General Product Safety Regulation (GPSR)

Cybersecurity: Stronger regulation of product safety

New security requirements came into force in December 2024 governing all consumer goods in the EU – including digital and networked devices. Manufacturers, retailers and online marketplaces are required to take the relevant precautions, especially with regard to risk assessment, cybersecurity and documentation. What’s changing, what companies need to do now – and how bbv can provide support.

23.07.2025 | Text: Xavier Ruchti

The General Product Safety Regulation (GPSR, 2023/988) is the new regulatory framework introduced by the European Union in December 2024, aimed at increasing product safety. This regulation replaces the previous directive from 2001 and introduces important changes for manufacturers, distributors and importers. The product safety directive was revised and updated, in particular, to take account of developments in relation to new technologies and online selling.

The GPSR ensures that all products that are sold in the EU meet basic security requirements. This affects both physical consumer goods and products with digital elements. “Companies that distribute or place goods on the market in the EU must ensure that they meet the new requirements – otherwise they risk fines or trade restrictions”, says Jürgen Messerer, Embedded Software Architect at bbv.

As with the Cyber Resilience Act (CRA), the GPSR is aimed at increasing protection for users and businesses from unsafe products. In the digital age, where many products are increasingly software-controlled and networked, the new regulations take account of the risks posed by new technologies and strengthen market surveillance. “While the GPSR regulates security requirements for consumer goods on the EU market in general – both for physical and digital products – the Cyber Resilience Act focuses strategically on consumer goods with digital elements”, explains Jürgen Messerer.

There are some overlaps in relation to networked devices, IoT products or software solutions. The GPSR ensures that all products available on the EU market – regardless of whether they are sold online or offline – comply with the latest security standards. The Radio Equipment Directive (RED), in turn, sets out detailed and binding security requirements especially for radio equipment and devices that communicate wirelessly.

What’s new in GPSR 2024

  • Extended scope: The GPSR covers not only physical products, but also digital components that may affect the safety of a product. Newly developed, self-learning and predictive functions that use artificial intelligence must be considered in particular.
  • Obligations for online marketplaces: Webshops bear greater responsibility for the safety of the products sold via their platform. In particular, the regulation requires providers of online marketplaces to register on the Safety Gate portal and to designate a central point of contact. Webshop operators are obliged to provide product safety and traceability information and comply with a period of two working days to implement orders issued by market surveillance authorities and a period of three working days to process notifications from third parties.
  • Traceability and labelling: The labelling must ensure that products can be easily identified and traced back to the manufacturer in order to facilitate recalls and inspections.
  • Stricter market surveillance: Authorities have extended powers to remove unsafe products from circulation more quickly.
  • New requirements concerning product recalls: End users must be informed efficiently and comprehensibly about safety risks. Companies have to implement clearly defined recall processes. It is therefore mandatory to use available customer data to inform consumers affected by a recall directly and without delay. Of special relevance for digital products is the requirement to provide clear and understandable recall notices and to offer at least two remedies, such as repair, replacement or refund, whereby a repair may also include a software update.

Who is affected by the GPSR – and what needs to be done

The GPSR is very comprehensive and affects all companies that place products on the market in the EU. This includes both manufacturers, who must ensure that their goods comply with the latest security standards, and importers and distributors. The latter also include operators of online platforms. They must demonstrate that they are taking effective measures to identify and remove unsafe products. This also applies to service providers insofar as they impact product safety, for example companies that provide digital services or software.

The General Product Safety Regulation is already in effect. “Companies should therefore address the new requirements immediately and introduce the following measures depending on the product”, says Jürgen Messerer.

  • Inventory: Affected products that fall under the GPSR must be identified. These also explicitly include digital and networked products as well as products with AI functions. Internal security guidelines and tests must be reviewed and adjusted if necessary. Technical documentation must be created and updated and include a risk analysis. Employees should receive adequate awareness training.
  • Cybersecurity: It must be clarified whether the products contain digital or networked components that pose security risks. The resulting cyber risks, insofar as they can impair product safety or the health of users, must be considered as part of the general risk analysis under the GPSR. IoT products must be designed to be intrinsically secure or properly protected against cyberattacks. A hazard analysis shows where the risks lie and how they can be assessed.
  • Obligation to report incidents: Fast and efficient reporting and coordination via a central system, such as Safety Gate, is essential for the safety of digital products, where risks can spread quickly. The Safety Gate rapid alert system was established in the European Economic Area as a health protection network, in which authorities can share information in real time concerning unsafe products. Online marketplaces are obliged to register on the portal. The modernised Safety Gate system, especially the Safety Business Gateway, serves as a central mechanism that requires economic operators and online marketplaces to report dangerous products and accidents. It is also used as a means of sharing information with the authorities.
  • Transparency: Compliance with the new traceability requirements must be ensured for products. New processes may need to be implemented to adapt recalls and fault reports to the new regulations so that unsafe products can be quickly updated or removed from circulation. Security guidelines must be made available. These guidelines indicate the security features of a product and how it can safely be put into operation and hardened in the event of a security incident.
  • Enforcement and legal remedies: Stricter market surveillance, extended supervisory powers for authorities, especially in the online space, as well as the possibility of collective legal action are also relevant for the safety of digital products. Safety deficiencies in digital products can affect many consumers at the same time. Effective enforcement measures and legal remedies are therefore important to ensure compliance with security requirements.

bbv can help you to implement the GPSR

bbv supports companies in a number of areas in complying with relevant regulations and standards, such as the Cyber Resilience Act, NIS-2 or IEC 62443, and in efficiently implementing the requirements of the General Product Safety Regulation. In addition to risk analysis, the experts at bbv conduct gap analyses and assist customers in developing appropriate measures.

  • Compliance check and risk assessment
    bbv carries out a detailed analysis (cybersecurity risk assessments including threat analysis) to check if products comply with the new security requirements, and identifies potential vulnerabilities.
  • Development of secure digital components
    If a product includes software or smart functions, we help to implement secure architectures and software updates to meet the requirements of the GPSR.
  • Optimisation of traceability and documentation
    We develop solutions for seamless product traceability to comply with regulatory requirements and make recall processes more efficient.
  • Integration of cybersecurity measures
    Since digital components are also covered by the GPSR, bbv offers security solutions for IoT and cloud products to protect companies against potential cyber risks.
  • Training
    bbv offers targeted workshops for companies to familiarise employees with the new requirements of the GPSR and to share best practices for implementation. The workshops raise awareness of the issue of cybersecurity and introduce the most important topics. Participants work in groups to identify action areas in your company and develop a concrete roadmap for potential measures.

The expert

Jürgen Messerer

Jürgen Messerer is an embedded software architect at bbv. He designs architectures for networked embedded systems in the industrial and medical technology sectors. He specialises in security, modern C++ technologies, Linux-based ARM platforms, and UI development with Qt. As a security expert, he also provides support on compliance and regulatory issues.
