Cyber Resilience Act (CRA)
On this page:
- What is the Cyber Resilience Act (CRA)?
- What products will the Cyber Resilience Act impact?
- When does the Cyber Resilience Act take effect?
- What do OEMs need to know about the CRA?
- What should electronic engineers do to comply with the CRA?
What is the CRA?
The CRA will be an act of law, created by the European Union. Its aim is to protect consumers from cybercriminals attempting to gain access to connected products for illegal purposes. The CRA will do that by forcing manufacturers to consider cyber threats as part of the product development and lifecycle.
All manufacturers and companies bringing connected products to market in the EU will need to comply with the act. Although other cyber initiatives already exist, this is the only one that will be passed into law, making it mandatory rather than voluntary.
It joins a growing portfolio of European regulations and acts designed to protect the industry and consumers.
What products will the Cyber Resilience Act impact?
The short answer is any electronic products that make use of online connectivity. Manufacturers inside and outside the EU will need to comply if they, or their agents, put those products onto the EU market.
The long answer is products with digital elements (PDEs), which covers both hardware and software. If a PDE’s intended or foreseeable use includes a direct or indirect logical or physical connection to a device or network, it will likely be subject to CRA legislation. The internet is the world’s biggest network and represents the biggest cyber threat.
The CRA is complementary to but different from the existing Cybersecurity Act, which is non-binding and not uniform across the EU. All EU member states will have to adopt the CRA and put it into law in their own countries.
When does the Cyber Resilience Act take effect?
The Cyber Resilience Act (CRA) was proposed by the European Commission on September 15th, 2022, and received its first reading on March 12th, 2024, when it was adopted by 517 votes to 12, with 78 abstentions. The Act has now been published in the Official Journal of the European Union and will become fully applicable on 11 December 2027 (36 months after entry into force).
Key milestones include:
- Notification of Conformity Assessment Bodies (Chapter IV, Art. 35-51): Applicable from 11 June 2026.
- Reporting Obligations (Art. 14): Applicable from 11 September 2026.
This transition period allows OEMs time to bring their products into compliance. EBV, alongside partners such as software specialist Witekio, is here to help you navigate these changes.
Explore the SOLUTIONS we offer today and connect with our PARTNERS ready to support your compliance journey.
What do OEMs need to know about the CRA?
Complying with the CRA is compulsory and, as with other legislation, compliance will be demonstrated by affixing the CE mark to a product. This is similar to EMC compliance.
While EMC compliance often requires extensive testing, even when self-certifying, OEMs will be able to self-certify many products for CRA without the need to test. However, documentation will be essential.
Due to the nature of online threats, compliance with the CRA will require ongoing diligence. As well as completing a security risk assessment during development, which involves identifying and documenting any vulnerabilities, the OEM will need to perform regular tests and remediate any vulnerabilities that emerge after the product goes into service. Any vulnerabilities discovered while a product is in service must also be reported.
OEMs may be expected to maintain this diligence for the product’s entire lifecycle or five years, whichever is shorter (subject to final legislation details).
Some critical products will need to be independently verified by a third party. EBV can help OEMs navigate this process.
Non-compliance, if proven, will incur fines and penalties. These could be as high as €15 million or 2.5% of the company’s total worldwide annual turnover.
Products already in the market are exempt from the CRA. New products in development may be subject to the CRA, depending on when they are brought to market.
What should embedded electronic engineers do to comply with the CRA?
All new products, as well as new generations of existing products, must comply with the CRA when it comes into law.
Compliance should start with a risk assessment of a product’s potential vulnerabilities. Both hardware and software can contain vulnerabilities that represent a cyber attack vector.
Physical and cyber access points to a product should be considered vulnerabilities unless they can be shown to be invulnerable to attacks.
To learn more about the assistance EBV can provide, look at our SOLUTIONS and PARTNERS pages.
Engineers should develop and adopt best practices to demonstrate and maintain CRA compliance. These may include:
- Consider possible vulnerabilities and look for them in your product design, at the earliest stage and throughout the product’s lifecycle.
- Change your organization’s culture to include Software Bill of Material (SBOM) documentation for every project.
- Create a preferred product list.
