Security by Design in production
Interview with Michael Buchenberg, XITASO
18 June 2026
The Cyber Resilience Act was adopted in the EU in 2024. The regulations, which will come into force at the end of 2027, apply to almost all “products with digital elements” that are sold on the European market. We spoke with the IT security specialist about what this means for manufacturers of machines, devices and software solutions.
“The Cyber Resilience Act states that we want an EU that is resilient against cyber attack, even at product level,” explains Buchenberg. “These are process issues which a lot of companies will be dealing with on an ongoing basis. It would be nice if all of those affected were already doing it, given that they must be able to implement the new requirements as of December 2027.”
“It’s a long list, and companies are faced with stiff penalties if they fail to comply,” emphasises the IT security specialist. “The products concerned must be developed and manufactured with a Security by Design approach. The products must come onto the market ‘without any exploitable vulnerabilities’, have integrated security measures, ensure data security and minimise any digital attack surfaces.”
Furthermore, there is an obligation to report and to remove any vulnerabilities, which still applies even after the sale. “For example, software developers must provide security updates to close any vulnerabilities free of charge for five years,” Buchenberg explains. “If a manufacturer supplies a milling machine with control and HMI, they must provide firmware updates for years.”
But he doesn’t just explain; he also outlines some practical solution approaches, which you can find out about in Panorama No. 1/2026 on pages 26 and 27.