Prepare for the Cyber Resilience Act with the IT Security Label

Design digital products securely and gain market advantages today

Manufacturers benefit from the IT Security Label in two ways: they prepare now for the mandatory regulation of the EU Cyber Resilience Act (CRA) starting in 2027, while already making the cybersecurity of their products a selling point today. The existing requirements of the IT Security Label will gradually align with the security objectives of the CRA, allowing manufacturers to integrate them early into their product development.

Products with the IT Security Label are listed with an individual product information page on the BSI website. Consumers can access this directly via a QR code on the label. There, they can quickly and easily learn about the security features of a product. This creates transparency and guidance.

Dr. Markus Richter, State Secretary at the BMI and CIO of the federal government, on the IT Security Label and the CRA

What does this mean for me as a manufacturer?

The product-related requirements of the IT Security Label already address the security objectives of the Cyber Resilience Act. Therefore, the commitment to the voluntary IT Security Label supports the upcoming European regulations. There is still a need for additions regarding the process requirements in the areas of vulnerability handling, risk management, and documentation obligations.

For the product category "Smart Consumer Devices" - which includes most IoT and smart home products - the first product-specific supplementary document is already available with the Cyber Resilience Guidance for Smart Consumer Devices. Together with industry and society, the BSI will further develop the requirements of the IT Security Label in the context of the CRA. The insights gained from this process could potentially be used in European-level standardization.

With the IT Security Label, manufacturers also commit to reporting any known vulnerabilities to the BSI and addressing them in a timely manner. In line with the CRA, products with the IT Security Label will be randomly and selectively tested for actual compliance. This gives manufacturers the opportunity to familiarize themselves with the mechanisms of vulnerability management and market surveillance now, without being subject to the regulatory obligations of the CRA.

Do I automatically meet the requirements of the CRA with the IT Security Label?

The requirements of the IT Security Label and the supplementary documents published by the BSI provide specific guidelines for the product-related implementation of the CRA.

However, proper implementation depends on the manufacturer's risk analysis. In individual cases, this may go beyond the basic protection provided by the IT Security Label.

The IT Security Label cannot guarantee full compliance with the CRA nor establish a presumption of conformity. However, to provide manufacturers and suppliers with the best possible preparation, the IT Security Label will gradually be aligned with the security objectives of the CRA, and relevant process requirements will be addressed through supplementary documents.

Any further questions?

The BSI is happy to advise interested manufacturers and service providers on applying for the IT Security Label. Schedule an appointment directly at: it-sicherheitskennzeichen@bsi.bund.de

Apply now!