“Navigating New Regulations: Essential Guide for Manufacturers on Cybersecurity in the Digital Age”


# The Importance of Cybersecurity Regulations: A Practical Guide for Manufacturers

The digital age brings extraordinary opportunities but also significant challenges. In recent years the level of security expected from software and hardware products has risen sharply. In response, the European Union has adopted a new regulation, the Cyber Resilience Act (Regulation (EU) 2024/2847), which sets specific deadlines and technical requirements that manufacturers must meet before placing "products with digital elements" on the EU market. This article gives an overview of the main provisions, the requirements for each product category, and specific guidance for manufacturers.

## Deadlines and Reporting Obligations

The first point to note is timing. The regulation entered into force on December 10, 2024, and most of its obligations apply from December 11, 2027. Two parts apply earlier: the provisions on conformity assessment bodies apply from June 11, 2026, and the obligation to report actively exploited vulnerabilities and severe incidents (Article 14) applies from September 11, 2026. Manufacturers therefore need to start preparing now, since a product sold after December 11, 2027 must already be compliant, and reporting processes must be operational more than a year before that.

## Product Classification: Normal, Important, and Critical

The regulation classifies products into three categories: default products (referred to here as "normal"), important products (listed in Annex III, split into class I and class II), and critical products (listed in Annex IV). Each category carries distinct technical requirements and a distinct conformity assessment procedure.

### Normal Products

Normal (default) products are any hardware or software products with digital elements that are not listed in Annex III or Annex IV, together with their remote data processing solutions. Manufacturers of these products must meet the essential requirements of Annex I: Part I sets the product security requirements (secure by default configuration, no known exploitable vulnerabilities at release, access control, data protection, attack surface reduction, logging, secure updates), and Part II sets the vulnerability handling requirements, including a documented vulnerability management process. Conformity can be self-assessed (internal control). This is the baseline every product must reach.

### Important Products

Important products are those whose core functionality is security-related, or whose compromise could have a significant impact on other systems or on the safety of individuals. Annex III class I includes, for example, identity management systems, browsers, password managers, VPN products, operating systems, routers and switches, and microcontrollers with security functions; class II includes hypervisors, container runtimes, firewalls, and intrusion detection and prevention systems. By December 11, 2025, the European Commission is to publish guidance clarifying the scope of these categories. Conformity assessment follows Article 32: a class I product may be self-assessed only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme, otherwise a notified body must be involved; class II products always require third-party assessment.

### Critical Products

Critical products are listed in Annex IV and currently cover hardware devices with security boxes, smart meter gateways, and smartcards or similar devices including secure elements. For these products the Commission may require a European cybersecurity certificate, issued under a scheme adopted pursuant to the Cybersecurity Act (such as the EUCC scheme, which is based on the Common Criteria), at assurance level "substantial" at least. Where no such certification is required or no scheme is available, the manufacturer must use a third-party conformity assessment procedure under Article 32 (EU-type examination followed by conformity to type, or full quality assurance). The rigorous certification demanded for critical products reflects their role in the security of the information systems that depend on them.

## Guidelines for Manufacturers

### Risk Assessment

A central obligation for manufacturers is to carry out and document a cybersecurity risk assessment for each product, and to keep it up to date through the product's lifecycle. The assessment drives the choice of technical and process security controls, covering development, maintenance, support and vulnerability handling. Security updates must be provided for the product's support period, which must reflect its expected lifetime and, as a rule, be at least five years; once issued, a security update must remain available for at least ten years or for the remainder of the support period, whichever is longer.

### Technical Documentation and Tracking

The regulation requires detailed technical documentation (Annex VII) covering, among other things, the risk assessment, the design and development, the vulnerability handling process and the evidence of conformity, as well as an EU declaration of conformity (Annex V) and CE marking. Products must carry identification enabling traceability (type, batch or serial number), and manufacturers must provide users with adequate information and instructions (Annex II), including the end date of the support period and a contact point for reporting vulnerabilities, complaints and product recalls. These requirements create a clear and useful channel of communication between manufacturers and users.

### Incident and Vulnerability Notification

Manufacturers must notify any actively exploited vulnerability in their product, and any severe incident affecting its security, to the CSIRT designated as coordinator in their Member State and to ENISA, via the single reporting platform. The deadlines are tight: an early warning within 24 hours of becoming aware, a full notification within 72 hours, and a final report within 14 days for vulnerabilities or one month for incidents. Manufacturers must also publish a coordinated vulnerability disclosure policy and a contact address so that users, researchers and other third parties can report vulnerabilities, creating a feedback loop that continuously improves product security.

## Free and Open Source Software

The regulation also addresses free and open-source software. Open-source software developed or supplied outside a commercial activity is out of scope; open-source software placed on the market in the course of a commercial activity is a product like any other and must meet the same essential security requirements as proprietary products. A lighter regime applies to "open-source software stewards" (such as foundations that support the development of open-source components intended for commercial use), who must put in place a cybersecurity policy and cooperate with market surveillance authorities but are not subject to the full set of manufacturer obligations.