- Develop a reporting structure to manage vulnerability tracking and reporting.
- Support your engineers in becoming experts in deploying firmware over-the-air (FOTA) updates.
EBV Tech Days Webinar - on demand
The EU Cyber Resilience Act (CRA) brings significant challenges and opportunities to the industry. Are you ready to navigate these changes?
Key takeaways:
- CRA Essentials: Understand the EU Cyber Resilience Act (CRA), its legal framework, and key industry requirements.
- Compliance action: Identify urgent actions and specific considerations for ensuring CRA compliance in your product development.
- Optimized design: Learn best practices to optimize your product designs for security and future-proofing under the CRA.
- Expert insights: Gain practical insights from industry experts at EBV's leading supplier partners on the CRA's impact and explore real-world solutions.
- Strategic Edge: Stay ahead of regulatory demands and drive innovation to maintain a competitive edge in your organization.
Keynote Speech: Understanding the EU Cyber Resilience Act
According to the European Commission, "the Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component."
Join us for this keynote speech as we explore and understand the EU Cyber Resilience Act.
The Cyber Resilience Act: New Challenges and Potentials in Product-related Cyber Security
In this presentation we explain the core requirements of the upcoming EU Cyber Resilience Act (CRA) and give an outlook on what product designers need to do to make products CRA compliant.
We cover:
- Which products are affected?
- CRA timeline
- Product requirements
- Process requirements
- Hardware features relevant for CRA compliance
Panel Discussion: Practical impacts of the CRA on Product Development
In this panel discussion, we will discuss EU Cyber Resilience Act (CRA) and the requirements involved for product development.
The Cyber Resilience Act (CRA): A Paradigm Shift in the EU Market
The presentation begins by explaining the European Commission's (EC) motivation for introducing the new security regulation. It then covers the scope of the regulation, outlining the stringent requirements for product development and after-sales services. The speech also shows how to effectively address vulnerabilities, emphasizing the importance of comprehensive documentation and the mandatory reporting of vulnerabilities to the relevant public authorities, and highlights the penalties for non-compliance. It concludes by explaining the conformity requirements for obtaining the CE marking. Finally, it demonstrates how the Infineon product portfolio is aligned with and supports the new regulation, ensuring a seamless transition for customers.
Radio Equipment Directive & Cyber Resilience Act – Impact on Your MCU Related Cyber Security Applications
The Radio Equipment Directive (RED) and Cyber Resilience Act (CRA) are quickly approaching, bringing significant changes to the landscape of cyber security applications in the MCU domain. Understanding these directives and their implications is crucial for businesses aiming to remain compliant and competitive.
Join us for an insightful webinar where Thierry Crespo and Souhir Mhira will explore the impact of RED and CRA on your business operations. Discover how STMicroelectronics is leading the way in helping organizations meet these new requirements. This presentation will provide an in-depth look at ST's strategic approach to ensuring a smooth transition to compliance, equipping you with the knowledge and tools needed to navigate these regulatory changes effectively.
Don't miss this opportunity to stay ahead of the curve and safeguard your cyber security applications. Register now to secure your spot!
NXP Offering to Comply With CRA
NXP offers a comprehensive portfolio for CRA compliance, including Secure Microcontrollers (MCUs), Secure Microprocessors (MPUs), and Secure Elements. With our advanced Secure Enclave technology now available in the latest MCUs and MPUs, we will explore what the Secure Enclave entails, how it differs from the Secure Element, and when to use each. Additionally, you will learn about EdgeLock2Go, an easy solution for securely provisioning your MPU, MCU, or Secure Element.
Renesas Solutions to Support CRA Requirements
Introduction to Renesas MCU and MPU security features which are suitable to cover the CRA requirements in industrial applications.
Dealing With CRA: From Initial Cybersecurity Risk Assessment to Maintenance in Secure Condition
The European Cyber Resilience Act introduces various obligations for product manufacturers, among them a formal cybersecurity risk assessment, and the need to monitor new vulnerabilities and incidents and react appropriately all along the product's lifetime. While we are waiting for harmonised standards, I will propose an overview of the concrete requirements and impacts entailed by these obligations from the perspective of an embedded device developer.