Cyber Resilience Act

With the Cyber Resilience Act (CRA) the European Union has created a regulatory framework that directly transfers cybersecurity into product liability. The regulation targets manufacturers, importers, and other economic actors who place products with digital elements on the European market. As a result, cybersecurity is no longer treated as a separate IT issue but as a fixed characteristic of a product.

For companies with hardware, Embedded Software, Whether it's industrial electronics, networked sensors, or standalone software products, the CRA is an operational issue. Requirements for development, documentation, maintenance, and vulnerability management will become part of regular product business. This is particularly relevant for industries with long lifecycles, technical variant statuses, and complex supply chains.

Scope

Products with digital elements

The CRA uses the term „products with digital elements.“ This refers to products whose function is wholly or partly characterized by software, firmware, data processing, or networking. This includes traditional consumer products as well as industrial systems, machine components, control devices, communication modules, or software-based applications.

For industry, it is crucial that many established products now include digital elements, even if they were historically understood as purely electronic or mechanical products. Control unit with an Ethernet interface, diagnostic access via USB, a web interface for parameterization, or a cloud-enabled gateway, a product enters an area where cybersecurity becomes regulatorily relevant.

The practical consequence is a reassessment of the portfolio. Companies must consider not only new products but also existing platforms, product families, and series products. Many organizations will find that a significant portion of their offering falls under the CRA.

The CRA distinguishes between general products with digital elements and particularly relevant product groups with increased requirements. A large portion of products fall into the area of regular conformity assessment with internal manufacturer responsibility. This includes numerous standard products from the software and consumer environment.

Infographic on product classification: Cyber Resilience Act: Self-assessment, Class I/II, 90% products, third-party assessment.
Product classification according to Cyber Resilience Act

Stricter requirements apply to defined product groups from Annex III. These products are divided into Class I and Class II. The key factors are technical function, area of application, and potential impact on safety and infrastructure.

Class I includes products such as network interfaces, firewalls, or certain microcontroller platforms. Evaluation typically takes place via harmonized standards or suitable testing procedures.

Class II particularly concerns highly sensitive or system-critical components such as processors, secure elements, operating systems, or industrial firewalls. In these cases, the regulatory audit depth increases, often involving external bodies.

Cybersecurity as part of the development discipline

The CRA anchors cybersecurity in the product's inception. Construction, electronics development, software development, and system architecture must consider security requirements early on. This affects not only visible security features but also fundamental design decisions.

An architecture with unnecessarily open interfaces, unprotected service access, or a lack of separation between trust zones creates risks that can only be corrected with significant effort later on. The CRA therefore increases the importance of early architectural decisions. Security aspects belong in requirements management, system design, interface definition, component selection, and integration concepts.

In embedded systems, this regularly concerns topics such as secure boot chains, protection of debug access, firmware integrity, rights concepts for maintenance functions, secure communication channels, and controlled update mechanisms. Also memory and runtime protection by MPU, TrustZone or comparable mechanisms is gaining importance.

Companies with established development processes can integrate these requirements in a structured manner. Organizations without clearly defined engineering gates will need to adjust more significantly, as security must be planned and implemented in a traceable way.

Vulnerability Management in Accordance with the Cyber Resilience Act

A central element of the CRA is ongoing post-market responsibility. Products remain relevant to safety even after delivery. Manufacturers need processes to record, assess, prioritize, and fix vulnerabilities.

This changes the classic view of many product companies. In numerous industries, the start of mass production was long considered the transition from development to support. The CRA shifts this model. Security work continues throughout the lifecycle. This includes reporting structures for external input, internal assessment of technical risks, development of corrective measures, testing of new software versions, and the regulated deployment of updates.

For products in the field, this immediately raises the question of technical updateability. Systems without a secure update function incur high operational costs in the event of a vulnerability, as service interventions, manual rework, or hardware replacements may be necessary. For this reason alone, updateability is not just a compliance issue, but an economic factor.

Documentation and traceability

The CRA requires provability. Companies must be able to demonstrate how security requirements have been implemented. This affects technical documentation as well as internal processes and compliance documents.

