Cyber Resilience Act: strengthening the cybersecurity of products
With the introduction of the Cyber Resilience Act (CRA), the EU is setting new standards for the security of digital products and their software. The CRA establishes mandatory cybersecurity requirements for all products with digital elements that are manufactured, imported or distributed in the EU. The aim is to identify security vulnerabilities at an early stage, minimise risks and ensure end-to-end cybersecurity throughout the entire lifecycle of a product.
TÜV SÜD helps companies meet regulatory requirements by providing comprehensive security assessment, penetration testing, software analysis and certification services. This includes:
- Risk assessment and vulnerability analysis: identification of potential security vulnerabilities and development of measures to minimise risk.
- Secure Software Development Lifecycle (SDLC) assessments: support in implementing secure development processes to meet CRA requirements.
- Certification and conformity assessment: verification that products meet the new security requirements, including the issue of corresponding certificates.
“The Cyber Resilience Act presents companies with new challenges, but also offers a great opportunity to sustainably improve the security of digital products,” explains Stefan Würth, Senior Manager Automotive & Industrie Security at TÜV SÜD. “We help manufacturers to meet the legal requirements and to raise the security level of their products.”
NIS-2 Directive: Critical Infrastructure and Organisation Protection
The new EU directive on network and information security (NIS-2) came into force in 2024 and extends the requirements for companies in critical and essential sectors. Companies must implement stricter cybersecurity measures, carry out improved risk analysis and prepare for extensive reporting requirements.
TÜV SÜD offers companies targeted support in implementing the NIS-2 requirements, including:
- Gap analysis for compliance with the NIS-2 directive: assessment of existing security measures and identification of optimisation potential.
- Creation and implementation of security guidelines: development of customised security strategies for organisations.
- Penetration tests and attack simulations: testing resilience to cyber attacks and vulnerability assessments.
- Awareness training for employees: raising awareness of cyber threats and training in safe behaviour in the corporate environment.
“The NIS-2 Directive has a far-reaching impact on companies in many sectors. TÜV SÜD helps to implement the necessary measures at an early stage and to increase cyber security in the long term,” Würth continued.
RED: new requirements for connected devices
From 1 August 2025, new regulatory requirements for the cybersecurity of radio equipment in accordance with the Radio Equipment Directive (RED) will come into force. These particularly concern network security, protection of user privacy and the avoidance of financial fraud risks with functional, networked devices.
TÜV SÜD offers manufacturers comprehensive testing and certification services to ensure that their products comply with the new requirements of the RED directive. These include:
- Security tests for connected devices: checking IoT products for data protection and tamper-resistance.
- Evaluation of network security: testing for weak points in wireless communication and protective measures against attacks.
- Conformity assessment according to the new RED requirements: ensuring that products meet the new safety standards and remain marketable.
“The new requirements of the RED directive ensure that connected devices are not only reliable, but also secure against cyber threats,” says Würth. “With our comprehensive testing procedures, we ensure that manufacturers and suppliers meet the increasing requirements.”
TÜV SÜD at embedded world 2025
At embedded world 2025, TÜV SÜD’s experts will be available for technical discussions and to provide companies with individualised information on the challenges of the new cybersecurity directives. Visitors will have the opportunity to learn about best practices and specific solutions for compliance with the Cyber Resilience Act, the NIS-2 Directive and the Radio Equipment Directive.
About embedded world
The embedded world Exhibition&Conference is an international meeting place for the embedded community, leading experts, key players and industry associations. It offers a comprehensive insight into the world of embedded systems, from components and modules to operating systems, hardware and software design and machine-to-machine communication. The event focuses on technologies, processes and future-oriented products and is an important date for developers, system architects, product managers and technical management.
More information:
TÜV SÜD AG
Westendstraße 199
80686 München
Phone: +49 (89) 5791-0
Fax: +49 (89) 5791-1551
http://www.tuvsud.com/de
Press spokesperson
Phone: +49 (89) 5791-1592
Fax: +49 (89) 5791-2269
E-Mail: Dirk.Moser-Delarami@tuvsud.com