Regulatory Focus

Cybersecurity

  • 195 Countries Covered
  • 28 Languages
  • 1062 Regulatory Sources

In the context of modern digital governance, Product Cybersecurity mandates that connectable products are secure by design. It shifts the burden of security from end-users to manufacturers by requiring minimum security standards, mandatory updates, and vulnerability transparency throughout a product’s entire lifecycle to prevent cyber threats.

This policy area forces companies to integrate security into product development, ensuring products are resilient, patched regularly, and legally compliant before entering the market.

Companies typically need to address cybersecurity expectations across the design, development, and lifecycle management of connectable products, including measures for risk identification, vulnerability handling, and secure updates. Obligations also extend to aligning product features and documentation with national strategies and product-specific cybersecurity rules applicable in different jurisdictions.

Regulations in this area typically include the following mandates for manufacturers:

  • Security by design and default
  • Vulnerability management
  • Mandatory support periods
  • Timely security updates
  • Information and instructions to users
  • Incident reporting
  • Software Bill of Materials (SBOM)

We track a wide range of regulations, implementing acts, and technical standards that govern cybersecurity for connectable products. Our coverage spans binding legislation, delegated and implementing measures, draft laws, and labeling or conformity schemes that shape product design, market access, and ongoing compliance across global jurisdictions.

Examples of top-of-mind regulations within our coverage include:

  • EU: Horizontal Cybersecurity Requirements for Products with Digital Elements, Regulation (EU) 2024/2847 (Cyber Resilience Act)
  • EU: Cybersecurity for Internet-Connected Radio Equipment and Wearable Radio Equipment under Radio Equipment Directive (RED), Regulation (EU) 2022/30
  • EU: Repealing Regulation (EU) 2022/30 on Cybersecurity for Internet-Connected Radio Equipment and Wearable Radio Equipment under Radio Equipment Directive (RED), Regulation (EU) 2026/339
  • UK: Product Security and Telecommunications Infrastructure Act (Cybersecurity of Connected Devices), 2022
  • UK: Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products), Regulations, SI No. 2023/1007
  • Australia: Cyber Security Act, November 2024
  • Australia: Cyber Security (Security Standards for Smart Devices) Rules, 2025
  • China: Measures for the Management of Cybersecurity Labelling, Draft Notice, November 2025
  • China: Basic Requirements and Test Methods for Consumer Internet of Things Product Security, Draft Standard, March 2025
  • China: Technical Requirements for Vehicle Cybersecurity, Standard, GB 44495-2024
  • USA: Implementation of the Cybersecurity Labelling Program for Internet of Things, 47 CFR 8, Final Rule, 89 FR 61242, July 2024
  • California (USA): Connected Devices, Privacy and Consumer Protection, Senate Bill 327 Enacted, 2018
  • Japan: Labeling Scheme for IoT Products based on Japan Cyber-Security Technical Assessment Requirements (JC-STAR), 2025
  • Singapore: IoT Cybersecurity Labelling Scheme Overview, Guidance Document, Version 1.3, September 2023
  • Singapore: Cybersecurity Labelling Scheme for Medical Devices, Public Consultation, January 2023
  • Indonesia: Cyber Security and Resilience, Draft Law, February 2025
  • Brazil: Minimum Cybersecurity Requirements for Telecommunications Equipment, Act No 77/2021

Automate the work of managing regulatory change.

Let AI agents do the heavy lifting of monitoring regulations, mapping requirements to products, extracting obligations, and surfacing the risks that need attention first.

Monitor Product Compliance

Stay Ahead of Regulatory Change

Get early visibility into changes that could affect your products, supply chain, or market access—so you can act proactively, not reactively.

Assess Regulatory Applicability

Map Regulations to Your Products

Eliminate manual research and cut through regulatory noise by surfacing only the requirements relevant to your business, markets, and product categories.

Identify Compliance Requirements

Turn complex regulations into clear, actionable tasks.

Give your teams instant clarity as AI agents transform dense legal and regulatory text into structured, easy-to-understand requirements.

Prioritize Business Risk

Focus Where Risk Is Highest

Make faster, risk-informed decisions with confidence as AI agents automatically rank regulatory changes based on urgency, business impact, compliance deadlines, and product exposure.

Spotlight

Turning Compliance into Value

The State of Product Compliance 2026

Discover how 500+ global leaders are shifting product compliance from a cost-centre into a strategic driver of growth, with key benchmarks like 69% of teams calling remediation their biggest challenge.

Frequently Asked Questions

  • Products (hardware and software) that can connect directly or indirectly to the internet, a network, or other devices for data exchange are generally in scope. This includes consumer and industrial IoT devices, smart home products, connected vehicles, medical devices, radio equipment, and other products with digital elements, regardless of whether connectivity is a primary or ancillary function.

  • Companies are expected to address cybersecurity throughout the product lifecycle, including secure design, vulnerability handling, software update management, and clear information for users and authorities. Many regimes also link cybersecurity compliance to market access, conformity assessment, labeling schemes, and post-market monitoring obligations.

  • The EU CRA requires manufacturers to report actively exploited vulnerabilities and severe incidents impacting product security to the national CSIRT and ENISA beginning 11 September 2026. It treats a product vulnerability and a security incident similarly to a data breach under the GDPR – manufacturers must submit an early warning (24 hours), a full notification (72 hours), and a final report (14 days for vulnerabilities; 1 month for incidents). In contrast, the UK PSTI and Australia’s Security Standards do not currently require direct, expedited reporting to the government for every security exploit.

  • While the two laws are highly aligned and share significant principles with the ETSI EN 303 645, compliance with one does not automatically grant compliance with the other due to specific administrative and documentation requirements. Specifically, the Australian Department of Home Affairs has explicitly indicated that manufacturers can use their UK Statement of Compliance for the Australian market, but only if it includes Australian-specific details.
