Concerns that have been heard for some time in the context of products such as smart door locks, WLAN baby monitors and robot vacuum cleaners are now increasingly of relevance for sun protection as well: any product that transmits radio signals or can be controlled via an app is a connected product. Security researchers have demonstrated repeatedly in recent years that wireless systems lacking the latest encryption technology, from garage doors to car keys to smart home components, are decidedly vulnerable to manipulation.
The risks are just as real in the building systems world: a malicious actor who is able to discern patters of absence from roller shutter movements or exert unauthorised control over shading systems can cause serious harm, from unnoticed surveillance to property damage to the groundwork for a break-in. The EU Cyber Resilience Act, the regulatory response to this development, aims to achieve much the same as the GDPR 2018 has achieved for data protection: a common European standard that protects consumer and critical infrastructure alike.
The EU Cyber Resilience Act (2024/2847) has implications in particular for wireless systems, apps and digital control solutions of all types. Cybersecurity thus has to be considered essential in the context of product approval and marketing in the sun protection sector as well. Non-conforming products will lose their CE marking in future and will not be approved for sale in the 30 countries of the European single market. The Act provides substantial sanctions too, including liability risks, recall risks and administrative fines of up to 15 million euros/2.5% of global annual sales. The arrival of the CRA marks a fundamental paradigm shift for manufacturers and dealers: they can only plan with confidence if they can be sure the systems they buy and sell today are going to remain CE-compliant in the future. The ONYX smart wireless control system from leading European sun, light and weather protection system supplier HELLA already complies with all the requirements of the EU Cyber Resilience Act, making it one of the first manufacturers in the sector to achieve this feat. "The Cyber Resilience Act makes the type of data security we have long defined as standard for our own control system development the minimum standard for Europe as a whole," says Andreas Kraler, Managing Partner of the HELLA Group. "Security cannot be just an add-on for connected sun protection systems; it needs to be comprehensively integrated into the system."
The new Act requires manufacturers to consider the cybersecurity of their products and solutions from the outset: security must be an integral part of the system architecture (secure by design), all default settings from the factory must prioritise security (secure by default) and all products with digital elements must support updating throughout their life cycle. Sun protection solutions with control systems are becoming a digital product for regulatory purposes. Resistance to cyber attacks is going to be just as critical in the future as mechanical quality.
HELLA has been taking a "secure by architecture" approach with ONYX since 2008. Cybersecurity is integral to the system architecture from the outset rather than just being tacked on somewhere along the way; it remains front and centre as the system is being developed and as the technical implementation takes shape. One major advantage with ONYX is that it is our own proprietary solution. HELLA produces the hardware and software itself and refines them continuously. New security requirements, updates and regulatory adjustments can therefore be implemented independently, and the whole package can be reliably maintained throughout the product life cycle. The solution encrypts communication in line with the state of the art and protects against replay attacks, in which radio signals are recorded and then transmitted again to counterfeit an authorised action.
HELLA also maintains a software bill of materials (SBOM) for ONYX. An SBOM is a complete, transparent record of all the software components used together with all dependencies, as will be required in the future by the CRA.
This is complemented by a clearly defined and documented update mechanism spanning the entire product life cycle. Another key part of the platform for professional and comprehensive disclosure is the integral vulnerability management process for detecting, documenting and resolving security vulnerabilities. The advent of the CRA changes nothing about everyday use for end customers: the systems remain perfectly straightforward to operate despite quietly meeting the most stringent security requirements for connected products in the background.
Companies will be required to report identified security vulnerabilities to the European Union Agency for Cybersecurity (ENISA) from 11 September 2026 and from December 2027 onwards, it will not be permitted to bring a product into circulation in the single market unless it is CRA compliant. There is no plan to introduce a transitional period for non-compliant products. Manufacturers, importers, dealers and specialist companies will in future have comprehensive responsibility throughout the supply chain and will be required to demonstrate the compliance of the systems deployed. Choosing control systems is thus going to be a decision entailing potential risks both legal and commercial for the trade. The ONYX system solution from HELLA already complies with the new CRA rules as standard.