The impact of the Cyber Resilience Act on the product lifecycle

Mathilda Nynäs

The world as we know it is constantly changing. The number of connected devices, i.e. devices with an internet connection, is growing faster than ever. By the year 2025, the number of connected devices is predicted to reach 40 billion units, with the number of IoT devices rapidly increasing (Statista 2020). In a world where everything and everyone is connected to the internet, there is a need for comprehensive digital regulation.

The need for regulation on an EU level

Cybersecurity incidents impact users without regard to national borders (European Commission 2022a, 2). At the moment, there is no cybersecurity legislation covering all digital devices available on the internal EU market, resulting in a rather fragmented market with multiple national regulations for manufacturers to consider (European Commission 2022a, 11-12, 16-17). The proposal for a horizontal EU-wide regulation on cybersecurity, the Cyber Resilience Act (CRA), was put forward by the European Commission on 15 September 2022 (European Commission 2022b).

Incentives for bringing safer devices onto the internal market

The digital device market is highly competitive, and any extra step can lead to delayed delivery and an economic disadvantage. The first to enter the market should not be the one to benefit, but rather those with the most secure products (European Commission 2022a, 10-11). During the last decade, the EU has strived to ensure a cybersecure environment for its population and businesses (Joint Research Centre 2020, 27-28). The Joint Research Centre (JRC) of the European Commission calls for digital devices to be designed with security in mind (Joint Research Centre 2020, 102). This is one of the key objectives of the CRA (European Commission 2022b, §1).

The impact during the product lifecycle

The CRA covers a wide scope of digital products: all software, hardware and digital components placed on the market, unless otherwise specified (European Commission 2022b, §2-3). The regulation imposes security and vulnerability handling requirements that manufacturers must implement from the design and development phase onwards, and maintain for the expected product lifetime or for five years from the placing on the market, whichever is shorter (European Commission 2022b, §10). As previously mentioned, cybersecurity should play a central part in the process. Figure 1 gives a brief overview of the obligations of manufacturers.

[Figure 1: the different phases of the product lifecycle]
FIGURE 1. Security and vulnerability handling requirements of the manufacturer based on §10 and Annex I of the Cyber Resilience Act.

The importance of the maintenance phase

Steps four and five in figure 1 describe the responsibilities of the manufacturer during the maintenance phase. After deployment, and throughout the whole lifecycle, the manufacturer is obliged to regularly review and test the product for vulnerabilities. If, and when, a vulnerability is discovered, the manufacturer must address it and deliver a security update without delay, and once the update is available, publicly disclose information about the fixed vulnerability (European Commission 2022b, Annex I).

[Figure 2: devices receiving software updates]
FIGURE 2. Stay updated – Stay safe.

One of the main issues with digital products is the lack of security updates during the product's lifecycle and the delay of these updates. According to data collected by Google's Project Zero in 2021, the average time between the manufacturer being made aware of an issue and the vulnerability being fixed with an update was 52 days (European Commission 2022a, 7; Schoen 2022). This response time is far too long and needs to be reduced further, hopefully with the help of the CRA. Under the CRA, the manufacturer needs to act swiftly and deliver security updates without delay (European Commission 2022b, Annex I). Manufacturers are not only responsible for fixing vulnerabilities; they are also obliged to inform their users without undue delay of incidents affecting the security of the product and, where necessary, of corrective measures the users can take to mitigate the impact (European Commission 2022b, §11(4)). This will help reduce the possible damages for both manufacturers and users.

Going forward

The CRA brings a significant increase in manufacturing and maintenance costs, but more secure products will in turn reduce the costs of cybercrime (European Commission 2022a, 52-53). Thus, manufacturers will benefit in the long run. The proposal for the CRA is not even a year old and the legislative process is still ongoing, so modifications can still be made before the act is finalized in the years to come.

References

European Commission. 2022a. Commission Staff Working Document: Executive Summary of the Impact Assessment Report Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. Available at: https://ec.europa.eu/transparency/documents-register/detail?ref=SWD(2022)282&lang=en. Accessed 17 May 2023.

European Commission. 2022b. Cyber Resilience Act. Available at: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act. Accessed 14 May 2023.

Joint Research Centre of the European Commission. 2020. Cybersecurity, our digital anchor. Available at: https://publications.jrc.ec.europa.eu/repository/handle/JRC121051. Accessed 5 June 2023.

Schoen, R. 2022. A walk through Project Zero metrics. Google Project Zero. Available at: https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html. Accessed 4 June 2023.

Statista. 2020. Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025. Available at: https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/. Accessed 6 June 2023.

Mathilda Nynäs
R&D project assistant
Centria University of Applied Sciences
mathilda.nynas2@centria.fi
