New EU Cybersecurity Regulations: What You Need to Know
The European Union is introducing several new regulations—Cyber Security Act (CSA), Cyber Resilience Act (CRA), and Radio Equipment Directive (RED)—aimed at enhancing the security and resilience of digital products. These regulations will significantly impact various industries, setting new standards for products with digital elements. For tech and industrial companies, these changes present both challenges and opportunities.
Key Regulations: What Do They Bring?
1. Cyber Resilience Act (CRA)
The CRA focuses on the cybersecurity of products with digital elements. This means that nearly all electronic products with software, chips, or network capabilities, including IoT devices, are impacted. The regulation sets baseline security requirements that manufacturers must meet, ensuring security throughout the product’s lifecycle (e.g., providing security updates for five years).
Products must comply with specific technical standards, and depending on the product’s risk classification, they may be subject to third-party assessments (self-assessment for low-risk products and stricter scrutiny for critical products). The CRA applies to a broad range of PDEs [1] (Products with Digital Elements), including hardware and software products that are connected, either directly or indirectly, to networks or other devices. This includes items like smart home devices, security cameras, and various IoT products.
Open Source
Open-source software will be subject to a light-touch regulatory regime, which means the CE mark cannot be affixed to it. For-profit manufacturers using open-source software as part of their product with digital elements are responsible for ensuring that those open-source components comply with the CRA.
Free and Open-Source software requirements will include:
- Creating and documenting a cybersecurity policy to foster the development of a secure product with digital elements
- Vulnerability handling process
- Co-operation with market surveillance authorities
Products Out of Scope
The CRA will not apply to the following products, some of which are already covered by other sector-specific regulations:
- Software as a Service – except for remote data processing solutions relating to a product with digital elements
- Medical devices and in vitro diagnostic medical devices
- Civil aviation safety
- Motor vehicles and their trailers
- Products with digital elements developed or modified exclusively for national security or defense purposes, or specifically designed to process classified information
The CRA was officially adopted in October 2024, marking a significant step forward in strengthening cybersecurity across the EU. The regulation will take effect 20 days after its publication, with a phased rollout over the next 36 months, during which certain key provisions will be implemented sooner to address immediate cybersecurity needs.
2. Radio Equipment Directive (RED)
Starting from August 2025, wireless devices using Wi-Fi or Bluetooth must meet specific cybersecurity requirements to be CE compliant. These requirements aim to improve network resilience, reduce fraud, and protect user privacy.
The EN 18031 standard is part of the European Union’s effort to address cybersecurity under the Radio Equipment Directive (RED). This standard consists of three parts, each focusing on different aspects of cybersecurity for radio devices. The goal is to ensure compliance with Articles 3.3(d), (e), and (f) of the RED, which mandate secure networking, data protection, and fraud prevention for radio equipment:
- EN 18031-1:2024 covers network protection by ensuring that connected devices do not degrade network performance or misuse resources.
- EN 18031-2:2024 addresses privacy requirements, especially for devices handling personal data, including toys, wearable technology, and childcare products.
- EN 18031-3:2024 focuses on preventing fraud, particularly for devices involved in monetary transactions, such as those handling virtual currency.
Which equipment is covered by the directive?
The Radio Equipment Directive (RED) generally applies to almost all radio equipment, including both transmitters and receivers, unless specifically excluded. Examples of applicable equipment include:
- Radio transmitters and receivers
- Wi-Fi-enabled devices (such as routers and repeaters)
- Bluetooth devices
- NFC-enabled devices
- Navigation technology systems (including GPS, Galileo, and GNSS)
- Devices using ZigBee modules (such as sensors and smart home automation)
- Smartphones
- Remote controls and radio transmitters (for TVs, garages, and short-range devices)
Integrating these requirements early in the development process is crucial to ensure compliance and avoid disruptions during product launches in the EU market.
3. Cyber Security Act (CSA)
The CSA introduces an EU-wide certification framework for ICT products and services. This framework will help foster trust and enhance security across the EU’s internal market. Companies will be expected to apply secure practices from the start, ensuring that both firmware and hardware meet cybersecurity standards.
_______________________________________________________________________________________________________________________________________
How does this impact the business?
For R&D leaders and engineering teams, these regulations bring new complexity to the development process. Compliance with security mandates adds several layers to design and testing workflows, extending timelines for development and deployment. Here’s how they may impact operations:
Increased Development Time: The need to embed secure OTA update capabilities and extensive access control features may require redesigns and new component evaluations, adding time to development cycles.
