The cybersecurity wake-up call for European manufacturers

For decades, the CE mark has been widely misunderstood as a simple label required to sell products in Europe. In reality, it represents a legal declaration that a product complies with strict EU safety, health, and environmental standards.

Now, with new legislation such as the Cyber Resilience Act, the system is entering a new phase. As products become connected, software-driven and data-enabled, cybersecurity is being embedded into the very structure of product compliance.

According to AMS Consultants Ltd, which advises manufacturers and importers on CE marking and regulatory compliance, the shift represents a major adjustment for industry. BusinessNow.mt talks to Founder and Director Stephen Mallia and Chief Operating Officer Amy Mallia, who say many companies are still catching up with what the new rules will require.

Cybersecurity enters the CE framework

One of the most significant changes comes from the Cyber Resilience Act, which introduces mandatory cybersecurity obligations for products with digital components.

Stephen Mallia explains that the regulation fundamentally reshapes how CE marking works.

“The Cyber Resilience Act transforms CE marking by establishing cybersecurity as a mandatory, horizontal requirement for all products with digital elements,” he says.

Manufacturers will have to move beyond optional updates or reactive patches. Instead, cybersecurity will need to be built directly into the design and documentation of products.

“Manufacturers must now ensure safety by default, providing explicit proof of how cybersecurity is tackled within embedded software and IoT devices.”

That proof must be included in a comprehensive technical file demonstrating how cyber risks are managed. For many companies, this represents a steep learning curve.

“Despite these looming legal obligations, many manufacturers remain unprepared and are often oblivious to their expanded responsibilities. Failure to properly document cybersecurity measures could result in significant fines or even a ban from the European market.”

CE marking is becoming stricter and more political

Looking ahead, CE marking itself is evolving in several directions at once.

“CE marking is evolving into a more digital, rigorous, and political framework simultaneously,” Mr Mallia says.

Digitalisation is being driven by legislation that addresses connected devices and software-integrated hardware. At the same time, regulatory updates such as the Machinery Regulation (EU) 2023/1230 and the Construction Products Regulation are expanding the legal responsibility of manufacturers and introducing heavier penalties for non-compliance.

“The responsibility is now clearly black on white,” he says. “Compliance is moving from a simple labelling exercise to a demanding technical discipline.”

The regulatory shift also reflects a broader political priority within the EU to strengthen consumer protection and digital safety.

“As current legislation is set to define the market for the next five to ten years, CE marking is transitioning into a lifecycle where manufacturers must provide ongoing proof of compliance to maintain market access,” he adds.

The impact of global manufacturing

At the same time, global supply chains and e-commerce have complicated enforcement.

COO Amy Mallia says the speed and scale of manufacturing in China, combined with the rise of online retail, has changed how products reach consumers in Europe.

“The speed of online selling and the volume of low-cost imports mean products can reach consumers quickly, often with unclear economic operator details and weak or inconsistent documentation,” she explains.

This has placed pressure on regulators and enforcement authorities, who often have to act reactively after complaints, customs inspections, or safety incidents.

“We often support importers and manufacturers who want to do it properly and realise that the real risk is not only the product itself, but the lack of traceable evidence behind it,” she says.

“The market is moving fast, and compliance has to keep up.”

When unsafe products reach the market

The presence of unsafe or controversial products on the European market often raises questions about whether the CE system itself is failing. Stephen Mallia argues that the problem is rarely the framework itself.

“The presence of unsafe products on the European market is primarily a failure of enforcement and operator accountability rather than a flaw in the CE framework,” he says.

The system relies on a Declaration of Conformity, a legally binding statement that manufacturers sign to confirm their products meet EU requirements. However, some companies treat the declaration as a simple administrative formality or basic paperwork.

“This breakdown typically occurs when importers neglect due diligence or when technical documentation is fraudulent or non-existent,” he explains.

Market surveillance authorities, meanwhile, often struggle with limited resources.

“The framework is robust,” Mr Mallia says. “But it requires diligent economic operators and rigorous enforcement to ensure that safety compliance is never treated as a mere administrative exercise.”

The myth of the CE label

A persistent misconception is that CE marking is simply a label added to packaging. Decades of inconsistent enforcement and the widespread appearance of the mark on low-cost imports have diluted its perceived importance.

“The misunderstanding results from the fact that the label is visible while the underlying engineering evidence remains hidden,” Mr Mallia explains.

“In reality, the CE mark is a legal declaration of responsibility backed by structured documentation,” he says.

Signing a Declaration of Conformity without a robust technical file can carry serious civil or even criminal consequences if a product causes harm or fails a market audit.

“True compliance is not simply a package label criterion,” he adds. “It must be substantiated with proof behind the mark.”

Accountability in the age of e-commerce

The rise of e-commerce and drop-shipping has further blurred lines of responsibility.

“The key is the concept of the economic operator placing the product on the EU market,” Ms Mallia explains.

Manufacturers, importers, and distributors all carry legal obligations, but online selling models can obscure who is actually responsible for compliance.

“Platforms are under growing pressure to take more responsibility, but businesses should not assume the platform will protect them,” she says.

The safest approach, she adds, is to ensure there is a clearly identified responsible operator, proper documentation, and a traceable supply chain before a product enters the EU market.

Compliance as a competitive edge

Rather than seeing compliance purely as a regulatory hurdle, Ms Mallia believes forward-looking manufacturers are beginning to treat it as part of their competitive strategy.

“Yes, compliance is becoming a competitive advantage,” she says.

Companies that integrate regulatory requirements early can avoid costly redesigns, reduce disruption, and respond faster when authorities or partners request documentation.

“As sustainability, safety and cybersecurity requirements tighten, the companies that invest early will move faster and build stronger commercial relationships,” she says.

“For us, we see that the best manufacturers treat compliance as part of product quality and business strategy, not as a last-minute hurdle.”

Image: Amy Mallia (second right) on a panel about the Cybersecurity Act in European Parliament, January 2026.