Software Development Compliance: Translating EU Cybersecurity Legislation into Practice for IoT and Embedded Systems
Suksi, Matias (2025-10-15)
This publication is subject to copyright. The work may be read and printed for personal use. Commercial use is prohibited.
Access: open
Permanent address of the publication:
https://urn.fi/URN:NBN:fi-fe20251020102227
Abstract
This thesis examines how the European Union’s upcoming cybersecurity legislation will affect software in IoT and embedded devices. The motivation for the thesis arose from a real-world preliminary investigation by Company X into upcoming legislation that would affect the control system of the company’s ventilation unit. The thesis translates legislative text into the concrete engineering-level requirements needed to achieve compliance. It maps the relevant acts and outlines the requirements that impose cybersecurity-driven modifications on the software. Methodologically, the thesis is a targeted literature and legal-text review focused on practical implementation and conformity. The findings indicate that three instruments impose software cybersecurity requirements: the Radio Equipment Directive (RED) Article 3(3), the Cyber Resilience Act (CRA) and the Revised Product Liability Directive (RPLD). RED’s new requirements can typically be met through self-assessment against harmonized standards (the EN 18031 series), provided that scope and exceptions are correctly taken into account. The CRA introduces broad, risk-based obligations across the product life cycle, covering essential security requirements, vulnerability handling, user information, technical documentation and vulnerability reporting. The RPLD extends liability to digital products and software, indirectly raising the stakes for secure-by-design practices. In contrast, the Data Act mainly mandates data-access and data-sharing rights and process duties for connected products but does not prescribe concrete cybersecurity controls. Across the acts, the biggest consequence for manufacturers is an increased documentation and conformity assessment workload, even where existing security practices are already strong. The thesis combines these obligations into practical guidance for manufacturers of embedded and IoT software products.
