Technical Guideline for Cyber Resilience Requirements

The Cyber Resilience Act (EU) 2024/2847 was published in the Official Journal of the European Union on 20 November 2024. As already reported in our technical article on the new Cyber Resilience Act, the new regulation defines security requirements for products. These requirements can be difficult to understand for people without prior knowledge of IT or OT security. The German Federal Office for Information Security (BSI) offers support with a publication. In this technical article, you will find an overview of the parts of the technical guideline.
 

Objective and parts of the Directive

The aim of Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products is to provide manufacturers with advance notice of the type of requirements they will face under the Cyber Resilience Act (CRA). This will enable manufacturers of products with digital elements to prepare for the implementation of Regulation 2024/2847 before the CRA comes into force.

The above-mentioned publication consists of three parts. At present, only parts 2 and 3 have been published.

Part 2 (Software Bill of Materials – SBOM) describes what the CRA's requirements regarding the verification of software supply chains might look like. The final version of part 2 was published in a new edition in September 2024.

Part 3, entitled ‘Vulnerability Reports and Notifications’, provides recommendations on how to deal with incoming vulnerability reports and was made available by the BSI in its first final edition at the end of August 2025. The full texts of the two technical guidelines can be accessed via the respective links:

The first part, which specifies and explains the numerous requirements imposed on manufacturers by the Cyber Resilience Act, was published at the end of September 2024 as a so-called community draft. We will, of course, inform you as soon as we learn that the final version of this part has also been published.

The first part of the technical rule already highlights fundamental requirements for manufacturers and products from the draft document:

1. Security design: Products with digital elements must be developed, produced and updated securely. Manufacturers are obliged to implement best practices in the software development cycle and ensure security requirements such as the protection of data confidentiality and integrity.

2. Risk assessment: Manufacturers must conduct a risk analysis over the entire life cycle of the product to identify potential threats and their impact. This analysis must be documented and regularly updated.

3. Security updates: Products must receive regular security updates to fix vulnerabilities. Manufacturers are obliged to provide an automatic update mechanism that is activated by default. In addition, users must be informed of available updates and be able to postpone updates temporarily.

4. Access control: Measures must be implemented to protect against unauthorised access, including strong authentication mechanisms and the ability to set individual passwords.

5. Vulnerability management: Manufacturers must operate a system to identify, assess and remediate vulnerabilities. They must inform users of any security vulnerabilities that are discovered and provide updates in a timely manner.

6. Documentation: Comprehensive technical documentation is required, including information on design, development processes and security risks. This documentation should also include details of tests performed and components supported.

In summary, the requirements aim to ensure that products are developed securely and continuously updated to withstand potential cyber threats and keep users safe.
 

Conclusion and further information

In our opinion, the work of the BSI makes a very valuable contribution to making cyber requirements significantly more tangible for manufacturers of machinery, systems and electrical equipment. Further information and the full text of the draft document for Part 1 can be accessed and downloaded from the BSI website.

Tip:

Register now for our free CE InfoService and stay informed about relevant news in the field of product compliance (e.g. the publication of the first part of TR-03183).

Posted on: 2025-09-10 (last amendment)