Cyber Resilience and Data Act
In future, manufacturers of networked devices will have to fulfil the requirements of several new directives: the Cyber Resilience Act, the Data Act and the new Radio Equipment Directive. Who is affected? How can the requirements be implemented most efficiently?
Cyber Resilience Act
From the end of 2027, the Cyber Resilience Act will apply: manufacturers will be responsible for the IT security of networked devices – throughout their entire service life. This will be a challenge in many consumer sectors. Many industrial sectors have already taken the first steps. The Machinery Directive, for example, also requires IT security measures. However, there are major differences depending on the sector. The following flowchart shows which products are affected:

Further new regulations
Besides the Cyber Resilience Act, there are further new EU regulations which are keeping manufacturers of networked devices busy: the Data Act gives customers sovereignty over their data, and the Radio Equipment Directive was given an addition for internet-connected devices in 2022.
Data Act
Although the Cyber Resilience Act is more present in the media, the Data Act is likely to affect more manufacturers. Since September 2025, when the Act came into force, the data stored and transmitted by a device belong to the customer. Customers must be able to use the data themselves and also decide whether they want to pass it on – for example to the manufacturer of the device. The following flowchart shows which products are affected:

Radio Equipment Directive
Until now, the Radio Equipment Directive (RED) has primarily regulated electromagnetic compatibility and personal safety. In 2022, the RED was supplemented with an addition for the cyber security of internet-enabled radio equipment. The new directive has applied since August 2025 and affects all devices, machines and systems with wireless interfaces.

Best Practices
At SCS, we have experience from realised projects in areas such as marine, aviation, rail, medical or energy in protecting systems against cyber attacks by design (security by design) and in making data available to users via suitable interfaces (data access by design). Contact us if you want to take a closer look at one of your products to see whether one of the EU directives affects you and how the requirements could be met.
