Cyber Resilience Act

With the Cyber Resilience Act (CRA), the European Union has created a regulatory framework that directly transfers cybersecurity into product liability.

The Cyber Resilience Act (CRAThis obligates companies with hardware, embedded software, industrial electronics, networked sensors, or standalone software products to make operational changes in engineering. Requirements for development, documentation, maintenance, and vulnerability management will become an integral part of regular product business. This is particularly relevant for industries with long life cycles, technical variant statuses, and complex supply chains. The regulation is aimed at manufacturers, importers, and other economic actors who make products with digital elements available on the European market. Consequently, cybersecurity is no longer treated as a separate IT issue, but rather as an inherent product feature.

Scope

Companies are rightly asking: What is the Cyber Resilience Act? It is an EU regulation that sets uniform cybersecurity requirements for products with digital elements, i.e., for hardware, software, and connected devices. For electronics, this means: devices such as IoT products, controllers, routers, sensors, smart home devices, or embedded systems must be developed securely from the design stage. Manufacturers must address vulnerabilities, provide security updates, and document how the product is protected against cyberattacks. Importers and distributors are also affected if they make such products available on the EU market. In practice, the CRA will lead to more effort in electronics for development, firmware updates, risk assessment, CE conformity, and product maintenance throughout the lifecycle.

Products with digital elements

The CRA uses the term „products with digital elements.“ This refers to products whose function is wholly or partially characterized by software, firmware, data processing, or networking. This includes classic consumer products as well as industrial systems, machine components, control units, communication modules, or software-based applications.

For industry, it is crucial that many established products now include digital elements, even if they were historically understood as purely electronic or mechanical products. A control unit with an Ethernet interface, diagnostic access via USB, a web interface for parameterization, or a cloud-capable gateway bring a product into an area where cybersecurity becomes regulatorily relevant.

The practical consequence is a reassessment of the portfolio. Companies must not only consider new products but also existing platforms, variant families, and series products. Many organizations will find that a significant portion of their offering falls under the CRA.

The CRA distinguishes between general products with digital elements and particularly relevant product groups with increased requirements. A large portion of products falls within the scope of regular conformity assessment with internal manufacturer responsibility. This includes numerous standard products from the software and consumer environment.

Infographic on product classification: Cyber Resilience Act: Self-assessment, Class I/II, 90% products, third-party assessment.
Product classification according to the Cyber Resilience Act

For defined product groups from Annex III, stricter requirements apply. These products are divided into Class I and Class II. The technical function, area of application, and potential impact on safety and infrastructure are decisive.

Class I includes products such as network interfaces, firewalls, and certain microcontroller platforms. Here, evaluation is typically carried out using harmonized standards or suitable testing procedures.

Class II particularly concerns highly sensitive or system-relevant components such as processors, secure elements, operating systems, or industrial firewalls. In these cases, the regulatory scrutiny depth increases, often with the involvement of external bodies.

Cybersecurity as part of the development discipline

The CRA anchors cybersecurity in product development. Construction, electronics development, software development, and system architecture must consider security requirements early on. This concerns not only visible security features but fundamental design decisions.

An architecture with unnecessarily open interfaces, unprotected service access, or a lack of separation between trust domains creates risks that can only be corrected later with significant effort. The CRA therefore increases the importance of early architectural decisions. Security aspects belong in requirements management, system design, interface definition, component selection, and integration concepts.

In embedded systems, this regularly concerns topics such as secure boot chains, protection of debug accesses, firmware integrity, rights concepts for maintenance functions, secure communication channels, and controlled update mechanisms. Memory and runtime protection through MPU, TrustZone, or comparable mechanisms is also gaining importance.

Companies with established development processes can integrate these requirements in a structured way. Organizations without clearly defined engineering gates will have to exert more control, because security must be planned and implemented in a traceable manner.

Vulnerability Management in Accordance with the Cyber Resilience Act

A central element of the CRA is ongoing responsibility after placing on the market. Products remain relevant to security even after delivery. Manufacturers need processes to record, assess, prioritize, and fix vulnerabilities.

This changes the classic view of many product companies. In numerous industries, the start of series production was long considered the transition from development to support. The CRA shifts this model. Security work continues throughout the entire lifecycle. This includes reporting structures for external information, internal assessment of technical risks, development of corrective measures, testing of new software versions, and the controlled deployment of updates.

