TrustSource provides support in meeting regulatory requirements
As the IT industry matures and the prevalence and understanding of the criticality of software-based solutions grows, so too do regulatory requirements for software. In particular, the European Commission’s Cyber Resilience Act (CRA) sets new standards for the software development of products with digital elements.
But it is not only the CRA that requires software providers to take a strong risk-oriented approach. Other regulations also focus on IT and user security:
Cyber Resilience Act (CRA)
The CRA is the first piece of legislation that will come into force in all EU countries in October 2025, requiring manufacturers of products with digital elements to ensure the security and fault-free functionality of their products throughout their expected lifetime. Affected suppliers must meet the following requirements if they wish to continue selling their products in Europe:
- Provide a Software Bill of Materials (SBOM), see Annex I
- Carry out regular risk assessments of security threats and document them, see Art. 13 III and IV
- Provide a declaration of conformity, see Art. 13 XII or Art. 28 I and Annex IV
- Affix the CE mark, see Art. 12 XII or Art. 30 I
- Define a support period during which the provider will deliver security updates (at least 5 years, or the expected useful life), see Art. 13 VIII, S2 ff.
- Provide free security updates during this period, which in turn must be kept available for 10 years, see Art. 13 IX
- Provide technical documentation in accordance with Art. 13 III and Annex VII
- Set up and describe a coordinated vulnerability disclosure (CVD) procedure, see Art. 13 VIII
- Implement the reporting obligations of Art. 14
EU Network and Information Systems Directive v2 (NIS2)
The new, second Network and Information Systems Directive (NIS2) is a comprehensive legal framework introduced by the European Union (EU) to improve the cybersecurity and operational stability of critical infrastructures and digital service providers. NIS2 builds on the original Network and Information Systems Directive (NIS) and extends its scope to a wider range of sectors and entities. Specifically, the directive requires:
- Risk management: The directive requires organisations to implement robust risk management practices to identify, assess and mitigate cybersecurity risks.
- Incident reporting: NIS2 requires companies to report serious cybersecurity incidents to national authorities within strict time limits.
- Supply chain security: The directive also requires companies to assess and manage the risks associated with their suppliers and service providers.
- Governance and accountability: NIS2 places great emphasis on governance and accountability, requiring companies to establish clear roles and responsibilities for cybersecurity management. Senior management and the board of directors are responsible.
- Supervision and enforcement: National authorities are empowered to conduct inspections, impose sanctions and take enforcement action against non-compliant companies.
- Information sharing and cooperation: NIS2 promotes information sharing and cooperation between companies and authorities for the exchange of threat information and incident reports in order to improve collective cybersecurity resilience.
For KRITIS companies, NIS2 supplements the cybersecurity aspect of the Critical Entity Regulation (CER), which requires comparable measures at the physical level.
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is a comprehensive legal framework introduced by the European Union (EU) to improve the operational resilience of financial institutions and critical third-party providers. To this end, comprehensive ICT risk management must be established to enable regular assessments of service providers. Specifically:
- Risk management for third parties: DORA places great emphasis on the management of risks associated with third-party providers. Financial institutions must conduct due diligence checks on third-party providers, monitor their performance, and ensure that they comply with the same resilience standards.
- Incident reporting: The regulation requires serious ICT incidents to be reported to the competent authorities. Financial institutions must have mechanisms in place to detect, report, and respond to ICT incidents to ensure transparency and accountability.
- Digital operational resilience testing: DORA requires financial institutions to regularly test their ICT systems and processes to ensure they can withstand and recover from disruptions. This includes penetration testing, vulnerability analysis, and resilience testing.
- Governance and accountability: The regulation emphasizes the importance of governance and accountability in managing ICT risks. Financial companies must establish clear roles and responsibilities for ICT risk management, with senior management and the board of directors playing an important role in overseeing resilience measures.
- Supervision and enforcement: DORA introduces supervisory and enforcement mechanisms to ensure compliance with the regulation. Supervisory authorities are empowered to conduct inspections, impose sanctions, and take enforcement action against non-compliant companies.
Medical Device Regulation (MDR)
The European Medical Device Regulation (MDR) is a comprehensive legal framework that replaces the Medical Device Directive (MDD) to ensure the safety and performance of medical devices within the European Union (EU). The MDR, officially known as Regulation (EU) 2017/745, originally came into force on May 26, 2021, and aims to address the gaps and challenges identified in the previous directive and improve the monitoring and safety of medical devices. To this end, the following requirements must be observed:
- Solution qualification: Software must be classified into risk classes I, IIa, IIb, and III (Rule 11 Annex VII).
- Software security: The software must be protected against unauthorized access, manipulation, and viruses in order to achieve typical security objectives.
- Software life cycle: The software must be subject to a documented quality management system that complies with the IEC 62304 and ISO 13485 standards.
- Risk management: The manufacturer must establish and apply a risk management system.
- Documentation: Architecture, usability, and validation results must be documented.
- Post-market surveillance: Obligations do not end with the placing on the market. The software must be continuously monitored and patches or updates must be provided regularly.
- Reporting obligation: Safety incidents must be reported promptly.
