The state of digital product assurance in 2025
It's an exciting world for digital product developers.
Adopting technology into our everyday lives is a trend that is gathering pace and introducing major opportunities for products and services. However, this rapid consumption of digital products presents very real security impacts. As the CEO of the UK National Cyber Security Centre, Richard Horne, recently warned, "We face enduring threats from hostile states and cyber criminals looking to exploit our dependency on the technology that now underpins all aspects of modern life."
Across the UK and Europe, governments, regulatory agencies, and industry bodies are responding to this new threat landscape by working to improve digital products' cyber resilience. These include:
- Industry bodies such as the Global System for Mobile Communications Association (GSMA) and Chartered Institute of Information Security (CIISec), as well as professional organizations like the UK Cyber Security Council (UKCSC);
- Government departments like the Department for Science, Innovation and Technology (DSIT) and bodies such as NCSC and the National Protective Security Authority (NPSA);
- Multinational and regulatory agencies like the EU Agency for Cyber Security (ENISA).
Alongside the product-specific legislation, it is worth noting early that 'organizational compliance' mandates are also coming into force. These address the security and resilience of the supply chains and technologies that underpin the operation of critical industries. It is increasingly apparent that the Utilities, Banking, and Transport sectors depend on third-party devices (such as payment terminals, ATMs, ticket machines, and so on), creating a 'flow-down' of requirements to the manufacturers of those devices.
Examples include:
- The Digital Operational Resilience Act (DORA);
- The Network and Information Systems Directive 2 (NIS2).
This creates a complex assurance landscape for developers that demands integrating security best practices from the outset. Staying current with evolving standards and adhering to them is essential for safeguarding digital products from exploitation, ensuring long-term security, and maintaining market access.
What products are included?
The most detailed list is within the EU's Cyber Resilience Act (CRA), which defines in-scope products as 'Products with Digital Elements' (PDEs), and the scope is vast. It ranges from 'Default' class products, such as smart home devices, to increasingly critical classes that include routers, operating systems, industrial IoT systems, VPNs, and firewalls.
Broadly speaking, this mirrors the UK's Cyber Resilience Testing (CRT) scheme definitions - 'commodity technology products' versus 'commodity technology whose primary purpose is the delivery of Cyber Security services to others'.
Specific legislation targets categories such as AI or radio-connected devices, while several specialist areas (such as medical devices, transport, or defense) will have bespoke assurance requirements.
What is changing?
Assurance requirements are being published by the groups mentioned above, with a steady focus on improving the security baseline for products before they enter the market and throughout their lifecycle.
At a minimum, self-assessment against these standards is required, placing responsibility squarely on manufacturers, whereas higher tier/class devices will require third-party validation by approved test labs, such as NCC Group's LabUK function, which is UKAS accredited to ISO/IEC 17025:2017.
Key laws, regulations, frameworks, and standards
The EU has taken a proactive lead on this, with a raft of legislation such as the Cybersecurity Act, the AI Act, the Cyber Resilience Act, and directives ensuring that manufacturers have a long-term liability for the health of their digital products. While the EU has announced plans to simplify the requirements set out in the Cybersecurity Act, its focus on strong product assurance is set to continue.
In parallel, the UK is developing its Cyber Resilience Testing (CRT) scheme. Developed around a 'Principles Based Assurance' (PBA) methodology, using a Claims, Arguments, and Evidence (CAE) approach, the CRT scheme will assess a wide range of internet-connected products. Meanwhile, the security requirements for consumer IoT devices set out in the Product Security and Telecommunications Infrastructure (PSTI) Act continue to be implemented.
Outside of Europe, numerous other countries are seeking to tackle the same challenges, such as Australia's plans to mandate security standards (similar to those outlined in the UK's PSTI Act) for consumer IoT devices.
Timescales
- Apr 2025: UK's CRT is due to go live
- Mid-2025: Uplift to the EU's Radio Emissions Directive
- Mid-2025: Review of the EU's Cybersecurity Act
- Sept 2026: EU's CRA vulnerability reporting requirements come into effect
- Dec 2027: EU's CRA security requirements come into effect
Impacts
The impact of noncompliance with these schemes ranges from financial penalties to the loss of access to lucrative markets. The severity often depends on whether the scheme is voluntary, mandatory, or somewhere in between (such as embedded in procurement requirements).
The EU's CRA is legislation and, as such, comes with stringent penalties of €15m or up to 2.5% of global turnover for noncompliance. The UK CRT, on the other hand, is not strictly mandatory but is aimed at providing support to government bodies and critical national infrastructure (CNI) in identifying suitable products. As such, the benefit of participating is to allow access to the government and CNI markets.
Typically, industry bodies develop standards to meet the needs of their member organizations, and therefore they rely on those members to drive adoption of the standards (such as telecommunications providers demanding that their suppliers comply with PSTI, the Telecoms Security Act (TSA), or the GSMA's Network Equipment Security Assurance Scheme (NESAS)).
Understanding the 'ask'
With a proliferation of schemes and obligations, it is vital that organizations:
1) Review upcoming national and multinational regulation and procurement rules to understand whether their offerings will fall within scope. For instance, the EU CRA offers detailed breakdowns of which products it considers to be in scope.
2) Work with their supply chain to understand what obligations will be flowed down to them as suppliers (such as via DORA Article 30 requirements).
3) Recognize that bodies are striving to de-duplicate efforts, such as steps to align the UK's CRT and the EU's CRA.
Next steps
While the volume of incoming rules may seem daunting, the good news is that there are broad areas of overlap between them. A holistic view of an organization's obligations will reveal numerous repetitions of basic best practice requirements, whether undertaking threat modeling or recommendations around passwords and encryption.
The good work currently being done can, if properly marshaled and directed, be used as evidence to support multiple compliance regulations and assurances simultaneously.
"Providing assurance to the security of products and systems is vital to protecting clients, preserving access to markets, promoting security assurance by design, and protecting hard-earned reputation."
We're here to help
At NCC Group, we have a broad range of services that can support organizations with demystifying the complex world of product assurance regulations at multiple levels:
- An ISO/IEC 17025:2017 accredited Commercial Evaluation Facility (CLEF) that offers evaluations and support for GSMA, NCSC, and NPSA schemes.
- Experienced market leaders and consultants with decades of experience auditing against diverse standards and frameworks.
- Our specialist Security Development Lifecycle consultancy team offers actionable, real-world support, inculcating security best practices into development processes.
- Targeted security assessments from testing teams, including software, hardware, and cryptography specialists.
We guide organizations through the initial stages of product assurance certifications and compliance projects, using our specialist teams to provide targeted support to fill gaps as required (and permitted).
Our experts are here to help you.
Don't hesitate to contact us to discuss your specific product assurance requirements and explore how our services can keep you ready and resilient.