are two options. In the first option, the manufacturer carries out an EU type examination: an external body checks the product's cybersecurity in the sense of the CRA. If the product complies with the regulation's requirements, the manufacturer must then ensure on its own responsibility that the products continue to conform to the examined type in the future. In the second option, the manufacturer demonstrates conformity through a quality assurance system in which an external testing body regularly audits conformity.
Finally, there are products of Annex IIIa, which only indirectly meet the requirements of Annex I. A cybersecurity certification system determines the requirements and the contents of Annex I relevant to the product. The certification system also provides stipulations for ensuring conformity. If there is no certification system for a product type, the rules for Class II products apply.
The harmonized standards and certification systems for cybersecurity are not yet finally defined. The European Commission still has to determine these in the framework of implementing legal acts.
Manufacturers need to take action now
If products fall into one of the mentioned categories, manufacturers and retailers will be required in the future to ensure the required level of cybersecurity throughout the entire product development cycle.
This means: the security of the products must already be considered during the development phase and also ensured during production, delivery, maintenance and disposal. If exploited vulnerabilities or acute cyber attacks occur, this must be reported within 24 hours to the national Computer Security Incident Response Team (CSIRT), which for Germany is the BSI. Manufacturers must provide security updates for up to five years or for the expected product lifecycle. For components or entire systems in industrial plants, which are sometimes in use for longer than 20 years, these rules therefore apply for the entire lifespan of the product. In addition, manufacturers must comprehensively inform users about possible risks of the products, for example as part of the user manual.
Date: 08.12.2025
The overview shows that extensive obligations are coming for the affected companies. It is therefore important to act now, review your own products and classify them into the security categories Standard, Critical I, Critical II or Annex IIIa. This involves a certain amount of effort, but those who do not plan a time buffer for CRA preparation risk consequences such as fines, recalls or complicated retrofitting requirements. Companies can use the time gained through proactive planning to rectify deficits in a timely manner using standards such as IEC 62443. In this way, manufacturers act in the interests of safety and fulfill their responsibility towards customers and employees. Industrial companies that have planned investments in networked solutions and plants for the near future can check whether they might postpone the purchase to a later date. This would ensure that the purchased systems and components are already CRA-compliant and contribute to a high level of security in the long term.