Germany's BSI Takes Lead on Enforcement of EU Cyber Resilience Act, Posing New Challenges and Opportunities for Businesses

Germany's Federal Office for Information Security is leading enforcement of the EU Cyber Resilience Act, setting new cybersecurity requirements and compliance deadlines for businesses.

Key details

  • The BSI is the main supervisory body enforcing the EU Cyber Resilience Act in Germany.
  • Manufacturers must meet cybersecurity standards by December 2027 or face market bans.
  • A vulnerability reporting obligation begins in September 2026, requiring 24-hour disclosures.
  • BSI will increase staff to manage enforcement, with considerable government investment.
  • The CRA poses challenges but also offers trust and competitive advantages for compliant companies.

Germany's Federal Office for Information Security (BSI) has assumed central supervisory responsibility for the enforcement of the European Union's Cyber Resilience Act (CRA), which imposes stringent mandatory cybersecurity requirements on digital products. The CRA, a key piece of EU legislation, mandates that manufacturers of digital software and hardware perform risk assessments and implement minimum cybersecurity measures by December 2027. Products failing to meet these standards will be banned from carrying the CE mark and cannot be sold in the EU market.

Starting September 2026, the CRA introduces a mandatory vulnerability reporting obligation requiring disclosures within 24 hours. The BSI will also coordinate the notification of conformity assessment bodies and scrutinize products suspected of non-compliance. It is empowered to issue product recalls and impose sanctions aligned with EU law, including fines up to €15 million or 2.5% of a company's global annual revenue.

To meet these expanded demands, the BSI will significantly boost its workforce, with plans from the Federal Ministry of the Interior to add 141 new positions by 2029. This is part of broader government investment totaling approximately €14.6 million annually and a one-time €10 million expenditure for establishing a cyber resilience test laboratory. The BSI's staffing has grown from 660 positions in 2016 to an expected 1,870 by 2026, reflecting the agency's expanding remit.

While the CRA introduces substantial organizational and technical challenges—particularly for small and medium-sized enterprises (SMEs)—it also opens opportunities. Enhanced cybersecurity compliance is expected to increase trust and potentially offer a competitive market advantage. The BSI plans to support manufacturers through training sessions, awareness campaigns, and a complaint office for consumers.

The CDU Economic Council has highlighted the importance of government backing by providing practical implementation guidelines and ensuring sufficient capacity at conformity assessment bodies to manage the new obligations effectively. The CRA is part of a wider EU cybersecurity framework that includes directives like NIS-2 aimed at strengthening overall digital security in the region.

Collectively, these developments signify a major step in EU efforts to fortify the cybersecurity of digital products, with Germany positioned as a pivotal enforcer through the BSI, reshaping compliance landscapes for businesses across the country and the continent.

This article was translated and synthesized from German sources, providing English-speaking readers with local perspectives.
