As connected products are now ubiquitous in our daily lives and professional infrastructures, their cybersecurity has become a major challenge. In response to this trend, the European Parliament and the Council of the European Union have adopted the Cyber Resilience Act (CRA), a regulation that will soon impose minimum cybersecurity requirements for all products with digital elements placed on the European market.
Why a new regulation?
Connected objects, control systems, software, applications, and security equipment: many of these products still contain vulnerabilities that can be exploited by cyberattackers.
Weak passwords, a lack of security updates, or insufficient data protection can turn a connected product into an entry point for wider attacks targeting businesses, critical infrastructure, or private users.
The Cyber Resilience Act aims to strengthen the security of these products from their design phase and throughout their entire lifecycle.
Who is affected?
The regulation applies to all manufacturers placing products with digital elements on the European market, whether they are established within the European Union or not.
In particular, it mandates:
- The integration of cybersecurity measures right from the product design stage;
- Vulnerability management and remediation throughout the product's lifespan;
- Improved transparency towards users;
- The reporting of certain vulnerabilities and security incidents.
Importers, distributors, conformity assessment bodies, and market surveillance authorities are also affected by certain provisions.
When does the CRA come into effect?
Regulation (EU) 2024/2847 was published in the Official Journal of the European Union on November 20, 2024.
Its general application will begin on December 11, 2027.
However, certain obligations will come into force sooner:
- June 11, 2026: Provisions relating to the notification of conformity assessment bodies;
- September 11, 2026: Obligations to report certain vulnerabilities and incidents.
What are the impacts on fire safety and intrusion detection products?
The CRA introduces several product categories, each subject to conformity assessment procedures of varying strictness.
According to the analysis published by Euralarm, the majority of electronic fire safety and physical security products fall under the so-called "default" category.
However, some specific products, notably certain access control equipment or smart home products embedding security functions, may be classified as Class I Important Products, carrying additional conformity assessment requirements.
ANPI monitors developments in the European regulatory framework
Faced with the emergence of new cybersecurity requirements, ANPI is actively monitoring European regulatory developments in order to support the fire safety and security sector in understanding these new obligations.
Leveraging its recognized expertise in testing, certification, and inspection, ANPI is currently analyzing the impacts of the Cyber Resilience Act on fire safety and intrusion products, as well as future support opportunities for manufacturers.
Preparing today
Even though the full application of the regulation will not take effect until 2027, manufacturers are encouraged to anticipate these new requirements now. Cybersecurity is progressively becoming an essential criterion for quality and trust, on par with functional safety or regulatory compliance. For stakeholders in the fire safety and security sectors, the CRA represents a major shift that will reinforce the resilience of connected products against cyber threats and contribute to improving overall user safety.
Contact ANPI experts to discuss regulatory developments and stay informed about future initiatives related to connected product cybersecurity.
Find out more
- Regulation (EU) 2024/2847 on the Cyber Resilience Act
- Centre for Cybersecurity Belgium (CCB)
- Euralarm – Electronic fire safety and security products under the CRA
- Or contact us via certification@anpi.be
