
      Digital products must be operated securely and updated over the course of many years. The Cyber Resilience Act (CRA), an EU regulation establishing mandatory cybersecurity requirements for products with digital elements, tightens regulatory obligations in this regard, from development through to operation. In this context, product security refers to the cybersecurity of these products throughout their entire lifecycle and thus differs from the security of internal information technology (IT) systems.

      The key is a two-pronged approach: operational implementation in product development and centralized governance for standards, responsibilities, and consistent implementation. The white paper “Product Security under the Cyber Resilience Act” explores this interplay in greater depth.

      Product Security: Between Operational Implementation and Centralized Governance

      Product security accompanies a product throughout its entire lifecycle.

This includes:

• secure architectural and design decisions,
• implementation,
• testing and structured vulnerability management,
• regular security updates,
• and the handling of security incidents.

      This responsibility requires close integration with product development, as security-related decisions are made at the very point where technical directions are set.

      Furthermore, regulatory reporting requirements, uniform standards, and consistent processes demand cross-functional coordination. Product Security thus operates at the intersection of operational implementation within development teams and centralized governance at the corporate level. 

      Organizational Integration of Product Security Within the Company 

      In practice, various organizational models have become established. Embedding product security within research and development enables the early integration of security considerations into the product development process. Models centered around the Chief Information Security Officer (CISO) organization place greater emphasis on governance and compliance. Both approaches offer advantages but each has its limitations—such as operational distance from development or a lack of consistency across product lines.

      Consequently, a hybrid organizational model is increasingly gaining traction. A central role, such as the Corporate Product Security Officer (CPSO), is responsible for governance, standards, and reporting, while product security roles within the development departments ensure operational implementation. This approach combines technical effectiveness with regulatory oversight.


How operational implementation and centralized governance interact


      The Ideal Model for a Product Security Organization and Steps for Implementation 

      A modern product security organization is based on clearly defined roles, well-defined responsibilities, and coordinated processes. It is built up step by step: from clarifying responsibilities and establishing a governance framework to systematically integrating security measures into the development process. Training and accompanying cultural change help ensure that product security is firmly embedded in decision-making processes.

      Product Security under the Cyber Resilience Act: Key Findings 

      The Cyber Resilience Act makes it clear that product security has become an integral part of the value chain for digital products. Structures that combine technical proximity to product development with centralized governance lay the foundation for regulatory compliance and effective management of product-related security risks. Hybrid models offer a viable and sustainable approach to this end.




      Your Contact

      Andrzej Wozniczka

      Partner, Consulting - Cyber Security & Resilience

      KPMG AG Wirtschaftsprüfungsgesellschaft