Cybersecurity Product Scope

For which product manufacturers is it important to be aware of current and upcoming requirements for cybersecurity?

As a quick scan, to determine whether a product should comply to cybersecurity requirements, check whether it

  • ensuress network protection,
  • protection of personal data and privacy,
  • protection from fraud,
  • uses IoT (Internet of Things) technology
  • or AI (Artificial Intelligence) or
  • Machine Learning technologies.

The products using one of the mentioned technologies fall into the scope of different existing Directives, Regulations and/or standards and are a main focus of upcoming legislation. Example of groups of products that are already affected:

Internet connected radio equipment

  • Smart phones, tablets, electronic cameras, telecommunication equipment, IoT devices
  • Baby monitors, toys
  • Smart watches, fitness trackers

Machinery and software uses AI

  • Robots
  • Machinery ensuring safety functions, quality control and automatisation

CE marking and Digital Product Safety

What have been implemented already? And how to be cybersecurity compliant in upcoming years?

CE marking is a certification process that signifies a product’s compliance with safety, health, and environmental protection requirements set within the European Economic Area (EEA). Lately cybersecurity requirements of some regulations and directives were reviewed, updated and are already published, some – are on the development stage.

New cybersecurity requirements were implemented within the Radio Equipment Directive (RED), which covers a majority of IoT and wireless products. By integrating cybersecurity measures into the CE marking process, manufacturers will be required to ensure that their products adhere to specific security standards throughout their entire life cycle. Cybersecurity requirements will be mandatory from August 1st, 2025.

One of the key changes of a new General Product Safety Regulation 2023/988 is an “internal risk analysis” and an up-to-date technical file. In some cases technical document may also need consideration of cybersecurity risks. 

The latest Machinery Regulation that came into force in July 2023 brings new requirements for AI as well as more emphasis on cybersecurity. Risk assessments are also introduced in relation to cyber attacks. New Machinery Regulation will not only cover physical components but also digital components, or software, and might also capture systems that use AI and Machine Learning technologies as well as automated guided vehicles. Compliance with a new Machinery Regulation will be mandatory since the end of 2027.

How can we help you?

  • Evaluate the security level of your devices according to the technical requirements of ETSI EN 303 645 and upcoming EN 18031 standards(for devices that fall into the scope of RED);
  • GAP analysis to determine the relevant requirements and to establish the current level of compliance;
  • Personal training on machinery regulation that will help to understand most relevant changes compared to the Machinery Directive.

Upcoming regulations 

Cyber Resilience Act (CRA), aims to establish a clear cybersecurity framework for both hardware and software producers. The CRA will not become an EU Directive but will instead act as a horizontal regulation, applying cybersecurity requirements to a broad scope of tangible and non-tangible products. When the proposed regulation enters into force, software and products connected to the internet would bear the CE marking to indicate they comply with the standards. In Q4 2023 the final legal text will be negotiated with the European Parliament.   

EU AI Act will be the first regulation on artificial intelligence which aims to regulate a wide range of AI applications. The rules will follow a risk-based approach and will establish obligations for providers and those deploying AI systems depending on the level of risk the AI can generate. There are still talks in the council on the final form of the law. The aim is to reach an agreement by the end of this year. 

AI Liability Directive uniform rules for certain aspects of non-contractual civil liability for damage caused with the involvement of AI systems.  

Product Liability Directive introduces liability rules upon the producers of defective products. It addresses inter alia liability for defective software, and thus provides remuneration mechanisms for victims of AI-inflicted damages. According to Art.7 almost every economic operator who is involved in the production and distribution chain can be sought for damage compensation.  

    Questions? Contact us Today

    Do you have more questions?

    Our experts help you further