Dijital Ürün Yaşam Döngüsünde Siber Güvenlik: Siber Dayanıklılık Yasası Eksenli AB Düzenleyici Çerçevesi

Year 2025, Volume: 29 Issue: 4, 1729 - 1760, 14.10.2025

Esma Muheyne Doğan

https://doi.org/10.34246/ahbvuhfd.1678639

Abstract

Dijital ürünlerin yaşam döngüsünde siber güvenliğin sağlanması, günümüz teknoloji ekosisteminin en kritik konularından biri haline gelmiştir. Avrupa Birliği’nin (AB) dijital dönüşüm sürecinde ortaya çıkan siber güvenlik risklerine karşı geliştirdiği Siber Dayanıklılık Yasası (Cyber Resilience Act, CRA), kapsamlı ve çok katmanlı bir düzenleyici çerçevenin merkezi bileşeni olarak öne çıkmaktadır. Bu çalışma, CRA’nın dijital bile-şenli ürünlerin tüm yaşam döngüsü boyunca siber güvenliğini sağlama hedefini detaylı biçimde analiz etmektedir. Araştırmanın ikinci bölümünde, CRA’nın Yapay Zekâ Yasası (AI Act) ile kesişim noktasındaki yapay zekâ sistemlerinin güvenli gelişimini sağlama amacı ve Ürün Sorumluluğu Di-rektifi’nin (PLD) bu iki düzenlemeyi tamamlayarak dijital çağın gereklilik-lerine uygun modernize edilmiş bir sorumluluk rejimi sunması incelen-mektedir. Çalışma ayrıca, bu düzenleyici çerçevenin üreticiler ve paydaş-lar için getirdiği yükümlülükleri ve zorlukları ele almaktadır. Sonuç ola-rak, CRA eksenli AB düzenleyici çerçevesinin yalnızca güvenlik standartla-rı getirmekle kalmayıp, dijital ürün ekosisteminde “güvenlik kültürü” oluş-turarak uzun vadeli ve sürdürülebilir bir siber dayanıklılık stratejisi sun-duğu ortaya konmaktadır.

Keywords

Siber dayanıklılık , Ürün sorumluluğu , Yapay zekâ , Dijital dönüşüm , Siber güvenlik

CYBERSECURITY IN DIGITAL PRODUCT LIFECYCLE: THE CYBER RESILIENCE ACT CENTERED EU REGULATORY FRAMEWORK

Abstract

Ensuring cybersecurity throughout the lifecycle of digital products has emerged as one of the most critical issues in today’s technological ecosystem. The Cyber Resilience Act (CRA), adopted by the European Un-ion in response to cybersecurity risks arising from digital transformation, stands out as the central component of a comprehensive and multi-layered regulatory framework. This study analyzes in detail the CRA’s objective of ensuring cybersecurity of products with digital components throughout their entire lifecycle. The second part of the research examines the inter-section of the CRA with the Artificial Intelligence Act (AI Act) in ensuring the secure development of AI systems, and how the Product Liability Di-rective (PLD) complements these two regulations by providing a moderni-zed liability regime suitable for the digital age. The study also addresses the obligations and challenges this regulatory framework brings for ma-nufacturers and stakeholders. In conclusion, the research demonstrates that the CRA centered EU regulatory framework not only establishes se-curity standards but also offers a long-term and sustainable cyber resi-lience strategy by fostering a “security culture” within the digital product ecosystem.

Keywords

Cyber resilience , Product liability , Artificial intelligence , Digital trans-formation , Cybersecurity

