The Cyber Resilience Act (Annex I, Part I(2)(e)) requires that products with digital elements are designed and produced to record and monitor relevant internal activity, including the access to or modification of data, services, or functions, in order to protect the availability, authenticity, integrity, and confidentiality of the data they process or transmit. Without effective incident detection, security breaches can go unnoticed for extended periods, compounding the damage to users and making it significantly harder to meet the obligation to report actively exploited vulnerabilities and severe incidents under Article 14.
Design the product to log security-relevant events with enough detail to support incident investigation, covering at a minimum access to sensitive data, authentication events, configuration changes, and anomalous behavior. Establish a defined and repeatable approach for analyzing log data to detect potential security incidents affecting the product or its users. The frequency and depth of analysis should be aligned with the product's criticality and the risk exposure of its users, ensuring that higher-risk products receive proportionally greater scrutiny.
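As an added illustration (not text or code from the CRA or from any particular product), the following Python shows the two halves of this requirement: a structured event record for each of the minimum categories named above, and a repeatable analysis pass over those records that turns them into findings carrying the principal and timestamp an investigator needs. The field names, the set of configuration administrators and the failure threshold and window are assumptions chosen for the example.

```python
import json
from collections import defaultdict

# Constructed sample log: one JSON record per line. Field names (ts, category,
# outcome, principal, src, resource, key) are assumptions for this example.
SAMPLE_LOG = """\
{"ts": 100, "category": "auth", "outcome": "failure", "principal": "alice", "src": "10.0.0.5"}
{"ts": 110, "category": "auth", "outcome": "failure", "principal": "alice", "src": "10.0.0.5"}
{"ts": 120, "category": "auth", "outcome": "failure", "principal": "alice", "src": "10.0.0.5"}
{"ts": 200, "category": "auth", "outcome": "success", "principal": "bob", "src": "10.0.0.7"}
{"ts": 210, "category": "data_access", "principal": "bob", "resource": "customer_records"}
{"ts": 300, "category": "data_access", "principal": "svc-backup", "resource": "customer_records"}
{"ts": 400, "category": "config_change", "principal": "bob", "key": "tls.min_version"}
{"ts": 410, "category": "config_change", "principal": "mallory", "key": "logging.enabled"}
"""

CONFIG_ADMINS = {"bob"}           # assumed: principals permitted to change configuration
FAIL_THRESHOLD, WINDOW = 3, 300   # assumed: failed logins per (principal, source) per seconds

def parse_events(text):
    """Parse one JSON event per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Repeatable analysis pass: returns (finding, principal, ts) tuples, in time order."""
    findings = []
    failures = defaultdict(list)   # (principal, src) -> timestamps of recent failed logins
    authed = set()                 # principals that have authenticated successfully so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat, who, ts = ev["category"], ev["principal"], ev["ts"]
        if cat == "auth":
            if ev["outcome"] == "success":
                authed.add(who)
            else:
                # Rule 1: repeated failures from the same source inside the window.
                key = (who, ev["src"])
                failures[key] = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
                if len(failures[key]) >= FAIL_THRESHOLD:
                    findings.append(("repeated_auth_failure", who, ts))
        elif cat == "data_access" and who not in authed:
            # Rule 2: sensitive data read by a principal with no successful login on record.
            findings.append(("access_without_auth", who, ts))
        elif cat == "config_change" and who not in CONFIG_ADMINS:
            # Rule 3: configuration changed by a principal outside the admin set.
            findings.append(("unauthorized_config_change", who, ts))
    return findings

if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(*finding)
```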
Document the incident detection processes and ensure they are consistently followed across the organization. Detection capabilities should be validated periodically to confirm they remain effective as the product evolves and the threat landscape changes. Retain detection-related documentation and evidence as part of the product's operational security practices, supporting both internal response readiness and the ability to demonstrate due diligence to market surveillance authorities.