In practice, a general product description is not sufficient for this. Understandable information about architecture, digital functions, components used, relevant interfaces, security mechanisms, update concepts, and vulnerability management processes are required. Audits, validations, and approvals are also gaining importance.

Many companies possess extensive development data but lack structured security documentation. Therefore, the CRA often does not lead to entirely new activities, but rather to the necessity of making existing technical work systematically documentable.

For engineering organizations, this is an important point: Whoever cleanly manages architectural decisions, tests, and releases significantly reduces later effort for evidence.

Supply chains and purchased components

Digital products rarely consist solely of in-house development. Operating systems, middleware, radio modules, libraries, open-source components, semiconductor platforms, and external software modules are standard. The CRA thus automatically increases the relevance of supplier management.

A manufacturer needs to know which components are used in the product, what dependencies exist, and how supply chain security updates become available. Particularly critical are building blocks without long-term maintenance, undocumented third-party software, or platforms with an unclear security roadmap.

In the embedded environment, this affects microcontroller SDKs, Linux distributions, communication stacks, wireless modules, or proprietary third-party libraries, for example. Lack of transparency creates risks in maintainability and traceability.

This is why Software Bill of Materials logic is becoming more important in the software sector. Software Bill of Materials, version control, and regulated releases are becoming standard tools for many manufacturers.

Meaning for Industrial Electronics and Mechanical Engineering

The CRA is often associated with Consumer IoT. It is equally relevant for industrial applications. Modern machines, controllers, and plants incorporate network technology, remote maintenance, data logging, fieldbus gateways, and serviceable embedded systems. This raises the same fundamental questions as in other digital products.

In industrial environments, additional requirements come into play. Lifecycles are longer, release processes are stricter, modifications in the field are more complex, and downtime is expensive. A security update here cannot be viewed in isolation but must align with operations, validation, and production reality.

This requires robust engineering processes. Companies need clear strategies on how security updates are tested, approved, and rolled out without jeopardizing the availability of technical systems.

Organizational consequences within the company

The CRA is not the responsibility of individual security specialists. Product management, development, quality, purchasing, service, documentation, and management are affected. Roles and responsibilities must be clearly defined.

Product management must steer requirements and market responsibility. Development must implement technical measures. Purchasing must assess supplier capability. Service needs processes for field actions. Quality and management require transparency on risks, maturity, and evidence.

This will create a formalized product security structure for the first time in many medium-sized companies. This can be achieved through dedicated roles, clear approval mechanisms, or integrated responsibilities within the existing quality management.

Cybersecurity for products with digital elements is therefore a continuous development process from requirements, architecture, and implementation to verification, penetration testing, updates, and vulnerability management. The CRA strengthens precisely this lifecycle approach, where TARA, security requirements, and regular re-assessment cycles become an integral part of product maintenance.

CRA Diagram: Safety Goals, Functions, and Tests – Focus on Embedded Software and Functional Safety.
CRA: Security goals, functions, and tests become processes

Secure Engineering and Security by Design

Companies that view CRA solely from a legal perspective are falling short. The real work lies in the engineering. Security architecture, update capability, component strategy, testability, and technical documentation determine how complex compliance will actually be.

Those who develop products with a modular software structure, clean interface separation, and traceable configuration create more favorable conditions. Those who operate historically grown platforms with unmaintained legacy components will see higher costs.

Therefore, the CRA is also a driver of modernization. Many necessary measures not only improve the regulatory situation but also maintainability, product quality, and manageability of complex systems.

As soon as electronics are controlled by firmware or software and also have interfaces to networks, service devices, or other participants, an attack surface is created. This is precisely where the CRA comes in. The regulation does not demand individual isolated security functions, but rather a traceable security approach throughout the entire product lifecycle.

For companies, this means that security must be organized as a technical development process.

Measures for electronics development

From the CRA's perspective, a device with Ethernet, Wi-Fi, Bluetooth, CAN-over-IP, mobile radio, USB service port, web interface, remote maintenance, or data exchange with other participants is a relevant digital product. Internal networks in machines, plants, or vehicles are also technically significant because communication always opens up potential attack vectors. The term "network" is deliberately used very broadly.

