
How the EU Cyber Resilience Act is changing the security rules


The EU has adopted new rules that aim to increase the level of security for all connected devices – with implications for manufacturers, importers, and distributors. 

The Cyber Resilience Act (CRA) is a new European Union regulation focused on improving the cybersecurity of all products with digital network elements sold in the EU.  

It sets the first ever EU-wide cybersecurity requirements for connected devices and software. It harmonizes existing regulations while complementing others such as NIS2, which is designed to strengthen cybersecurity in the EU’s critical sectors. 

The main goal is to protect consumers and businesses from products with inadequate cybersecurity. When buying connected devices, there is a greater reassurance that they meet a standard that will help safeguard against threats. 

EU Cyber Resilience Act

The main, though not the only, goal of the CRA is to ensure that any product with digital elements follows Secure by Design principles. 

This applies from the point at which the product is purchased and continues throughout its lifecycle. EU regulators want to protect customers by ensuring that no connected device sold exposes them to increased cybersecurity risk. 

A secondary goal is to improve transparency when it comes to security and connected devices. Manufacturers need to provide specified information such as:  

  • For how long they will provide security updates 
  • How to set up and maintain the product securely, and  
  • How they identify, handle, and report security vulnerabilities – both to users and the appropriate authorities. 

The Cyber Resilience Act has a wide scope. While anyone manufacturing or selling a connected device is obviously within scope, there are many more parts of the supply chain that need to take heed. 

Defining "products with digital elements" 

The Cyber Resilience Act defines a product with digital elements as a “software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately”.  


Remote data processing is also defined; the definition covers processing “the absence of which would prevent the product with digital elements from performing one of its functions”. 

For example, a network camera falls under the scope of the Cyber Resilience Act. The finished hardware and software must meet these standards, but so must any operating system, third-party libraries, and anything else supplied that makes up the device and its use. 

The roles of manufacturers, importers, and distributors 

The wide scope of the Cyber Resilience Act means a great deal of shared responsibility. Manufacturers need to ensure that every relevant part of their product meets the cybersecurity standards, just as they would for any other regulations.  

In turn, importers and distributors need the same from manufacturers. The ecosystem depends on the coordination and cooperation across the supply chain to meet the CRA requirements. 


Key exemptions from the Cyber Resilience Act 

There are some exemptions from the Cyber Resilience Act, notably non-commercial open-source software and medical devices, among others. However, other cybersecurity regulations apply here. There are requirements for manufacturers to exercise due diligence if they integrate free open-source software into their products. 

The video surveillance industry has an obligation to provide products that meet cybersecurity standards. It not only provides connected hardware that would pose a risk if not secured properly; it also records data that needs to be kept safe.  

Conduct a cybersecurity risk assessment 

A cybersecurity risk assessment is required for each product. The outcome of that assessment is then considered throughout the product's lifecycle, from planning and design to maintenance. 

The risk assessment must be documented and updated, and must refer to the Cyber Resilience Act requirements where they apply. Manufacturers are expected to document all relevant cybersecurity aspects of their products, and record any vulnerabilities they discover or are aware of. 

Ensure secure product design and development 

Connected devices need to be designed and developed with cybersecurity integrated from the outset. This creates security by design and by default. The EU wants products sold in its markets to be secure “off the shelf”, rather than requiring complex setup and configuration. It also requires that these remain secure if they are used in the way that is intended.


True Secure by Design fundamentally relies on a hardware root of trust (HRoT) and the underlying operating system. This operating system is the software running in the device. 

Hardware-backed security, such as secure boot on the system-on-chip (SoC) and the use of a secure element for secure key storage, provides the foundational protection. The operating system relies and builds upon this foundation to serve the customer with security features. 

These foundational hardware protections are often provided by a trusted ecosystem of component suppliers and semiconductor partners. 
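The chain of trust that secure boot establishes is easier to reason about with a concrete model. The following is an added example and not code from the article or from Axis or NXP. A real SoC anchors the chain with a public key (or its hash) in one-time programmable memory and checks a signature over every stage; to stay self-contained and run offline, this model anchors the chain with an immutable digest held in "ROM" instead. The shape of the argument is the same: the only value trusted without verification is the hardware anchor, every stage is verified before it runs, and each stage vouches for the one that follows. The stage names and image contents are constructed for illustration.

```python
"""Simplified model of a secure-boot chain of trust anchored in hardware."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                    # what would be executed
    next_digest: Optional[bytes]   # digest this stage expects of the next stage

    def image(self) -> bytes:
        # The expected digest of the next stage is part of the verified image:
        # if it sat outside the digest, swapping it would go unnoticed.
        return self.code + (self.next_digest or b"")

    def digest(self) -> bytes:
        return hashlib.sha256(self.image()).digest()


@dataclass
class BootResult:
    ok: bool
    reached: List[str]    # stages verified and "executed", in order
    measurement: bytes    # PCR-style running digest of what actually ran
    reason: str = ""


def extend(measurement: bytes, value: bytes) -> bytes:
    """TPM-style extend: new = H(old || value). Order-dependent, and a later
    value cannot undo an earlier one, which is what makes the log attestable."""
    return hashlib.sha256(measurement + value).digest()


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Build stages from the last one backwards so each stage embeds the digest
    of its successor. Returns (rom_anchor, stages); rom_anchor is the digest of
    the first stage, i.e. the value a manufacturer would fuse into the SoC."""
    if not images:
        raise ValueError("chain needs at least one stage")
    stages: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, code in reversed(images):
        stage = Stage(name, code, next_digest)
        stages.insert(0, stage)
        next_digest = stage.digest()
    return next_digest, stages


def boot(rom_anchor: bytes, stages: List[Stage]) -> BootResult:
    """Walk the chain as the boot ROM and each subsequent stage would."""
    expected = rom_anchor
    measurement = b"\x00" * 32
    reached: List[str] = []
    for stage in stages:
        actual = stage.digest()
        if actual != expected:
            # Stop here: nothing after a failed check is allowed to run.
            return BootResult(False, reached, measurement,
                              f"{stage.name}: digest mismatch, refusing to execute")
        measurement = extend(measurement, actual)
        reached.append(stage.name)
        if stage.next_digest is None:      # final stage, chain complete
            return BootResult(True, reached, measurement)
        expected = stage.next_digest
    return BootResult(False, reached, measurement, "chain ended before its final stage")


def replace_code(stages: List[Stage], name: str, new_code: bytes) -> List[Stage]:
    """Simulate a modified image on flash, without access to the ROM anchor."""
    return [Stage(s.name, new_code, s.next_digest) if s.name == name else s
            for s in stages]


# Constructed sample images; on a real device these would be the bootloader,
# kernel and root filesystem binaries.
SAMPLE_IMAGES = [
    ("bootloader", b"bootloader v1.0 (constructed sample)"),
    ("kernel",     b"kernel 6.x (constructed sample)"),
    ("rootfs",     b"root filesystem (constructed sample)"),
]

if __name__ == "__main__":
    anchor, chain = build_chain(SAMPLE_IMAGES)
    print("clean boot:", boot(anchor, chain))
    print("modified kernel:", boot(anchor, replace_code(chain, "kernel", b"modified kernel")))
```

Two properties are worth noticing when running it: a modified kernel is rejected before it executes, and the bootloader is the last stage recorded in `reached`; and two clean boots of the same images produce the same `measurement`, which is the value an attestation service would compare against a known-good reference.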

Report actively exploited vulnerabilities and incidents 

There are strict deadlines for reporting vulnerabilities and security incidents. An early warning needs to be submitted within 24 hours of becoming aware, with a full notification within 72 hours.  

A final report must be submitted within 14 days of a corrective measure for exploited vulnerabilities, and within one month for severe incidents. The reporting platform will be available by the 11th of September 2026, when the reporting obligations come into force. 
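Because the three reports are chained, it helps to track them as a timeline rather than as three separate dates. The tracker below is an added example, not from the article and not any regulator's tooling. The periods are the ones stated above: early warning within 24 hours and full notification within 72 hours of becoming aware; final report within 14 days of the corrective measure for an actively exploited vulnerability, and within one month for a severe incident. Two points are assumptions: the month for a severe incident is counted from the full-notification deadline, and "one month" is taken as 30 days. The timestamps are constructed.

```python
"""Deadline tracker for the CRA reporting timeline."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EARLY_WARNING = timedelta(hours=24)        # from becoming aware
FULL_NOTIFICATION = timedelta(hours=72)    # from becoming aware
FINAL_VULNERABILITY = timedelta(days=14)   # from the corrective measure
FINAL_INCIDENT = timedelta(days=30)        # assumption: "one month" taken as 30 days


def deadlines(kind: str, aware_at: datetime,
              corrective_at: Optional[datetime] = None) -> Dict[str, Optional[datetime]]:
    """Return the due time of each report; None when it cannot be fixed yet."""
    if kind not in ("vulnerability", "incident"):
        raise ValueError("kind must be 'vulnerability' or 'incident'")
    full = aware_at + FULL_NOTIFICATION
    if kind == "vulnerability":
        # The final report clock only starts once a corrective measure exists.
        final = corrective_at + FINAL_VULNERABILITY if corrective_at else None
    else:
        final = full + FINAL_INCIDENT   # assumption: counted from full notification
    return {"early_warning": aware_at + EARLY_WARNING,
            "full_notification": full,
            "final_report": final}


def status(due: Dict[str, Optional[datetime]],
           submitted: Dict[str, datetime], now: datetime) -> Dict[str, str]:
    """Classify each report: submitted on time/late, open, overdue, or waiting."""
    out: Dict[str, str] = {}
    for report, deadline in due.items():
        if deadline is None:
            out[report] = "waiting for corrective measure"
        elif report in submitted:
            out[report] = ("submitted on time" if submitted[report] <= deadline
                           else "submitted late")
        elif now > deadline:
            out[report] = "OVERDUE by " + str(now - deadline)
        else:
            out[report] = "open, due in " + str(deadline - now)
    return out


# Constructed timeline: exploitation observed on 14 Sept 2026, fix shipped 20 Sept.
AWARE = datetime(2026, 9, 14, 10, 0, tzinfo=timezone.utc)
CORRECTIVE = datetime(2026, 9, 20, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    due = deadlines("vulnerability", AWARE, CORRECTIVE)
    sent = {"early_warning": AWARE + timedelta(hours=10)}
    for report, state in status(due, sent, AWARE + timedelta(days=4)).items():
        print(f"{report:18} {due[report]}  {state}")
```

Keeping the awareness time in UTC and stamping each submission with the time it was actually sent makes the overdue check trivially auditable, which is what an authority's request for information will ask for.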

Provide security updates for the product's lifecycle 

Security updates must be available for the lifespan of the product, and be built in as a default behavior. Just as a laptop or smartphone’s OS updates with relative ease, so must the digital components of any connected device. 

The regulation mandates a minimum support period of at least five years for security updates (with some exceptions). Considerations relevant to the support period include the average lifespan, user expectations, third-party components, and legal requirements outside of the Cyber Resilience Act. 

Create clear technical documentation and user instructions 

Most manufacturers provide some form of technical documentation. But now this is legally required and part of the proof that the rules have been followed. The technical documentation must contain details of the cybersecurity risk assessment, the support period, test reports to show evidence of conformity, and more.


The user instruction requirements include contact details for the manufacturer, details of cybersecurity support provided, and how security updates can be installed. These should be “living documents”, updated when necessary. 

Axis is well prepared for – and aims to go beyond – the essential requirements of the CRA. It’s important to work closely with partners such as NXP Semiconductors providing FIPS- and Common Criteria-certified EdgeLock® secure elements to ensure that distributors and end customers know that products are compliant: 

  • The Axis Security Development Model (SDM) embeds security throughout the software lifecycle, from initial threat modeling and pre-release penetration testing to continuous vulnerability management and a bug bounty program after release. This ensures a proactive and ongoing approach to software security. 
  • Collaboration with NXP supports the integration of hardware-based security features, including the use of trusted and certified EdgeLock secure elements. This helps to establish a hardware root of trust within Axis devices and allows security considerations to be addressed from the earliest design stages. 
  • Axis is a CNA (CVE Numbering Authority), able to issue CVE IDs for vulnerabilities. It publishes them through the CVE website, its own website, and email to subscribers, ensuring that all users are alerted to risks as soon as possible. 
  • Axis device management software provides security update notifications and can perform automatic or manual upgrades of AXIS OS on hundreds of devices if needed. End-of-software-support dates are readily available. 
  • SBOMs are available for most AXIS OS-based products, network video recorders, as well as most Axis video and device management software. 
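An SBOM is only useful if someone actually matches it against published advisories, which is the link between the CVE publication and the SBOM points above. The following is an added example and not Axis code or a description of Axis tooling. The SBOM is a constructed CycloneDX-style document, the advisories are constructed, and the CVE identifiers are placeholders rather than real CVE records. The advisory model is deliberately simple: a component is affected when its installed version is lower than `fixed_in`; real advisories carry richer version ranges.

```python
"""Match a CycloneDX-style SBOM against a list of advisories."""
import json
from typing import Dict, List, Tuple

# Constructed SBOM for a hypothetical device firmware.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "device", "name": "example-camera-os",
                               "version": "11.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12"},
        {"type": "library", "name": "curl",    "version": "8.4.0"},
        {"type": "library", "name": "libxml2", "version": "2.11.5"},
    ],
})

# Constructed advisories with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "CVE-0000-00001", "component": "openssl", "fixed_in": "3.0.13"},
    {"id": "CVE-0000-00002", "component": "curl",    "fixed_in": "8.4.0"},   # already fixed
    {"id": "CVE-0000-00003", "component": "zlib",    "fixed_in": "1.3.1"},   # not shipped
    {"id": "CVE-0000-00004", "component": "libxml2", "fixed_in": "2.11.10"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions; each field keeps only its leading digits, so
    '2.11.10' sorts after '2.11.5' and a field without digits compares as 0."""
    parts = []
    for field in v.split("."):
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison with right-padding, so '1.2' == '1.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def find_affected(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one record per advisory whose component ships below the fixed version."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    installed = {c["name"]: c["version"] for c in sbom.get("components", [])}
    hits = []
    for adv in advisories:
        version = installed.get(adv["component"])
        if version is not None and version_lt(version, adv["fixed_in"]):
            hits.append({"advisory": adv["id"], "component": adv["component"],
                         "installed": version, "fixed_in": adv["fixed_in"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']} {hit['installed']} "
              f"(fixed in {hit['fixed_in']})")
```

Run against the constructed data, this flags openssl and libxml2 and correctly ignores curl (already at the fixed version) and zlib (not in the SBOM). Feeding the output into the vulnerability handling process described in the article is what turns an SBOM from a compliance artifact into a working control.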

Full enforcement of the Cyber Resilience Act begins on the 11th of December 2027. From then on, all hardware and software products in the EU market must be fully compliant and carry the CE marking. Early preparation is critical for products already in development.


However, there are earlier dates that should be noted. On the 11th of June 2026, the framework on notification of conformity assessment bodies will apply. This matters for products classed as “important” or “critical”, which require third-party assessment.  

More widely applicable is the 11th of September 2026, when reporting obligations apply. From that date, manufacturers must report actively exploited vulnerabilities.  

The CRA will apply to all products placed on the market after the Act becomes applicable, even if they were designed and developed before it comes into effect. 

Penalties for non-compliance are severe, designed to incentivize businesses of all sizes to comply. The largest possible fine is €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. 


This is reserved for non-compliance with the essential cybersecurity requirements. Smaller, but still significant, fines apply to infringements such as failures in vulnerability handling, or reporting incomplete or incorrect information in response to a request. 

Even for manufacturers that work hard to ensure their products are and remain secure, the CRA introduces strict rules on how they document and prove this, to regulators, their customers, and their distributors. 

The new rules reinforce the need for security by design, built into every choice made in creating a product. It means that long-term security readiness depends on design choices made years before deployment – it cannot be an add-on or patched in.  

There is also the issue of access and trust. With adherence to the regulations relying on different parts of the supply chain, there is a clear need for businesses to comply in order to protect each other. Also, customers will be more likely to trust providers and manufacturers with a clean record. 

This underlines the importance of close collaboration across the value chain, from component suppliers to device manufacturers, to support long-term cybersecurity readiness. 

Andre Bastert

Andre Bastert is a Global Product Manager at Axis Communications. He is responsible for the AXIS OS software platform empowering Axis network devices. Andre focuses on everything related to cybersecurity, IT-infrastructure/security integration, and the software lifecycle management aspects of our products. Andre started his career at Axis in 2014 in technical services. Before taking on his current position, he worked as a product specialist for PTZ cameras and AXIS OS. When not working, Andre spends time with his family and enjoys renovating in a true do-it-yourself spirit.