References

• Arat, Ayşe/ Akıncı, Elif, “2022/0302 Sayılı Avrupa Birliği Yeni Ürün Sorumluluk Direktif Teklifinin Getirdikleri Üzerine Bir Değerlendirme”, İstanbul Hukuk Mecmuası, 2024, C. 82, S. 2, s. 363-407.
• Bagni, Filippo, “The Regulatory Sandbox and the Cybersecurity Challenge: From the Artificial Intelligence Act to the Cyber Resilience Act”, Rivista Italiana Di Informatica e Diritto, 2023, Vol.5, No. 2, s.201-217.
• Beardsley, Tod, "The resounding negative effects of silent patches", SC World, Vulnerability Management. (https://www.scworld.com/perspective/the-resounding-negative-effects-of-silent-patches, Erişim Tarihi: 22.08.2025 )
• Bolgouras, Vaios/ Zarras, Apostolis/ Leka, Christian/ Stylianou, Ioannis/ Farao, Aristeidis/ Xenakis, Christos, "Eu regulatory ecosystem for ethical AI", AI Ethics, 2025.
• Bradford, Anu, "The False Choice Between Digital Regulation and Innovation", Northwestern University Law Review, 2024, C. 118, S. 2.
• Burri, Mira/ Zihlmann, Zaira, "The EU Cyber Resilience Act – An Appraisal and Contextualization", Zeitschrift für Europarecht (EuZ), 2023, S. 2, s. B1-B45.
• Bygrave, Lee A, “Cyber Resilience versus Cybersecurity as Legal Aspiration”, 2022 14th International Conference on Cyber Conflict: Keep Moving! (CyCon), 2022, s. 27-43.
• Castro, Daniel/ McLaughlin, Michael, "Ten Ways the Precautionary Principle Undermines Progress in Artificial Intelligence", Information Technology & Innovation Foundation, 2019. (https://www2.itif.org/2019-precautionary-principle.pdf, Erişim Tarihi: 22.08.2025).
• Chiara, Pier Giorgio, "Towards a right to cybersecurity in EU law? The challenges ahead", Computer Law & Security Review, 2024, C. 53, s. 105961.
• Chiara, Pier Giorgio, “Understanding the Regulatory Approach of the Cyber Resilience Act: Protection of Fundamental Rights in Disguise?”, European Journal of Risk Regulation, European Journal of Risk Regulation, 2025, s.1–16.
• Commission Staff Working Document Impact Assessment Report: Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, 2022, (https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52022SC0282., Erişim Tarihi: 22.08.2025)
• Contreras, Ricardo Rodriguez, “COVID-19 and Digitalisation”, (https://www.eurofound.europa.eu/en/covid-19-and-digitalisation#:~:text=According%20to%20the%20Organisation%20for,models%2C%20the%20promotion%20of%20online., Erişim Tarihi: 22.08.2025)
• "Cyber Resilience Act Enters into Force to Make Europe’s Cyberspace Safer and More Secure", Shaping Europe’s Digital Future, (https://digital-strategy.ec.europa.eu/en/news/cyber-resilience-act-enters-force-make-europes-cyberspace-safer-and-more-secure, Erişim Tarihi: 22.08.2025)
• Çekin, Mesut Serdar, "Güncel Gelişmeler Işığında AB ve Türk Hukukunda Dijital Ürünlere İlişkin Ürün Sorumluluğu ve Ürün Güvenliği Düzenlemeleri Üzerine Değerlendirme", Türk-Alman Üniversitesi Hukuk Fakültesi Dergisi, 2025, C. 7, S. 1, s. 156-202.
• Del-Real, Cristina/ De Busser, Els/ van den Berg, Bibi, "Shielding software systems: A comparison of security by design and privacy by design based on a systematic literature review", Computer Law & Security Review, 2024, C. 52, s. 105933.
• "Directive on Measures for a High Common Level of Cybersecurity across the Union (NIS2 Directive)- FAQs", Shaping Europe’s Digital Future.(https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs, Erişim Tarihi: 22.08.2025)
• Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), Official Journal of the European Union L 194 (http://data.europa.eu/eli/dir/2016/1148/oj/eng, Erişim Tarihi: 22.08.2025)
• Directive (EU) 2024/2853 of the European Parliament and of the Council of 13 March 2024 on liability for defective products (Product Liability Directive), Official Journal of the European Union L, (https://data.europa.eu/eli/dir/2024/2853/oj/eng, Erişim Tarihi: 22.08.2025)
