{"id":29690,"date":"2026-07-03T14:10:23","date_gmt":"2026-07-03T12:10:23","guid":{"rendered":"https:\/\/pavesioassociati.it\/?p=29690"},"modified":"2026-07-03T14:11:01","modified_gmt":"2026-07-03T12:11:01","slug":"cyber-resilience-act-regulatory-updates-for-products-with-digital-elements","status":"publish","type":"post","link":"https:\/\/pavesioassociati.it\/en\/news\/cyber-resilience-act-regulatory-updates-for-products-with-digital-elements\/","title":{"rendered":"Cyber Resilience Act:  Regulatory Updates for products with digital elements"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regulation (EU) 2024\/2847 (the Cyber Resilience Act) introduces a harmonized European<br>framework on cybersecurity applicable to products with digital elements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>The new regulation forms part of the European Union\u2019s broader strategy to strengthen the cyber<br>resilience of the internal market. It complements the existing regulatory framework \u2013 particularly<br>the NIS 2 Directive, which focuses on security measures for networks and information systems within<br>regulated organizations \u2013 with the objective of ensuring a high and consistent level of cybersecurity<br>for products throughout their entire lifecycle.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Scope of application<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Cyber Resilience Act applies to all <strong>products with digital elements<\/strong> \u2013 namely, any hardware<br>or software product, as well as related remote data-processing solutions \u2013 whose intended purpose<br>or reasonably foreseeable use <strong>includes a logical or physical connection<\/strong> (whether direct or<br>indirect) to a device or network.<br><br>Excluded from the scope of the Regulation are <strong>products with digital elements that are<br>already governed by equivalent sector<\/strong> &#8211; specific legislation, including, by way of example,<br>regulations concerning medical devices and in vitro diagnostic medical devices, motor vehicles<br>subject to automotive type-approval requirements (categories M, N, and O), and aircraft.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Manufacturers\u2019 Obligations<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As of 11 September 2026, manufacturers of products with digital elements will be required to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>notify, through the Single Reporting Platform currently being established, any actively exploited vulnerabilities, i.e., vulnerabilities for which there is reliable evidence of exploitation by a third party not authorized by the system owner, as well as any severe incidents affecting the security of the products (Article 14);<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>inform users of the product with digital elements \u2013 whether directly affected or, where appropriate, the wider user community \u2013 of the identified vulnerability or incident, providing clear information regarding any risk mitigation measures and\/or corrective actions to be taken. Such information should also be made available in structured formats suitable for automated processing where appropriate (Article 14).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">As of 11 December 2027, manufacturers of products with digital elements will be subject to a number of specific obligations, including, by way of example, the requirement to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ensure that products are <strong>designed, developed, and manufactured in compliance with the applicable essential cybersecurity requirements<\/strong> set out in the Regulation (Article13, in conjunction with Annex I, Part I);<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>implement <strong>security-by-design and security-by-default principles and adopt a structured cybersecurity risk management approach<\/strong> throughout the entire product lifecycle (Article 13);<br><\/li>\n\n\n\n<li>establish and maintain <strong>vulnerability handling processes<\/strong>, including the timely provision of security updates and patches (Article 13, in conjunction with Article 14 and Annex I, Part I);<br><\/li>\n\n\n\n<li>comply with <strong>information obligations <\/strong>towards users, particularly with regard to cybersecurity risks, secure use instructions, and the availability of security updates (Article 13, in conjunction with Annex II);<br><\/li>\n\n\n\n<li>affix the <strong>CE marking<\/strong> as evidence of conformity with the applicable cybersecurity requirements (Article 30);<br><\/li>\n\n\n\n<li>prepare and maintain the <strong>technical documentation demonstrating the conformity<\/strong> of the product with digital elements, including a <strong>cybersecurity risk assessment<\/strong> (Article 31, in conjunction with Annex VII);<br><\/li>\n\n\n\n<li>carry out, or have carried out, the <strong>applicable conformity assessment procedures<\/strong> selected for the product (Article 32, in conjunction with Annex VIII).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For products that also qualify as <strong>high-risk AI systems<\/strong>, the Cyber Resilience Act introduces an<br>important principle of regulatory alignment and integration of requirements. Compliance with the<br>cybersecurity requirements of the Cyber Resilience Act may also serve to demonstrate compliance<br>with the corresponding cybersecurity requirements under the <strong>AI Act,<\/strong> thereby avoiding unnecessary<br>duplication of obligations. In essence, the cybersecurity requirements set out in the AI Act are<br>deemed to be fulfilled where the product complies with the essential cybersecurity requirements and<br>the related organizational processes established under Annex I of the Cyber Resilience Act.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>The Cyber Resilience Act represents a significant paradigm shift, requiring economic operators to<br><strong>embed cybersecurity as a structural component of digital products<\/strong>. Cybersecurity is no<br>longer treated merely as a technical requirement but as a strategic market factor and a key element<br>of accountability throughout the entire product lifecycle.<br><br>Against this backdrop, organizations should assess whether they place on the market products with<br>digital elements that fall within the scope of the Cyber Resilience Act. Such an assessment is essential<br>to ensure that the necessary measures are implemented in a timely manner to achieve compliance<br>with both the formal and substantive obligations introduced by the Regulation.<\/p>\n\n\n\n<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-kytf5\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-kytf5 \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-kytf5 button-1 undefined\" data-id=\"eb-advance-heading-kytf5\"><h2 class=\"eb-ah-title\"><span class=\"first-title\"><\/span><\/h2><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Regulation (EU) 2024\/2847 (the Cyber Resilience Act) introduces a harmonized Europeanframework on cybersecurity applicable to products with digital elements. The new regulation forms part of the European Union\u2019s broader strategy to strengthen the cyberresilience of the internal market. It complements the existing regulatory framework \u2013 particularlythe NIS 2 Directive, which focuses on security measures for [&hellip;]<\/p>\n","protected":false},"author":36,"featured_media":29688,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_eb_attr":"","footnotes":""},"categories":[448,452,458],"tags":[],"ppma_author":[482],"class_list":["post-29690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-client-alert-en","category-compliance-en","category-legal-tech-en"],"acf":[],"authors":[{"term_id":482,"user_id":36,"is_guest":0,"slug":"pavesio-studio-legale","display_name":"Pavesio Studio Legale","avatar_url":"https:\/\/pavesioassociati.it\/wp-content\/uploads\/2022\/02\/100x100px.jpg","user_url":"","last_name":"","first_name":"","job_title":"","description":""}],"_links":{"self":[{"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/posts\/29690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/comments?post=29690"}],"version-history":[{"count":5,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/posts\/29690\/revisions"}],"predecessor-version":[{"id":29704,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/posts\/29690\/revisions\/29704"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/media\/29688"}],"wp:attachment":[{"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/media?parent=29690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/categories?post=29690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/tags?post=29690"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/pavesioassociati.it\/en\/wp-json\/wp\/v2\/ppma_author?post=29690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}