As digital systems connect everything from homes to hospitals, cybersecurity has become inseparable from product safety and compliance. Here’s how new cyber resilience rules are redefining how engineers and manufacturers must design, document, and defend their devices.
The New Compliance Trinity
Cybersecurity used to belong to IT departments. Today impacts everyone.
From smart thermostats to industrial controllers, every connected product now sits within the reach of hackers, and regulators wants to assess it.
Across the world, governments are responding with new frameworks that treat cybersecurity, data protection, and cyber resilience as a single, inseparable compliance pillar.
The EU Cyber Resilience Act (CRA), NIS2 Directive, and sector-specific standards like IEC 62443 or ISO/SAE 21434 for automotive systems are rewriting what it means to be “safe.”
This isn’t just about encryption or passwords. It’s about ensuring products remain secure throughout their entire lifecycle, from design and manufacturing to post-market updates. And for engineers used to EMC or safety certification, this new wave of regulation brings both familiar structure and new complexity.
From Product Safety to Cyber Resilience
In the past, compliance focused on protecting users from the product.
Now, cybersecurity adds a second dimension: protecting the product from the world. This is true also for industrial machinery, now covered by EN 50742.
This dual view of safety and security is driving what the EU calls a “secure-by-design” approach. Under the Cyber Resilience Act, manufacturers of connected devices must:
- Identify and mitigate cybersecurity risks from the design stage;
- Maintain a security risk management system (similar to ISO 14971 in safety);
- Ensure vulnerability handling and patch management after product launch;
- Provide clear security update policies and support periods;
- Report actively exploited vulnerabilities to authorities within 24 hours.
For engineers, this introduces a new compliance rhythm: the job doesn’t stop at certification — it continues in maintenance.
The NIS2 Directive: Expanding the Perimeter
While the CRA focuses on products, the NIS2 Directive targets organizations that operate critical services or digital infrastructure.
It requires companies to adopt risk management and incident response measures, ensure supply chain security, and prove that security is part of corporate governance.
If your product becomes part of a larger connected ecosystem, NIS2 compliance might apply indirectly. This can happen if your product is like a medical device feeding hospital data or an industrial controller linking to a SCADA network. Compliance might occur through your customer’s obligations.
That’s why cybersecurity requirements are flowing downstream: even suppliers must show they’re part of a secure chain.
Cyber Resilience: The Missing Link Between Safety and Security
Safety and cybersecurity are no longer separate specializaitions, they converge in resilience.
Regulators define resilience as the ability of a product or system to continue operating safely under stress, whether that stress comes from a surge, a failure, or a cyberattack.
In practical terms, this means:
- Hardware robustness — protecting against tampering or physical intrusion.
- Software integrity — ensuring firmware and updates are authenticated and signed.
- Redundancy and recovery — systems must degrade gracefully, not catastrophically.
For compliance teams, this adds a new dimension to risk analysis: what happens if the system is attacked while performing a safety function?
That question is now part of certification audits in several sectors, including medical, automotive, and energy.
How to Prepare: Building Compliance Around Security
Just like EMC or electrical safety, cybersecurity compliance works best when planned early.
Here are key steps to align with upcoming laws like the CRA or NIS2:
- Perform a cybersecurity risk assessment: identify threats, vulnerabilities, and potential impacts on safety or privacy.
- Adopt lifecycle management: track components, firmware versions, and patch history.
- Document everything: security policies, test reports, and design decisions are now auditable.
- Use standards: IEC 62443 (industrial), ISO/IEC 27001 (information security), EN 303 645 (IoT) or EN 50742 to provide recognized frameworks.
- Collaborate with certification bodies early: some markets will require notified body involvement for high-risk devices.
The earlier you embed these controls, the smoother the certification path will be.
Where to begin
Many companies underestimate the post-market phase of cybersecurity compliance.
To stay compliant, maintain an active vulnerability management system and keep track of security updates.
Under the CRA, failing to provide ongoing updates or disclosing vulnerabilities late can result in penalties similar to those of GDPR — and loss of market access.
Conclusion
Cybersecurity is no longer an optional layer; it’s part of the core compliance structure.
The line between IT and product engineering has disappeared, replaced by a unified concept of regulatory resilience.
For engineers, this shift offers an opportunity: to apply the discipline of safety engineering to digital threats.
The same mindset that drives compliance in electrical safety, systematic risk analysis, documentation, verification, can now help secure the digital frontier.
