
The EU Cyber Resilience Act: What It Means for Telcos 

Paul Jenkins


The EU Cyber Resilience Act (Regulation (EU) 2024/2847), which entered into force on 10 December 2024, as announced by the European Commission, marks a significant shift in how cybersecurity responsibilities are distributed across the connected domain. Its main obligations apply from 11 December 2027, with manufacturers' vulnerability and incident reporting duties starting earlier, on 11 September 2026. The legislation aims to ensure that hardware and software products with digital elements meet strict cybersecurity requirements throughout their lifecycle, offering a safer digital environment for consumers and businesses alike. For telcos, this isn't just another regulation, it's a call to action that will reshape their role in protecting residential and SME markets.

 

 

What is the EU Cyber Resilience Act?

 


The EU Cyber Resilience Act introduces comprehensive rules requiring manufacturers of "products with digital elements" to embed cybersecurity into their products from the ground up, making everything from baby monitors to smart watches safer, and it places corresponding duties on the importers and distributors who bring those products to market. It covers connected IoT devices and software, including the remote data processing a product depends on, and requires that products are designed with security in mind, shipped without known exploitable vulnerabilities, and kept secure with updates throughout their support period. Stand-alone services and network operations are not regulated by the CRA itself; those fall under the NIS2 Directive. The Act still matters directly to telcos, because whenever they manufacture, rebrand, import or distribute routers and other customer premises equipment they take on CRA obligations for those devices.

 

What does this mean for telcos?

For telcos, the EU Cyber Resilience Act presents both a challenge and an opportunity. 

Here’s what it means in practical terms:

1. Increased responsibility for end-user protection

Under the EU Cyber Resilience Act, the CPE a telco puts into homes and businesses must meet the Act's essential requirements, which means telcos become accountable for the security of the devices their customers rely on. The practical consequence is that telcos will need to take an active role in safeguarding their customers, both residential and business, from cyber threats: going beyond traditional connectivity and providing proactive, carrier-grade cybersecurity as part of their core service offering.

2. A shift from optional to essential security services

Telcos have often treated cybersecurity as an add-on or premium service. The EU Cyber Resilience Act pushes it towards necessity: the routers and CPE that ISPs supply must be secure by default and supported with security updates for every customer, not only those who pay for a premium tier. Building on that baseline with protection against threats like phishing, malware and ransomware, which disproportionately impact smaller businesses and home networks, is the natural next step.

3. Alignment with regulatory requirements

Compliance with the EU Cyber Resilience Act will demand investment in secure product development, vulnerability handling and reporting capabilities: manufacturers must notify actively exploited vulnerabilities and severe incidents affecting their products, with an early warning due within 24 hours. Together with the network-level security and real-time threat detection that NIS2 expects of operators, telcos must ensure that both their systems and their customer premises equipment (CPE) meet the new standards, turning security from a compliance challenge into a competitive advantage.

 

Why is this a game-changer for residential and SMB markets?

The EU Cyber Resilience Act recognises that cybersecurity cannot remain the domain of large enterprises alone. Residential users and SMBs face the same threats but lack the resources to defend themselves. By placing responsibility on telcos, the act ensures:

 

So, how can telcos prepare?

To meet these new expectations, telcos must evolve their approach to cybersecurity. Here are the key steps they should take:

1. Invest in carrier-grade security solutions

Telcos need to adopt solutions that operate at the network level, offering proactive protection against cyber threats. Platforms like BlackDice provide AI-driven, predictive security that safeguards all connected devices, including IoT gadgets.

2. Embed security into customer premises equipment (CPE)

By integrating cybersecurity directly into routers and other CPE, telcos can deliver seamless protection that requires no action from the end-user. Provided the CPE itself meets the Act's essential requirements (secure default configuration, protection against unauthorised access, and timely security updates), this approach supports compliance with the EU Cyber Resilience Act while enhancing the user experience.

3. Educate and empower customers

Telcos should take the lead in educating their customers about the importance of cybersecurity, providing tools and insights to help them manage their own risks effectively.

4. Turn compliance into a competitive advantage

Meeting the EU Cyber Resilience Act’s requirements isn’t just about avoiding penalties, it’s an opportunity to differentiate in a crowded market. Offering robust security as a standard feature can drive customer retention and attract new users.

 

How does the EU Cyber Resilience Act relate to the NIS2 directive?

The EU Cyber Resilience Act (CRA) and the NIS2 Directive are complementary regulatory frameworks, each addressing different aspects of cybersecurity, with some overlap in their objectives to strengthen the digital security of the European Union.

The diagram below demonstrates the key relationships between the CRA and NIS2, across the scope of application, responsibilities and the role each plays in critical infrastructure.

Diagram 1 – Key relationships between the CRA and NIS2

 

“The CRA secures the building blocks of the digital ecosystem (devices, software), while NIS2 ensures that the organisations and sectors relying on those building blocks maintain resilient operational security. Together, they create a unified framework for a safer and more robust digital environment.”

– Paul Jenkins, CISO, BlackDice

 

Telco responsibilities

Both regulations significantly impact telcos. Under CRA, telcos must ensure the connected devices they supply, like routers and customer premises equipment (CPE), comply with the Act's essential cybersecurity requirements. Under NIS2, providers of public electronic communications networks and services are a high-criticality sector, and large providers are classified as essential entities; they must maintain high levels of operational cybersecurity to safeguard their networks and services.

Both aim to reduce vulnerabilities across the digital ecosystem. CRA addresses product-level risks by mandating security-by-design for products with digital elements, from consumer IoT to software. NIS2 addresses systemic risks by requiring organisations in critical sectors to strengthen their cybersecurity infrastructure, risk management and incident reporting capabilities.

 


 

The road ahead

The EU Cyber Resilience Act is more than just a regulatory milestone, it's a transformative step toward a safer digital future. For telcos, it represents a chance to redefine their role in the cybersecurity ecosystem, protecting the networks and devices that underpin modern life. By embracing this responsibility and investing in innovative, scalable solutions, telcos can lead the charge in creating confidence for residential and SMB customers while building stronger, more resilient networks, concludes Paul Hague, Founder and CEO at BlackDice:

 


“We’re proud to work with telcos globally to deliver the kind of proactive, carrier-grade cybersecurity that aligns with the EU Cyber Resilience Act’s vision. In doing so, we ensure that cybersecurity isn’t just a privilege for the few, but a standard for everyone.”

– Paul Hague, Founder and CEO, BlackDice

 

Need help navigating the new regulatory landscape? Contact us to learn how BlackDice can help telcos comply with the EU Cyber Resilience Act while protecting their networks and customers.