Boundless Pages
EU Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.
"Manufacturers shall assess the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases." [Article 13(2)]
The Cyber Resilience Act (CRA) sets harmonised cybersecurity rules for digital products, covering their entire lifecycle from design to maintenance. It mandates secure boot with hardware-based authentication, filesystem encryption using device-specific hardware, and Transport Layer Security (TLS) for all interfaces. An approved Software Bill of Materials (SBOM) underpins initial vulnerability assessments and mitigation plans, with ongoing monitoring and secure, free Over-the-Air (OTA) updates required. The Act also enforces compliant documentation, threat assessments, and formal conformity evaluations to ensure robust cybersecurity standards.
Manufacturers and developers of products with digital elements, both hardware and software, will be required to comply with the legislation by meeting cyber security requirements intended to safeguard those products against emerging cyber threats. Key obligations that companies can expect under the CRA include the following:
Comprehensive risk assessments will be mandatory throughout product development and the product lifecycle. This includes evaluating and mitigating the cybersecurity risks associated with the product at every stage of its lifecycle.
Companies are expected to deliver products that are secure from known vulnerabilities. This requires vulnerability management practices that identify and address security weaknesses promptly.
Free security updates must be provided following the product's release, in line with customer expectations. This will be crucial for ensuring that products remain resilient against emerging threats.
Adhering to the Act may require meeting standardised requirements or engaging external auditing authorities, depending on the product's risk classification.