With most of its requirements, the MDR anticipated most of what the CRA now demands, and the CRA extends those demands to almost all products with digital elements.
Radio Equipment Directive (RED)
The RED is a harmonization directive that regulates the placing on the market of radio equipment and apparatus in the European Union. In addition to ensuring the free movement of goods, it also addresses a high standard of protection. It therefore covers all electrical and electronic products that use radio waves for communication (e.g., Wi-Fi, Bluetooth, mobile communications, etc.). This includes cell phones, tablets, and smartwatches, as well as Bluetooth devices, wireless mice, radios, wireless charging products, and other radio-controlled devices such as drones.
- Protection of health and safety (Art. 3.1a): The devices must not endanger the health of persons or domestic/farm animals. This usually concerns compliance with limit values for electromagnetic fields.
- Electromagnetic compatibility (EMC) (Art. 3.1b): The devices must not cause any unacceptable electromagnetic interference and must be sufficiently immune to interference from other devices.
- Efficient use of the radio spectrum (Art. 3.2): The devices must use the frequency spectrum allocated to them efficiently in order to avoid interference with other radio equipment.
- Network protection (Art. 3.3 d): Protection against threats to the network infrastructure.
- Data protection and privacy (Art. 3.3 e): Protection of personal data and user privacy (e.g., secure storage, easy deletion of data).
- Protection against fraud (Art. 3.3 f): Functions to protect against financial fraud risks (relevant for devices that process payments).
- Uniform charging interface (Art. 3.4): The directive also contains provisions on the harmonization of charging interfaces (known as the “common charger” law), which essentially stipulates the mandatory use of USB-C for many electronic devices. (see also Annex 1a Part 1)
Product Liability Directive (PLD)
The revised PLD explicitly covers software, including AI systems, as well as digital design files (e.g., for 3D printing). The only exception is FOSS that is not used in a business context; in other words, all software in a commercial environment is in scope. An overview of the most important changes:
- Extended scope of liability: the distributor (importer, fulfillment service provider, or operator of online marketplaces) can be held liable if the original manufacturer is located outside the EU and cannot be reached.
- Liability for updates and security: Liability also arises if a product becomes defective or damaged after being placed on the market due to faulty updates or failure to update.
- New types of damage: The loss of data and medically recognized impairment of mental health are recognized as damage.
- New limits: The maximum liability limit of EUR 85 million for personal injury and the deductible of EUR 500 for property damage have been abolished without replacement.
- Easing of the burden of proof: A presumption of evidence is introduced to make it easier for injured parties to assert claims. Under certain circumstances, courts can demand that manufacturers disclose evidence.
The directive has been in force since the beginning of December 2024 and must be transposed into national law by the member states by December 9, 2026.
Do you want to understand which regulations are relevant to you and what the consequences are?
Learn how TrustSource helps you meet all regulatory requirements as a one-stop solution:
Software Composition Analysis (SCA) / Software Bill of Materials (SBOM)
TrustSource offers a variety of options for collecting SBOMs through SCA and storing them in a structured manner: integrated into the CI/CD run, executed via a pre-commit hook or manually, and with TrustSource's own or third-party scanners. TrustSource lets you analyze your own or third-party software, store, analyze, and process the results in a structured way, and provide SBOMs, notice files, or CSAF documents as needed.
Activate your risk management
One of the CRA's main goals is to activate risk management. The TrustSource platform provides unique tooling that lets you enforce and activate risk management consistently throughout your organization. Because risk reports are embedded in the platform and computed instantly, every activity updates the risk profile, so the data is always current. Newly discovered vulnerabilities in your code are immediately reflected in your risk exposure, and risk heat maps update automatically, giving management direct insight into the current exposure.
Organize the end-of-support date
The CRA requires the end-of-support date (EoSSec) to be determined and communicated. TrustSource can show the support phases of the components that make up your solution so that you can determine a suitable date. In addition, TrustSource offers the option of providing OpenEoX-compliant information for each release via API, which can be included in any documentation via QR code.
With the CRA, capabilities move into focus for the first time. TrustSource lets you build your capability documents automatically from the ground up: by assigning capabilities to each module your solution consists of, the final solution comes with the basis for a misuse analysis.
Coordinated Vulnerability Disclosure Process (CVD)
One of the new requirements for software vendors is to provide a CVD process. This typically involves a lot of organisational setup. If your organisation already provides a help desk to its users, this should take less effort, and you may use TrustSource best practices to set up the required steps. If your organisation does not yet provide a help desk, the effort required may be much higher. In this case, you may opt to outsource the process to EACG, the company behind TrustSource.
Read more about the possibilities of the CSAF Trusted Provider here.
Standard-based reporting of security incidents
MDR, NIS2, and CRA require the reporting of exploited vulnerabilities and security incidents to central authorities. TrustSource offers you the option of hosting your own CSAF Trusted Provider. This integrates with the TrustSource solution so that you can use vulnerability information directly for CSAF publication. TrustSource takes care of all the checks and validations that need to be done for such publications. You can use this communication basis for both your customers and the notified bodies. With the help of the TrustSource wizards, publishing a security advisory or a VEX document is a breeze. Try it out…
