The Cyber Resilience Act

What is the Cyber Resilience Act? When will it come into effect? What is the impact on your products and activities? What will you need to do to comply?
This synthesis aims at answering all device makers’ concerns and providing them with a clear path towards cybersecurity compliance.

Download the pdf
Try our solutions

What is the Cyber Resilience Act?

The Cyber Resilience Act (or “CRA”) is a regulation from the European Union to make sure equipment manufacturers develop and maintain secure hardware and software products.

Read more

Who must comply with this regulation?

This regulation applies to all products with digital elements with a direct or indirect logical or physical data connection to a device or network.

Read more

Product categories: default, important & critical

The Cyber Resilience Act classifies products in three categories with distinct security requirements to meet. 

Read more

The Cyber Resilience Act deadlines are closer than you think

CRA deadlines are approaching very quickly: Reporting obligations regarding actively exploited vulnerabilities and incidents will begin in September 2026, while all other obligations will enter into force in December 2027.

Cyber Resilience Act harmonized standards timeline

Risks of non-compliance

fine in case of failure to meet cybersecurity requirements
0
fines in case of inaccurate information provided to authorities
0

Key activities to comply with the Cyber Resilience Act

Cybersecurity risk assessment

The CRA requires equipment manufacturers to do comprehensive security assessments of their products and share them in products technical documentations.

Read more

Secure by design development

“On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be made available on the market without known exploitable vulnerabilities”

Read more

Vulnerability monitoring & patching

Device makers are required by the Cyber Resilience Act to diligently manage and address security vulnerabilities in their products. 

Read more

Documentation

Product technical documentation will serve as a vector of information on security activities for verification authorities and end-customers.

Read more

Reporting

Equipment manufacturers must establish clear protocols for reporting cybersecurity incidents, both internally and to relevant stakeholders.

Read more

Conformity assessment

Before launching a new product, device makers must conduct an assessment to validate that it doesn’t present any known and exploitable vulnerability.

Read more

Our off-the-shelf solutions to comply with the Cyber Resilience Act

CVE Scan vulnerability remediation tool

The simplest path for accurate vulnerability monitoring & reporting

Discover more

Kamea device management platform

Deploy secure updates for IoT devices fleet quickly & simply.

Discover more

Welma Yocto Linux distribution

A CRA-compliant & production ready foundation for your Linux devices.

Discover more
Cyber Resilience Act CRA checklist

Download the checklist to be ready for the CRA

Download

Cyber Resilience Act (CRA): additional resources

European Cyber Resilience Act (CRA)

Cyber Resilience Act - Text adopted in March 2024

Read more
Linux vulnerability - 4 steps to monitor your CVEs

Linux vulnerability: 4 steps to monitor your CVE

Read more
The Embedded Kit - Reference DevOps platform for embdded Linux maintenance - CVE Scan and Pluma automated testing

The ABCs of maintenance activities for embedded Linux systems

Read more
embedded linux trends 2026

Embedded Linux trends for 2026

Read more
Witekio logo white
STMicroelectronics logo white - The Embedded Kit partner
Ezurio logo grey (ex - Boundary Devices by Laird Connectivity - Welma Yocto Linux
NXP logo white

Our partners can also help with your risk assessment and security developments

See our partners