• dos Santos, Daniel, "The risks of silent patching and why it must end", TechTarget IoT Agenda, 29.12.2021. (https://www.techtarget.com/iotagenda/post/The-risks-of-silent-patching-and-why-it-must-end, Erişim Tarihi: 22.08.2025)
• Dupont, Benoît, “The Cyber-Resilience of Financial Institutions: Significance and Applicability”, Journal of Cybersecurity, 2019, Vol.5, No. 1, s.1-17.
• ElSayed, Zag/ Abdelgawad, Ahmed/ Elsayed, Nelly, "Cybersecurity and Frequent Cyber Attacks on IoT Devices in Healthcare: Issues and Solutions", arXiv preprint arXiv:2501.11250, 2025.
• European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, "Joint Communication to the European Parliament and the Council: The EU’s Cybersecurity Strategy for the Digital Decade", (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=JOIN%3A2020%3A18%3AFIN, Erişim Tarihi: 22.08.2025)
• European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, "Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Cybersecurity Strategy of the European Union – An Open, Safe and Secure Cyberspace", JOIN (2013) 1 final. (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=JOIN:2013:1:FIN, Erişim Tarihi: 22.08.2025)
• European Commission, "Q&As on the Revision of the Product Liability Directive", (https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_5791, Erişim Tarihi: 22.08.2025)
• European Law Institute, “Guiding Principles for Updating the Product Liability Directive for the Digital Age”. Innovation Paper Series, 2021. (https://europeanlawinstitute.eu/fileadmin/user_upload/p_eli/Publications/ELI_Guiding_Principles_for_Updating_the_PLD_for_the_Digital_Age.pdf., Erişim Tarihi: 22.08.2025)
• Fahey, Elaine, "The evolution of EU–US cybersecurity law and policy: on drivers of convergence", Journal of European Integration, 2024, C. 46, S. 7, s. 1073-1088.
• Federal Office for Information Security,"2024 State of IT Security in Germany Report", (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2024.html?nn=1021082., Erişim Tarihi: 22.08.2025)
• Google Threat Intelligence Group, "Cybercrime: A Multifaceted National Security Threat", Google Cloud Blog, 2025. (https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat, Erişim Tarihi: 22.08.2025)
• GOV.UK, “The UK Product Security and Telecommunications Infrastructure (Product Security) Regime”, (https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime., Erişim Tarihi: 22.08.2025)
• Grau, Guillem Izquierdo, “The Development Risks Defence in the Digital Age”,European Journal of Risk Regulation, 2025, Vol.16, s.197–216.
• Güçlütürk, Osman Gazi, "Avrupa Birliği Yapay Zeka Tüzük Tasarısı ve Siber Güvenlik", Gelişen Teknolojiler ve Hukuk IV: Siber Güvenlik içinde, (Ed. E. Eylem Aksoy Retornaz/ Osman Gazi Güçlütürk), On İki Levha Yayıncılık, İstanbul, 2023, s. 207-222.
• Huang, Keman/ Siegel, Michael/ Madnick, Stuart, "Cybercrime-as-a-Service: Identifying Control Points to Disrupt", Cybersecurity Interdisciplinary Systems Laboratory (CISL) Working Paper, 2017, S. 2017-17, s. 1-30.
• Kamara, Irene, “European cybersecurity standardisation: a tale of two solitudes in view of Europe’s cyber resilience”. Innovation: The European Journal of Social Science Research, Vol.37, No.5, s.1441–1460.
• Koch, Robert/ Golling, Mario, “Silent Battles: Towards Unmasking Hidden Cyber Attack”, 2019 11th International Conference on Cyber Conflict (CyCon), 2019, s.1-20.
• Lallie, Harjinder Singh/ Shepherd, Lynsay A./ Nurse, Jason R.C./ Erola, Arnau/ Epiphaniou, Gregory/ Maple, Carsten/ Bellekens, Xavier, “Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic”. Computers & Security,2021, Vol. 102248.
• Li, Yuchong/ Liu, Qinghui, "A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments", Energy Reports, 2021, C. 7, s. 8176-8186.
• Li, Shu/ Schütte, Béatrice, "The proposal for a revised Product Liability Directive: The emperor's new clothes?", Maastricht Journal of European and Comparative Law, 2023, s. 1-24.