For products in the field, this immediately raises the question of technical updateability. Systems without a secure update function incur high operational costs in the event of a vulnerability, as service calls, manual rework, or hardware replacements may be required. Therefore, updateability is not only a compliance issue but also an economic factor.

Documentation and traceability

The CRA requires provable traceability. Companies must be able to demonstrate how security requirements have been implemented. This includes technical documentation as well as internal processes and compliance documents.

In practice, a general product description is not sufficient for this. Understandable information is required regarding architecture, digital functions, components used, relevant interfaces, security mechanisms, update concepts, and processes for handling vulnerabilities. Tests, validations, and approvals are also gaining importance.

Many companies possess extensive development data, but lack structured security documentation. Therefore, the CRA often does not lead to entirely new activities, but to the necessity of systematically documenting existing technical work.

For engineering organizations, this is an important point: those who cleanly manage architectural decisions, tests, and releases significantly reduce later effort for documentation.

Supply chains and purchased components

Digital products rarely consist solely of in-house development. Operating systems, middleware, radio modules, libraries, open-source components, semiconductor platforms, and external software components are standard. The CRA therefore automatically increases the relevance of supplier management.

A manufacturer needs to know which components are used in the product, what dependencies exist, and how security updates from the supply chain become available. Particularly critical are building blocks without long-term maintenance, undocumented third-party software, or platforms with an unclear security roadmap.

In embedded environments, this affects microcontroller SDKs, Linux distributions, communication stacks, wireless modules, or proprietary third-party libraries, for example. A lack of transparency creates risks in maintainability and traceability.

That's why Bill of Materials logic is becoming more important in the software sector. Software Bill of Materials, version control, and regulated approvals are becoming standard tools for many manufacturers.

Meaning for Industrial Electronics and Mechanical Engineering

The CRA is often associated with consumer IoT. It is equally relevant for the industrial sector. Modern machines, controls, and systems include network technology, remote maintenance, data logging, fieldbus gateways, and service-enabled embedded systems. This raises the same fundamental questions as in other digital products.

In industrial environments, additional requirements are added. Lifecycles are longer, release processes are stricter, changes in the field are more complex, and downtime is expensive. A security update cannot be considered in isolation here, but must align with operations, validation, and production reality.

This requires robust engineering processes. Companies need clear strategies for how security updates are tested, approved, and rolled out without compromising the availability of technical systems.

Organizational consequences within the company

The CRA is not a task for individual security specialists. Product management, development, quality, purchasing, service, documentation, and management are affected. Roles and responsibilities must be clearly defined.

Product management must steer requirements and market responsibility. Development must implement technical measures. Purchasing must evaluate supplier capabilities. Service needs processes for field actions. Quality and management require transparency regarding risks, maturity, and evidence.

This will create a formalized product security structure for the first time in many medium-sized companies. This can be achieved through dedicated roles, clear release mechanisms, or integrated responsibilities within existing quality management.

Cybersecurity is therefore a continuous development process for products with digital elements, from requirements, architecture, and implementation to verification, penetration testing, updates, and vulnerability management. The CRA strengthens precisely this lifecycle approach, where TARA, security requirements, and regular re-assessment cycles become an integral part of product maintenance.

CRA Diagram: Safety Goals, Functions, and Tests – Focus on Embedded Software and Functional Safety.
CRA: Security goals, functions, and tests become processes

Secure Engineering and Security by Design

Companies that view the CRA purely from a legal perspective are falling short. The real work lies in engineering. Security architecture, update capability, component strategy, testability, and technical documentation determine how complex compliance actually becomes.

Those who develop products with modular software structures, clean interface separation, and traceable configurations create more favorable conditions. Those who operate historically grown platforms with unmaintained legacy components will see higher costs.

This is why the CRA is also a driver of modernization. Many necessary measures not only improve the regulatory situation but also maintainability, product quality, and the controllability of complex systems.

Once electronics are controlled by firmware or software and also have interfaces to networks, service devices, or other participants, an attack surface is created. This is precisely where the CRA comes in. The regulation does not demand individual isolated security functions, but rather a understandable security approach throughout the entire product lifecycle.

For companies, this means security must be organized as a technical development process.

Measures for electronics development

From the CRA's perspective, a device with Ethernet, Wi-Fi, Bluetooth, CAN-over-IP, cellular, USB service port, web interface, remote maintenance, or data exchange with other participants is considered a relevant digital product. Internal networks in machines, plants, or vehicles are also technically significant because communication always opens up potential attack vectors. The term "network" is intentionally used very broadly here.

