The Cyber Resilience Act

What is the Cyber Resilience Act? When does it come into effect? What is its impact on your products and activities? What will you need to do to comply?
This summary aims to answer device makers' main questions and give them a clear path towards cybersecurity compliance.

What is the Cyber Resilience Act?

The Cyber Resilience Act (or “CRA”, Regulation (EU) 2024/2847) is a European Union regulation that requires manufacturers to design, develop and maintain hardware and software products with digital elements securely, from design through the whole support period, as a condition for placing them on the EU market.

Who must comply with this regulation?

The regulation applies to all products with digital elements made available on the EU market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This covers both hardware and software products, including their remote data processing components. Products already regulated by other sectoral legislation (for example medical devices, motor vehicles and civil aviation) are excluded, as is non-commercial open source software.

Product categories: default, important & critical

The Cyber Resilience Act classifies products into three categories with distinct security requirements to meet: default products (the vast majority), important products (listed in Annex III, split into Class I and Class II) and critical products (listed in Annex IV). All categories must meet the same essential requirements of Annex I; what differs is the conformity assessment route. Default products can be self-assessed by the manufacturer, whereas important Class II and critical products require third-party assessment (or, for critical products, a European cybersecurity certification scheme where one is mandated).

Key activities to comply with the Cyber Resilience Act

Cybersecurity risk assessment

The CRA requires manufacturers to carry out a cybersecurity risk assessment of each product, covering its intended purpose and reasonably foreseeable use, and to keep it up to date during the support period. The assessment determines which essential requirements apply and how they are met, and it must be included in the product's technical documentation.

Secure by design development

“On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be made available on the market without known exploitable vulnerabilities” (Annex I, Part I).

Vulnerability monitoring & patching during the product lifecycle

Device makers are required by the Cyber Resilience Act to identify, document and remediate security vulnerabilities in their products for a support period of at least five years (or the product's expected lifetime, if shorter). In practice this means maintaining a software bill of materials (SBOM) in a machine-readable format covering at least the top-level dependencies, publishing a coordinated vulnerability disclosure policy with a contact point for reporting, and delivering security updates without delay and free of charge, separately from functional updates where technically feasible. 

Documentation

The product's technical documentation must describe the design, development and vulnerability handling processes, the cybersecurity risk assessment and the evidence that the essential requirements are met. It is the main source of information on security activities for market surveillance authorities and conformity assessment bodies, while end-users receive the information and instructions set out in Annex II (including the support period end date and where to report vulnerabilities).

Reporting

Manufacturers must be able to report any actively exploited vulnerability in their product, and any severe incident impacting its security, to the CSIRT designated as coordinator and to ENISA through the single reporting platform. The deadlines are an early warning within 24 hours of becoming aware, a full notification within 72 hours, and a final report within 14 days (exploited vulnerability) or one month (severe incident). Affected users must also be informed, along with any corrective measures they can take. Meeting these deadlines requires clear internal escalation paths between security, engineering and legal teams.

Conformity assessment

Before placing a product on the market, the manufacturer must assess its conformity with the essential requirements of Annex I, draw up the EU declaration of conformity and affix the CE marking. For default products this is an internal control procedure (self-assessment); for important and critical products, depending on the class, a third-party conformity assessment body or a European cybersecurity certificate may be required.

When will the CRA be effective? Cyber Resilience Act timeline

To give manufacturers time to adapt to the new regulation, most obligations apply 36 months after the CRA's entry into force on December 10th, 2024, that is from December 11th, 2027. Two exceptions apply earlier: the reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11th, 2026 (21 months), and the provisions on the notification of conformity assessment bodies apply from June 11th, 2026 (18 months).

Cyber Resilience Act harmonized standards timeline

Risks of non-compliance

Fines for failure to meet the essential cybersecurity requirements or the reporting obligations: up to €15 million or 2.5% of the worldwide annual turnover of the preceding financial year, whichever is higher.
Fines for other non-compliance with the regulation: up to €10 million or 2% of worldwide annual turnover.
Fines for supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities: up to €5 million or 1% of worldwide annual turnover.
Non-compliant products can also be withdrawn from or recalled off the EU market.

Our off-the-shelf solutions to comply with the Cyber Resilience Act

Update your fleet of IoT devices quickly, simply and safely.

Linux distribution based on Yocto, ready for production and maintenance

Cyber Resilience Act CRA checklist

Download the checklist to be ready for the CRA

Partners: Witekio, STMicroelectronics, Ezurio (formerly Boundary Devices by Laird Connectivity), NXP.

Our partners can also help with your cybersecurity risk assessment and secure development activities.

Cyber Resilience Act (CRA): additional resources


Get in touch with our team

Need help with the Cyber Resilience Act? Just reach out to us!