Market Outlook


Navigating the Cyber Resilience Act (CRA): 101 for embedded systems & IoT developers


Companies that want to CE mark their products for sale into Europe need to understand the Cyber Resilience Act (CRA) – a wide-ranging new EU regulation that became law in December 2024, setting out cybersecurity requirements for products with digital elements. But it’s a lengthy, complex legal document – hard going, even for developers with years of real-world experience in designing secure digital and embedded systems. In this introductory Q&A, CRA subject matter expert, Direct Insight co-founder & managing director David Pashley provides a clear, simple explainer for embedded developers.


Q: Is the CRA an enforceable law? When will it come into effect? And what are the penalties?

A: Yes, while EU directives set out a goal that EU states must achieve (via each country’s own legislation), EU regulations like the CRA have immediate force of law (albeit they may specify a later date from which compliance will apply) across the EU (European Union). The Cyber Resilience Act (CRA) received formal approval by the European Parliament in March 2024 – and was adopted by the EU Council in October 2024, entering into force on 10th December 2024.


Under the CRA, if you want your product to carry the CE mark – a requirement for products to be sold in the EEA (European Economic Area) – it will need to be certified as compliant with the Cyber Resilience Act, in addition to applicable prior legislation. As with existing CE marking, for most categories, companies will ‘self-certify’ their products. However, penalties for non-compliance can reach €15 million (or up to 2.5 per cent of annual global turnover, whichever is higher).


Q: Will the Cyber Resilience Act apply to my company’s products, even if it is based in the UK, US, or elsewhere outside of the EU?

A: If you normally CE mark your products (in order to sell them into the EEA), then your products must comply – no matter where you are based. If you don’t ship to the EU, or your products are non-commercial, then compliance is not required.


14 December/January 2025


Components in Electronics


Q: OK, what is required for an embedded system or digital/connected smart/IoT product to comply with CRA? Just the highlights please…

A: The following instructions from the CRA must be addressed:


The terms “secure by default configuration” and to “protect the integrity of stored, transmitted or otherwise processed data/programs” necessitate implementing Secure Boot as a minimum.


“encrypting relevant data at rest or in transit” demands secure storage, and/or TLS (Transport Layer Security).


“ensure that vulnerabilities can be addressed through security updates” means the manufacturer must have the ability to identify vulnerabilities as they arise, and the system must be field-updatable.


The section outlining that manufacturers must “provide for


www.cieonline.co.uk