A microcontroller without a classic internet connection can be affected if it is accessible via a gateway, exchanges diagnostic data, or is part of a larger networked system.

This leads to a central interpretation: It is not the industry that determines relevance, but rather the technical exposure of the product.

Cyber Security for Embedded Systems

Develop robust and cyber-secure electronics with PICKPLACE.
Request a project now and efficiently implement your electronic system.

TARA: Threat And Risk Assessment

A central tool for practical implementation is the Threat Analysis and Risk Assessment (TARA). The CRA does not use the term TARA, but it requires exactly this approach in terms of content: identify risks, assess threats, derive protective measures.

For electronics with software, this means that the system architecture must first be understood. Then, assets are identified. These include firmware, bootloaders, key material, configuration data, communication channels, measured values, actuators, safety functions, or production parameters.

In the next step, threats will be investigated. Typical examples include:

  • Firmware manipulation
  • Unauthorized access to maintenance functions
  • Network attacks on services and ports
  • Denial of Service against tax functions
  • Theft of cryptographic keys
  • Replay or spoofing attacks
  • Right expansion via software error
  • Abuse of insecure update paths

This analysis generates technical requirements. Without TARA, there is no solid foundation for determining which security measures are actually necessary.

Security by Design

The CRA requires that security not be an afterthought. For electronic products, this means that Security must already be anchored in architecture, hardware selection, and software structure.

A typical embedded system should therefore answer the following questions as early as the concept phase:

How is trust built in the system?
Which component starts first?
How is firmware tested?
Which interfaces are active in the field?
What rights does a service technician have?
How are keys stored?
How are logs generated?
How can an update be installed safely?

Security by Design regularly leads to measures such as secure boot, signed images, disabled debug interfaces in the field, segmentation of internal functions, role-based access, and hardened communication protocols.

If this is considered late, effort, costs, and technical risks will increase significantly.

Hardware and Software Requirements

Many companies primarily view security as a software issue. This is not enough for interconnected electronics. The CRA affects the overall system. Therefore, hardware and software requirements must be considered separately and jointly.

On the hardware side, the following are often relevant:

  • Secure Elements or HSM
  • secure key storage
  • Debug Port Control
  • MPU / Memory Protection
  • TrustZone or comparable isolation
  • Physical tamper resistance depending on product class
  • Secure reset and recovery paths

On the software side, the following are regularly required:

  • secure authentication
  • Role and permission concepts
  • Hardening of network services
  • Input Validation
  • Memory error avoidance
  • Update and Rollback Concepts
  • Logging of security-relevant events
  • Secure default configuration

Only the interplay of both levels creates a robust security level.

Penetration Testing

The CRA requires effective security measures. In practice, mere documentation is not sufficient for this. Companies must verify that protective measures actually work. Penetration testing is a key tool for this.

For embedded products, this typically includes:

  • Network scans and service analysis
  • Authentication checks
  • Test of insecure default access credentials
  • Update manipulation attempts
  • Web Interface Tests
  • API Tests
  • Protocol fuzzing
  • Hardware access via UART, JTAG, SWD, or similar interfaces
  • Firmware and Secret Extraction
  • Review of rights escalations

Penetration testing should be planned based on risk. Critical functions, external interfaces, and privileged access should be prioritized.

For many companies, this is the transition from theoretical security to measurable product security.

Regular process

Perhaps the most important interpretation of the CRA is: Cybersecurity is not a project with an end date. It is an ongoing process.

A product released today can be affected tomorrow by new vulnerabilities, new attack methods, or new dependencies. Therefore, manufacturers must establish recurring processes:

  • regular reassessment of the TARA
  • Vulnerability monitoring for deployed components
  • Open Source Dependency Management
  • Security Regression Tests
  • re-penetration tests for major releases
  • Patch and update processes
  • Incident Response
  • Documentation maintenance

This process is decisive for actual compliance, especially with products that have long field operating times.

Cyber Resilience Act Summary

The Cyber Resilience Act makes cybersecurity a mandatory product feature in the European market. Manufacturers of digital products face ongoing responsibility from architectural decisions through the end of the support period. Particularly in embedded systems, industrial electronics, and connected devices, the focus is shifting towards clean technical structures, documented processes, and maintainable platforms.

Companies that align engineering, supply chain, and lifecycle management with these requirements early on create resilient foundations for future product generations.