South African companies exporting IoT devices to the European Union (EU) face a significant regulatory shift. The EU’s Cyber Resilience Act (CRA) becomes mandatory in December 2027, and manufacturers with products already in the European market need to act now, according to Renaldo Fibiger, field application engineer at Altron Arrow.
“While the South African market remains largely unaffected, customers active in the EU, particularly those with products already in the field, may face significant recall obligations if compliance issues arise,” he explains.
This is why Altron Arrow is reminding manufacturers that sell products in the EU to assess the risks now and determine their exposure before the regulation takes effect. “The more critical the device is, the more stringent the compliance requirements will be,” Fibiger notes. “These are EU regulations, but it remains to be seen whether similar legislation will affect South Africa more broadly.”
What South African manufacturers need to know
The CRA requires hardware and software products sold in the EU to meet cybersecurity standards throughout their entire lifecycle. Critically, the act applies retroactively to existing products. While the act came into force in late 2024, with reporting required from 2026, full compliance becomes mandatory from December 2027.
• The act’s reach is extensive. Any product that runs code falls within its scope, including laptops, gate controllers, routers, home automation devices, medical devices, and some software applications. While full-size motor vehicles are exempted from the act, automotive components in the supply chain must comply.
• Manufacturers are responsible for the entire lifespan of the product, typically ten years (or fifteen, in the case of products developed for military applications). This includes notifying the market of any vulnerabilities within 24 hours, providing security updates to address vulnerabilities and informing users about the support period for updates.
• The financial stakes are significant. Non-compliance could result in fines of up to 5% of total yearly revenue.
The three tiers of security required
The CRA assesses cybersecurity requirements based on the level of risk associated with a product, creating three classes of security:
Default classification: this is the lowest risk category and encompasses most devices, including printers and smart home automation products. Companies can typically self-assess compliance, provided they align with EU standards.
Important products require external third-party assessments for CE certification. This classification tier is split into two classes:
1. Class I covers less sensitive products like routers, home security devices, password managers, browsers, and antivirus software.
2. Class II encompasses higher-risk products including hypervisors, firewalls, and tamper-resistant microcontrollers and microprocessors.
Critical products already fall under the European Common Criteria-based cybersecurity certification scheme (EUCC). These include smartcards, hardware devices with security boxes, and smart meter gateways.
Cost implications of non-compliance
The cost implications for a South African manufacturer found in breach of the CRA are substantial. “While I support the regulation’s objectives, I understand manufacturers’ concerns regarding potential product recalls,” says Fibiger.
At this stage, he does not anticipate South Africa adopting these kinds of regulations in the immediate future but notes that the landscape could change. “Should similar legislation be introduced locally, businesses will need to adapt quickly.”
Fortunately, South African exporters in the IoT space are not without support in managing this transition. “At Altron Arrow, we work across both electronic components and cybersecurity, enabling us to guide manufacturers through the compliance process,” Fibiger says. “With proper preparation, the transition should be manageable.”
For more information on CRA compliance support, visit https://eu1.hubs.ly/H0plz9p0
For South African manufacturers selling into the EU market, December 2027 will arrive sooner than expected. The question is not whether to comply, but whether you have started preparing.