The Cyber Resilience Act (CRA) has become the security baseline for placing embedded products that combine hardware, software and network connectivity on the EU market. Under this regulation, embedded products that do not meet the CRA requirements can no longer be sold in the EU once its main obligations apply on 11 December 2027. Let's look at what makes an embedded device 'covered' under the EU CRA today.
The EU Cyber Resilience Act (CRA) is an EU regulation that sets uniform cybersecurity requirements for all products with digital elements (PDEs), which includes most embedded systems. Its main goal is to protect the data of EU users and to make such products as resilient against cyberattacks as possible, both at the time of sale and throughout the product's support period.
Every vendor selling digital embedded products built on microcontrollers, microprocessors, FPGAs or ASICs in the EU market needs to understand the CRA in detail and how their products can meet it. This article provides a checklist for bringing embedded systems into CRA compliance. So, let's get started!
Why Do Embedded Systems Specifically Fall Under the CRA?
In this digital age, many consumer and industrial products, such as smart door locks, video doorbells, automated coffee machines and industrial control systems, are embedded systems that are controlled and monitored from mobile phones and web dashboards. A security breach in one of these small devices can put the entire network behind it at risk, which is why embedded devices have become a favoured entry point for cyberattacks in the past few years.
When Does the CRA Apply?
The CRA entered into force on 10 December 2024. Manufacturers have a transition period: the obligation to report actively exploited vulnerabilities and severe incidents applies from 11 September 2026, and the full set of obligations applies from 11 December 2027.
How Do Embedded Systems Comply with the EU CRA?
To comply with the CRA, an embedded product must meet the essential cybersecurity requirements of the regulation. For embedded systems, these translate into at least the following checklist:
- Secure Boot: The device must execute only firmware that carries a valid signature from the manufacturer and must refuse to boot modified or malicious images. In practice this means a root of trust (an immutable boot ROM or first-stage loader holding the manufacturer's public key) that verifies each subsequent stage before handing over control.
- Secure OTA Updates: The product must have a robust mechanism to deliver over-the-air (OTA) updates so that security patches and feature updates can be rolled out in the future. Updates must be signed and verified before installation, and the device should reject downgrades to older versions with known vulnerabilities (anti-rollback).
- SBOM Generation: A Software Bill of Materials (SBOM) must be generated and maintained for the product, listing every component, including open-source libraries and their versions, so that newly disclosed vulnerabilities can be traced to the affected devices.
- Vulnerability Analysis and Mitigation: Vulnerabilities must be analysed and handled during development (static analysis, dependency scanning, security testing), and a process must exist to fix vulnerabilities in already deployed devices via OTA updates throughout the product's support period.
- Logging and Monitoring: Security-relevant events in the embedded system must be logged and monitored on a regular basis, and a mechanism for mitigating detected incidents must be in place.
- Access Control: Proper identity and authentication management is required to prevent unauthorised access; as good practice this means unique per-device credentials rather than shared defaults, and interfaces limited to what each role needs. This also reduces the attack surface in the event of a cyberattack.
- Data Encryption: User and system data stored on the device must be encrypted, for example in an encrypted partition, to prevent data breaches, and must also be protected against manipulation (integrity protection, for instance authenticated encryption). The same protections apply to data in transit.
- Secure Data Removal: The user must be able to permanently delete all data and settings from the device, and must also be able to securely transfer their data to other systems.
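As an added example that is not part of the original article, the secure-boot and OTA items above can be made concrete with a small firmware image verifier written in Go using the standard library's Ed25519 implementation. The image layout (a 16-byte header with magic, version and length fields, followed by the payload and a 64-byte signature), the error names and the sample payload are all assumptions made for this illustration, not a format defined by the CRA or by any vendor. The device side holds only the public key; because the version field sits inside the signed region, the anti-rollback decision is taken only after the signature has been verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (an assumption for this example, not a CRA or
// vendor-defined format):
//   header (16 bytes) : magic | version | payload length | reserved (little-endian uint32 each)
//   payload           : the firmware itself
//   signature (64 B)  : Ed25519 over header||payload
const (
	imageMagic = 0x46574952 // "FWIR", arbitrary magic chosen for this example
	headerLen  = 16
)

var (
	ErrFormat    = errors.New("malformed firmware image")
	ErrSignature = errors.New("firmware signature verification failed")
	ErrRollback  = errors.New("firmware version older than the minimum allowed")
)

// BuildSignedImage is what the manufacturer's build pipeline would do: it
// prepends the header and appends a signature made with the private key,
// which never leaves the signing infrastructure.
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	binary.LittleEndian.PutUint32(hdr[0:4], imageMagic)
	binary.LittleEndian.PutUint32(hdr[4:8], version)
	binary.LittleEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device-side check. It needs only the public key (baked
// into boot ROM or OTP) and the lowest version the device will accept: the
// installed version for a boot-time check, installed+1 for an OTA install.
// It returns the verified version and the payload that may be executed.
func VerifyImage(pub ed25519.PublicKey, image []byte, minVersion uint32) (uint32, []byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrFormat
	}
	if binary.LittleEndian.Uint32(image[0:4]) != imageMagic {
		return 0, nil, ErrFormat
	}
	version := binary.LittleEndian.Uint32(image[4:8])
	length := binary.LittleEndian.Uint32(image[8:12])
	// The declared length must account for exactly the bytes that are present.
	if uint64(length) != uint64(len(image)-headerLen-ed25519.SignatureSize) {
		return 0, nil, ErrFormat
	}
	signed := image[:headerLen+int(length)]
	sig := image[headerLen+int(length):]
	// Signature first: nothing in the header is trusted until this passes.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	// Anti-rollback: the version is authenticated, so we can now rely on it.
	if version < minVersion {
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload for the example") // constructed sample input

	good := BuildSignedImage(priv, 2, payload)
	v, _, err := VerifyImage(pub, good, 1)
	fmt.Println("signed v2, min v1:", v, err)

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01 // flip one bit of the payload
	_, _, err = VerifyImage(pub, tampered, 1)
	fmt.Println("tampered payload: ", err)

	old := BuildSignedImage(priv, 1, payload)
	_, _, err = VerifyImage(pub, old, 2)
	fmt.Println("downgrade to v1:  ", err)
}
```

On a real device the public key would be stored in immutable memory and the minimum accepted version in a monotonic counter (OTP fuses or a replay-protected memory block), so that an attacker with write access to flash can neither swap the key nor reset the rollback floor.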
Violation of the CRA and Its Consequences:
Companies have until 11 December 2027 to bring their products into compliance. After that deadline, violating the CRA can lead to the following consequences:
- Heavy fines of up to 15 million euros or 2.5% of the company's worldwide annual turnover, whichever is higher
- Withdrawal or a complete ban of the product from the European market
- Loss of European customers' trust and decreased sales
- Liability risk in the event of a security breach
Final Words:
Everyone involved in designing or selling embedded systems must understand the CRA and its potential impact on their products. If a product is not yet CRA-ready, the compliance work should be planned now so that the product stays on the market from December 2027 and the company avoids hefty fines.