• Ludvigsen, Kaspar Rosager, "Creating Cybersecurity Regulatory Mechanisms, as Seen Through EU and US Law", arXiv preprint arXiv:2503.07250, 2025.
• McAfee ,Andrew, "EU proposals to regulate AI are only going to hinder innovation", Financial Times, 2021. (https://www.ft.com/content/a5970b6c-e731-45a7-b75b-721e90e32e1c, Erişim Tarihi:22.08.2025)
• McGlave, Claire/ Neprash, Hannah/ Nikpay, Sayeh, "Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients", SSRN Electronic Journal, 2023.
• "Microsoft Digital Defense Report 2024", (https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024, Erişim Tarihi: 22.08.2025)
• Mueck, Markus Dominik/ On, Amit Elazari Bar/ Du Boispean, Stephane, "Upcoming European Regulations on Artificial Intelligence and Cybersecurity", IEEE Communications Magazine, 2023, C. 61, S. 7, s. 98-102. "New Legislative Framework", European Commission. (https://single-market-economy.ec.europa.eu/single-market/goods/new-legislative-framework_en, Erişim Tarihi: 22.08.2025)
• Papakonstantinou, Vagelis/ De Hert, Paul, "The Regulation of Digital Technologies in the EU: The law-making phenomena of "act-ification", "GDPR mimesis" and "EU law brutality"", Technology and Regulation, 2022, s. 48-60.
• Parvanov, Krasen Anatoliev, From Legislation to Practice- a Structured Guide for the EU’s Cyber Resilience Act : Utilizing Design Science Research to Bridge Theory and Practice, Yayımlanmamış Yüksek Lisans Tezi, Skövde, 2024.
• Pranggono, Bernardi/ Arabo,Abdullahi, “COVID-19 Pandemic Cybersecurity Issues”. Internet Technology Letters,2021, Vol.4, No. 2, s.1-6.
• Regulation (EU) 2024/2847 of the European Parliament and of the Council of 13 March 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act), Official Journal of the European Union L. (https://data.europa.eu/eli/reg/2024/2847/oj/eng, Erişim Tarihi: 22.08.2025.
• Ruohonen, Jukka/ Timmers, Paul, “Vulnerability Coordination Under the Cyber Resilience Act”, (https://doi.org/10.48550/arXiv.2412.06261, Erişim Tarihi: 22.08.2025)
• Saeed, Saqib/ Altamimi, Salha A./ Alkayyal, Norah A./ Alshehri, Ebtisam/ Alabbad, Dina A., "Digital Transformation and Cybersecurity Challenges for Businesses Resilience: Issues and Recommendations", Sensors, 2023, C. 23, S. 15, s. 6666.
• Schoo, Peter. “Navigating the CRA: A Brief Analysis of European Cyber Resilience Act and Resulting Actions for Product Development”, Proceedings of the 9th International Conference on Internet of Things, Big Data and Security, 2024, s.245-251.
• Schütte, Béatrice, "Product Liability in the Future framework of AI (Technology) Regulation", EU law in the digital age: Swedish Studies in European Law içinde, Hart Publishing, 2025, C. 19, S. 6, s. 85-104.
• Shaffique, Mohammed Raiz, "Cyber Resilience Act 2022: A silver bullet for cybersecurity of IoT devices or a shot in the dark?", Computer Law & Security Review, 2024, C. 54, s. 106009
• "Study on the Need of Cybersecurity Requirements for ICT Products", Shaping Europe’s Digital Future. (https://digital-strategy.ec.europa.eu/en/library/study-need-cybersecurity-requirements-ict-products., Erişim Tarihi: 22.08.2025)
• Tang, Xunzhu/ Kim, Kisub/ Ezzini, Saad/ Song, Yewei/ Tian, Haoye/ Klein, Jacques/ Bissyande, Tegawende, "Just-in-Time Detection of Silent Security Patches", arXiv preprint arXiv:2312.01241, 2023.
• Tartaro, Alessio/ Smith, Adam Leon/ Shaw, Patricia, "Assessing the Impact of Regulations and Standards on Innovation in the Field of AI", SSRN Electronic Journal, 2023.
• Timis, David, "How to regulate AI without stifling innovation", World Economic Forum, 2023. (https://www.weforum.org/stories/2023/06/how-to-regulate-ai-without-stifling-innovation, Erişim Tarihi: 22.08.2025)
• Wagner, Gerhard, “Liability Rules for the Digital Age- Aiming for the Brussels Effect”, Journal of European Tort Law, 2022, Vol. 13, No. 3, s. 191-243.