One Microcontroller without a classic internet connection can be affected if it is accessible via a gateway, exchanges diagnostic data, or is part of a larger networked system.

This leads to a central interpretation: It is not the industry that determines relevance, but the technical exposure of the product.

TARA: Threat And Risk Assessment

A central tool for practical implementation is the Threat Analysis and Risk Assessment The CRA does not use the term TARA, but it requires precisely this approach in terms of content: identifying risks, assessing threats, and deriving protective measures.

For electronics with software, this means that the system architecture must first be understood. Assets are then identified. These include firmware, bootloader, key material, configuration data, communication channels, measured values, actuators, safety functions, or production parameters.

In the next step, threats will be investigated. Typical examples include:

  • Firmware manipulation
  • Unauthorized access to maintenance functions
  • Network attacks on services and ports
  • Denial of Service against tax functions
  • Theft of cryptographic keys
  • Replay or spoofing attacks
  • Rightward expansion through software bugs
  • Abuse of insecure update paths

This analysis results in technical requirements. Without TARA, there is no solid basis for determining which protective measures are actually necessary.

Security by Design

The CRA requires that security not be added as an afterthought. For electronic products, this means that Security must already be anchored in architecture, hardware selection, and software structure.

A typical embedded system should therefore answer the following questions as early as the concept phase:

How is trust built in the system?
Which component starts first?
How is firmware tested?
Which interfaces are active in the field?
What rights does a service technician have?
How are keys stored?
How are logs generated?
How can an update be installed safely?

Security by Design regularly leads to measures such as Secure Boot, signed images, disabled debug interfaces in the field, segmentation of internal functions, role-based access, and hardened communication protocols.

If this is only taken into account late, effort, costs, and technical risks increase significantly.

Hardware and Software Requirements

Many companies primarily view security as a software issue. This falls short when it comes to interconnected electronics. The CRA affects the overall system. Therefore, hardware and software requirements must be considered separately and jointly.

On the hardware side, the following are frequently relevant:

  • Secure Elements or HSM
  • secure key storage
  • Debug Port Control
  • MPU / Memory Protection
  • TrustZone or comparable insulation
  • Physical tamper resistance depending on product class
  • Secure reset and recovery paths

On the software side, the following are regularly required:

  • secure authentication
  • Role and permission concepts
  • Hardening of Network Services
  • Input Validation
  • Memory error avoidance
  • Update and Rollback Concepts
  • Logging of security-relevant events
  • Secure default configuration

Only the interplay of both levels creates a robust security level.

Penetration Testing

The CRA requires effective security measures. In practice, mere documentation is not sufficient. Companies must verify that protective measures are actually working. Penetration testing is a key tool for this.

For embedded products, this typically includes:

  • Network scans and service analysis
  • Authentication Checks
  • Test insecure default credentials
  • Update manipulation attempts
  • Web Interface Tests
  • API Tests
  • Protocol fuzzing
  • Hardware access via UART, JTAG, SWD, or similar interfaces
  • Firmware and Secret Extraction
  • Review of Rights Escalations

Penetration testing should be planned based on risk. Critical functions, external interfaces, and privileged access should be prioritized.

For many companies, this is the transition from theoretical security to measurable product security.

Regular process

Perhaps the most important interpretation of the CRA is: Cybersecurity is not a project with an end date. It is an ongoing process.

A product released today can be affected tomorrow by new vulnerabilities, new attack methods, or new dependencies. Therefore, manufacturers must establish recurring processes:

  • regular re-evaluation of TARA
  • Vulnerability monitoring for deployed components
  • Open-Source Dependency Management
  • Security Regression Tests
  • Re-penetration tests for major releases
  • Patch and update processes
  • Incident Response
  • Documentation maintenance

Especially for products with long field lifetimes, this process determines actual compliance.

Conclusion

The Cyber Resilience Act makes cybersecurity a mandatory product feature in the European market. For manufacturers of digital products, this creates ongoing responsibility from the architectural decision to the end of the support period. Particularly in embedded systems, industrial electronics, and connected devices, the focus shifts to clean technical structures, documented processes, and maintainable platforms.

Companies that align engineering, supply chain, and lifecycle management with these requirements early on create resilient foundations for future product generations.