
What does the Cyber Resilience Act mean for engineers & buyers?

The EU Cyber Resilience Act (CRA) became law in December 2024 – mandating that from 2027, products with digital elements and connectivity must adhere to a strict set of rules in their design, documentation, and support before they can be supplied into the EU.

In this article, David Pashley, Co-Founder & Managing Director at Direct Insight, outlines what engineers need to be thinking about when designing their products – as well as what procurement professionals must consider when sourcing components.

What is the CRA?

The European Union’s Cyber Resilience Act (CRA) marks a transformative shift in how digital products must be designed, developed, and brought to market for use across the EU. Certain products – such as medical devices, aviation, and automotive products – are already covered by existing EU cybersecurity rules. The CRA, however, is the first comprehensive EU-wide legislation of its kind: it introduces mandatory cybersecurity requirements for virtually all hardware and software products with digital elements, fundamentally altering the compliance landscape for manufacturers, importers, and distributors.

The CRA became law in December 2024, extending the CE marking scheme by mandating that, from 2027, all products with digital elements that can be connected to a device or network must adhere to a strict set of rules in their design, documentation, and support before claiming conformance – a requirement for products to be supplied into the EU.

The CRA applies to any product available in the EU – regardless of whether it’s sold for payment or provided free of charge – that is supplied as part of a commercial activity. The location of the manufacturer or supplier – whether based inside or outside the EU – is irrelevant; if the product is accessible in the EU, then the CRA’s requirements will apply.

The legislation applies to a broad range of products with digital elements – essentially, any device or software whose intended use involves a direct or indirect connection to a device or network. As well as discrete items of software or hardware, this covers smart home and other IoT and connected devices, computers and mobile devices, wearables, operating systems, applications, embedded software, and even industrial components. Only products already covered by existing EU cybersecurity rules, such as medical devices, aviation, and automotive products, are exempt from the CRA. Open-source software can be excluded, but only where it is not made available in the EU market as part of a commercial activity.

To indicate compliance, products must bear the CE mark, a familiar symbol signifying conformity with EU safety, health, and environmental standards – while non-compliance can result in substantial fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.

What does it mean for engineers & buyers?

The CRA represents a paradigm shift for all those involved in designing, developing, and manufacturing electronic products and embedded systems. It requires increased upfront investment, with security by design integrated into product development from the earliest stages, as well as ongoing obligations well beyond the point of sale, including the need for continuous vulnerability monitoring, incident reporting, and regular updates. It will have a significant impact on embedded design engineers, who may be unfamiliar with the world of CVEs (Common Vulnerabilities and Exposures) and SBOMs (software bills of materials) – and unprepared to implement requirements such as encryption, secure boot, and OTA (over-the-air) updating.

But in our opinion, developers should view the CRA as an opportunity, not a threat. Many discussions around the CRA and cybersecurity have revolved around whether this or that requirement can be rightfully avoided. In one sense, this is understandable, given the time and effort required for implementation. However, as customers increasingly (and rightfully) demand secure products, surely we want to demonstrate that we’re meeting that demand, rather than tying ourselves in knots to avoid implementing the most basic forms of security?

Moreover, the CRA’s cybersecurity requirements extend beyond individual organisations and products, throughout the entire supply chain. Since OEMs must ensure security not only for their own products, but also for all third-party components, including open-source software, the CRA will impact procurement and how electronic components are sourced and used. With the onus on manufacturers, importers, and distributors (collectively termed ‘economic operators’) to ensure their products comply with the CRA, due diligence is required to verify that all components, whether manufactured in-house or purchased, carry the necessary CE marking and meet the CRA’s requirements.

For buyers, compliant components offer a massive commercial advantage over legacy products, so there is substantial benefit to be gained for manufacturers by ensuring their offering conforms now.

Conclusion

All products shipped in the EU must comply by December 2027, so it’s time to start planning. It’s hard not to contrast the challenge of facing cybersecurity requirements at short notice with the relative simplicity and lower cost of a more measured approach. Nearly all electronic products will be subject to the provisions of the Cyber Resilience Act in 2027. Easy steps taken by developers and procurement professionals today could help make CRA compliance more of a breeze than an approaching storm.

David Pashley, Co-Founder & Managing Director, Direct Insight


This article originally appeared in the July/August issue of Procurement Pro.