On December 10, 2024, the Cyber Resilience Act (CRA) came into force. It sets a minimum level of cybersecurity for electronic products (hardware, software, remote data processing) for which no sector-specific regulation exists on the European market (products such as medical devices or critical infrastructure components are covered by their own regulations). The regulation provides for a phased introduction; from December 11, 2027, all new products must comply with it.
It is important to know that actively exploited vulnerabilities and serious security incidents must be reported from September 11, 2026.
The CRA sets out specific requirements that must be taken into account during product development. The principles of security by design and security by default apply. The mandatory risk assessment demonstrates that the CRA requirements are met and keeps possible threats from being either underestimated or overestimated, so that countermeasures are neither missing nor oversized.
Processes (e.g. IEC 62443) and the documentation of their results provide the evidence of compliance with the CRA. Depending on the product category, conformity can be assessed by the manufacturer itself, or a notified body must be involved.
The CRA defines the categories “Standard/Basic Products”, “Important Products” and “Critical Products”. The product category does not change the required activities (processes), only the conformity assessment procedure (how evidence is provided).
Cybersecurity must be guaranteed for the expected lifetime of the product, but at least for 5 years. This is done by regular and effective cybersecurity tests (e.g. penetration tests), which also includes keeping the risk assessment up to date. Vulnerabilities in the product must be reported immediately and eliminated by means of software updates. All of these activities must be planned and documented; here, too, processes ensure that this is actually done.
Various aspects of the CRA are still unclear. There are no harmonized standards yet and no notified bodies. The latter should be available in 2026.
Products that are already on the market are not covered by the CRA as long as they are not significantly modified. Guidelines defining what counts as a significant change have not yet been drawn up, but the CRA gives indications: for example, new features or feature updates that could affect the cybersecurity risk are to be considered significant changes. It follows that every such change must be checked and evaluated, which means that at least a risk assessment of the product must be carried out.
You can find more details in our FAQ for Embedded Security.
Alois Cavelti is Dipl. Elektroingenieur FH, co-founder, deputy managing director and software developer. He is a specialist for architectures and software in C, C++ and C#. He is committed to maintainable architecture, security and clean code. For this he likes to look beyond the "embedded" edge of his nose into other areas of software development. He is interested in overall systems of any kind and their interrelationships. Alois manages a 5'000 m² biodiversity island and brings nature, horses and humans in harmony. He loves good (movie) stories and good food.