From December 2027, EU-wide mandatory cybersecurity requirements will apply to “connected products with digital elements,” including network-enabled locks. The new regulations aim to ensure cybersecurity throughout the entire product lifecycle, promote the adoption of secure technologies, protect consumers, and strengthen trust in digital products. By securing our solutions, we support our customers in complying with these regulatory requirements.
The European Union is introducing the Cyber Resilience Act (CRA), the first regulation to set uniform cybersecurity standards for digital products across the EU. Its goal is to ensure a consistent minimum level of protection throughout the single market. Almost every product with a digital interface will be affected, from network-enabled high-security locks to locks that can be configured digitally via a PC. Under the CRA, manufacturers will need to implement secure design practices, manage vulnerabilities, and provide timely security updates. Importers and distributors will also share responsibility for compliance. The CRA extends the scope of the CE marking, which has traditionally focused on functional safety, to include mandatory cybersecurity requirements. In the future, products will be evaluated not only for mechanical or electrical risks but also for their resilience against cyberattacks.
What Does the CRA Mean in Practice?
The Cyber Resilience Act requires manufacturers to ensure a minimum level of cybersecurity for all connected products with digital elements. Compliance must be clearly documented and demonstrable. Specifically, this means:
Security by Design
Connected products must be designed with cybersecurity from the outset, for example through encrypted firmware updates.
Security by Default
Secure default settings, such as automatic security updates or the avoidance of default passwords, are mandatory.
Declaration of Conformity
Manufacturers must demonstrate that their product meets all CRA requirements, either through harmonised standards or equivalent internal procedures that are auditable.
Vulnerability Management
Identified vulnerabilities must be reported, documented, and addressed throughout the product’s lifecycle.
Software Bill of Materials (SBOM)
An SBOM, a “list of ingredients” of all software components, must be created during the development phase. Publication is not required.
Security Updates
Security updates must be provided for the entire support period of the product.
Who Is Affected?
The requirements of the Cyber Resilience Act apply to a wide range of stakeholders across the lifecycle of digital products. In particular, the following groups will need to adapt to the new cybersecurity regulations:
What Needs to Be Done and by When?
The regulation entered into force in December 2024 and must be fully implemented by 11 December 2027. Products newly placed on the market must comply with all requirements by this date.
Given the complexity of the requirements, early action is essential. Companies in critical infrastructure and industrial sectors should already align their product strategy, security architecture, and maintenance processes with the Cyber Resilience Act to avoid later retrofit costs, delivery delays, and regulatory risks.
Cyber Resilience Act Timeline
11 December 2024
CRA enters into force
11 June 2026
Notified Bodies (KBS) can assess compliance with CRA requirements
11 September 2026
Obligation to report vulnerabilities and incidents begins
11 December 2027
CRA requirements fully applicable to products
Our Expertise
Secure Device Architecture
CRA-compliant lock architectures with secure firmware.
Logging
Central documentation of all configuration changes and access events.
CVE Monitoring
Support for vulnerability management through systematic CVE monitoring.
INSYS locks products provide a technically robust architecture for digital locks and access management systems. Features such as encrypted communication, comprehensive access logging, and traceable permissions management support auditability, operational security, and regulatory compliance across the European single market.