More Extensive Testing: Product testing will now require thorough cybersecurity checks, stretching beyond functional and performance tests to include security validations, which may strain resources and add review cycles.
Increased Development Costs: Implementing additional security features and certification processes increases R&D budgets and can strain teams already operating under tight resource constraints.
Pressure to Ensure Compliance: As failure to meet standards can mean market restrictions or legal liabilities, development leaders bear the responsibility of ensuring that products not only meet functional requirements but are also secure from cyber threats.
Impact on Team Morale: Introducing new layers of compliance can feel overwhelming for teams focused on innovation, potentially stifling creativity and creating anxiety around product viability.
_______________________________________________________________________________________________________________________________________
How Can Companies Prepare for Compliance?
1. Implement Security Throughout Development:
Technical leaders should ensure that cybersecurity is integrated from the outset and at every stage of product development. They are now responsible for ensuring their products remain secure throughout their lifecycle, not just at the time of market release.
2. Conduct Risk Assessments:
Regularly assess the risks associated with the company’s products and systems to identify vulnerabilities that need addressing, while aligning with industry best practices for secure product development and risk minimization.
3. Establish Compliance Frameworks:
Develop and maintain frameworks that align with the requirements of the CSA, RED, and CRA, including policies and procedures for security measures, incident response, and the continuous monitoring of product security.
4. Streamline Supply Chain Security:
Technical leaders need to ensure that all components meet cybersecurity standards to reduce vulnerabilities that third-party components could introduce. By strengthening supply chain security, third-party risks can be minimized, which is crucial for maintaining the integrity of critical systems.
5. Plan for Incident Response and Reporting:
Establishing incident protocols and being ready for strict reporting deadlines helps leaders prevent regulatory penalties and maintain product trustworthiness. Companies should plan to meet the 2026 deadline for mandatory incident and vulnerability reporting under CRA regulations.
6. Prepare Technical Documentation:
The technical documentation must include at least all the elements listed in Annex VII of the CRA:
- A general description of the product with digital elements, including:
  – its intended purpose;
  – versions of software affecting compliance with essential requirements;
  – where the product is a hardware product, photographs or illustrations showing external features, marking and internal layout;
  – user information and instructions as set out in Annex II;
- A description of the design, development and production of the product and the vulnerability handling processes, including:
  – necessary information on the design and development of the product, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;
  – necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;
  – necessary information and specifications of the production and monitoring processes of the product and the validation of those processes;
- An assessment of the cybersecurity risks against which the product is designed, developed and produced, including how the essential requirements are applicable;
- Relevant information that was taken into account to determine the support period;
- A list of the harmonized standards, common specifications or European certification schemes applied;
  – where they have not been applied, descriptions of the solutions adopted to meet the essential requirements, including a list of other relevant technical specifications applied;
  – in the event of partial application, the technical documentation shall specify the parts which have been applied;
- Reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with the CRA’s essential requirements;
- A copy of the EU declaration of conformity;
- Where applicable, the software bill of materials, further to a request from a market surveillance authority.
7. Obtain Cybersecurity Certification for Your Products:
Obtaining cybersecurity certification demonstrates that a product meets stringent security standards. In a competitive market, certification serves as a key differentiator, influencing customers and organizations to prefer certified products over uncertified ones.
_______________________________________________________________________________________________________________________________________
How Can ARS Embedded Systems Assist?
As a development partner, ARS Embedded Systems helps tech companies design secure, compliant systems, enabling them to accelerate product development and launch safely. Our expertise in hardware, firmware, and testing ensures that our clients’ products meet the latest EU standards without adding unnecessary complexity to their development.
Our Services Include:
- Custom Firmware & Software Development: We develop secure software and firmware tailored to meet evolving EU standards without burdening your internal resources.
- Lifecycle Support: We provide firmware updates and technical documentation essential for product certification.
- Testing and Risk Assessment: Our team assists with cybersecurity testing and security assessments to meet regulatory demands.
_______________________________________________________________________________________________________________________________________
Conclusion: Why Act Now?
New EU regulations like the CRA and RED will bring significant changes to the market in the coming years. Companies that prepare in time will secure a competitive advantage and reduce the risk of delays due to non-compliance.
With ARS Embedded Systems as your development partner, you can ensure that your products meet the highest standards and that your business stays ahead of regulatory changes.
Ready to talk? Let’s explore how we can help!
________
[1] Products with Digital Elements (PDEs) Definition
- any software or hardware product and its remote data processing solutions
- including software and hardware components to be placed on the market separately
- with a data connection to a device or network
- that are made available on the EU single market