Getting Ready for the EU Cyber Resilience Act

By Murray Slovick, TTI Marketeye

Hardware and software products are increasingly subject to successful cyberattacks. According to the impact assessment report accompanying the European Commission’s Cyber Resilience Act (CRA), which bolsters cybersecurity rules to ensure more secure hardware and software products, the annual cost of data breaches is estimated at at least $11.65 billion (€10 billion), and the annual cost of malicious attempts to disrupt internet traffic at at least $75.7 billion (€65 billion).

The CRA aims to address threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements as part of a wider set of European product legislation.

The CRA was first adopted in 2024, but there will be a transitional period until 2027 before the reporting requirements become mandatory and subject to penalties for non-compliance. The Act is being introduced in two phases. The first requires compliance by September 11, 2026, for importers of equipment and the second by December 11, 2027, for all the requirements of the CRA. On September 11, 2026, manufacturers of connected products will be subject to mandatory reporting of vulnerabilities and incidents.

The primary focus of the CRA is on companies developing and commercializing non-embedded software. As a result, embedded system developers will face significant challenges over the next two years as the CRA regulations come into effect. 

The aim of the CRA is to ensure that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle.

All products sold in the EU that contain digital elements must fulfill the essential requirements of the CRA. This includes low-cost consumer products as well as B2B software and complex high-end industrial systems. Products with digital elements are defined in the CRA as products that can be connected to a device or a network; they include both hardware products with networked functions (such as smartphones, watches, internet-connected toys and laptops, but also microprocessors and smart meters) and pure software products.

The CRA applies to economic operators such as manufacturers, software developers, distributors, importers and other economic players (e.g. resellers) who supply digital products to the European market. The CRA places responsibility on those who place their products on the market. It includes:

  • Rules for placing products with digital elements on the market to ensure cybersecurity
  • Essential requirements for the vulnerability-handling processes put in place by manufacturers to ensure the cybersecurity of products during their entire life cycle, and obligations for economic operators in relation to these processes
  • An obligation for manufacturers to report actively exploited vulnerabilities and incidents, and to provide secure over-the-air firmware updates
  • Rules on market surveillance, enforcement, risk assessment and secure-by-design integration


Risk Assessment

Manufacturers must undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with a view to minimizing cybersecurity risks, preventing incidents and minimizing their impact, including in relation to the health and safety of users.

When placing a product on the market, the manufacturer must include the cybersecurity risk assessment in the technical documentation.

There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example, on medical devices, civil aviation software or cars.

Free and open-source software, as well as pure Software as a Service (SaaS) offerings, does not fall under the purview of the CRA. However, open-source software from which its developers derive some form of commercial activity is subject to the Act’s requirements. Examples of commercial activities include:

  • Charging for the software itself or technical support beyond actual costs
  • Monetization through platforms or services linked to the software
  • Requiring personal data processing for purposes other than security, compatibility or interoperability
  • Accepting donations exceeding development and provision costs

The CRA does not apply to products developed or modified exclusively for national security or defense purposes.

The Regulation also does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.   

For the first time, a software bill of materials (SBoM) will apply to a wide range of products sold in the European Union from December 2027 onward. Manufacturers must document all software and hardware components in this SBoM. For a product based on Android or Linux, you will need the software bill of materials from the supplier.


Example: Microcontroller Certification

Renesas Electronics, for example, has already certified several ranges of its microcontrollers for CRA by introducing an extension to its certification that addresses the compliance requirements of the CRA.

This certification, evaluated by Applus+ Laboratories, encompasses the RA4L1 MCU Group featuring low power, 32-bit microcontrollers (MCUs) based on the Arm Cortex-M33 (CM33) core with Arm TrustZone technology, delivering low voltage operation, low power consumption and high performance.

The integrated low-power features, advanced security engine and communication interfaces make these devices well-suited for many industrial automation, home appliances, smart home, consumer, building/home automation and medical/healthcare applications.
