Digital products as regulated products: what the CRA changes

Until recently, the manufacturer of a digital product was primarily responsible for its functionality. Under the Cyber Resilience Act, the manufacturer will now also be responsible for its security—not only on the day of release, but throughout the product’s entire lifecycle.

4 Min Read
Technologia

For years, software and digital device manufacturers have focused primarily on delivering a functional product. If vulnerabilities subsequently emerged, they were usually addressed through subsequent updates. The Cyber Resilience Act (CRA) changes this approach. Security ceases to be merely part of product maintenance and becomes a mandatory feature for which the manufacturer is responsible from the design stage right through to the end of support.

This is not just another regulation on cybersecurity. For businesses, it means a shift in the way they think about digital products. Software is now treated in much the same way as other regulated products – it must meet specific requirements before it reaches the market, and the manufacturer remains responsible for its security even after it has been sold.

The European Union has decided to take this step because the existing model has proved inadequate. Products containing known vulnerabilities or lacking adequate security support were regularly entering the market, and the burden of dealing with the consequences fell mainly on users and the organisations using them. The CRA reverses this dynamic. Responsibility is shifted from the user to the manufacturer, who must deliver a secure product at the time of its placing on the market and maintain that level of security throughout the declared support period.

The biggest change concerns precisely this responsibility. In practice, the manufacturer’s role does not end with the release of a new version of an application or the sale of a device. They must continuously manage vulnerabilities, prepare security patches, respond to actively exploited vulnerabilities, and manage the process of reporting them in accordance with regulatory requirements. This means that security becomes an ongoing process, rather than a one-off stage of a project. For many companies, this will represent a greater organisational change than a technological one.

This, in turn, changes the way digital products are created. Since the manufacturer is responsible for security throughout the product’s entire lifecycle, it cannot treat security as a feature added just before launch. Cybersecurity must be taken into account right from the design of the architecture, the selection of components and the planning of the development process. That is why the CRA is based on the principles of ‘security by design’ and ‘security by default’, requiring, amongst other things, risk assessment, the maintenance of technical documentation and a structured vulnerability management process. In practice, security is becoming one of the fundamental parameters of product quality, alongside functionality and performance.

The implications, however, extend far beyond security departments. Meeting the CRA’s requirements calls for collaboration between product teams, developers, compliance specialists, lawyers and senior management. It will be the board that is responsible for establishing processes to ensure the product remains compliant with the regulation for years to come. This means that costs relating to maintenance, updates and vulnerability management must be planned for as early as the business model development stage. Cybersecurity is no longer merely a technical issue; it is becoming an integral part of product management.

As a result, the Cyber Resilience Act is redefining the concept of a digital product. It is no longer merely a set of features that a manufacturer sells to a customer. It is becoming a regulated product, the security of which is subject to the same requirements as other characteristics determining its marketability.

Share This Article