Cyber Resilience Act: everything you need to know

The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to enhance the cybersecurity posture of digital products across the entire lifecycle—from design to end-of-life. It represents the first horizontal EU legislation to impose mandatory cybersecurity requirements on both hardware and software that can connect directly or indirectly to a network.


Approved in October 2024 and officially entered into force in December 2024, the CRA will become fully applicable starting December 2027. Its aim is to build a common cybersecurity baseline for digital products in the EU market, ensuring they are secure by design and by default.

What the CRA requires

Manufacturers must now incorporate security from the earliest development phases. This includes:

  • Vulnerability management: Products must be equipped to monitor, detect, and handle vulnerabilities during their operational lifecycle.

  • Security updates: Regular patches and secure update mechanisms must be in place.

  • Secure development practices: Code must be developed following secure-by-design principles.

  • SBOM (Software Bill of Materials): Developers must provide a clear inventory of software components used.

  • Incident reporting: Significant security incidents must be reported to ENISA and affected users within 24 hours.

Additionally, manufacturers must define and communicate support timelines—including an explicit end-of-support date—so that users and authorities are informed about the product’s lifecycle.

Which products are covered

The CRA applies to all products with digital elements that are connected, directly or indirectly, to a device or network. This includes:

  • IoT devices

  • Wearables

  • Consumer electronics

  • Business software and applications

  • Operating systems and embedded firmware

Open-source software is excluded from the regulation only if it is developed and supplied non-commercially. Commercial open-source products must comply with the CRA.

Certain vertical sectors with their own cybersecurity frameworks—like medical, automotive, and aviation—are excluded to avoid regulatory overlaps.

What happens if you’re not compliant?

From December 2027, non-compliant products will not be allowed on the EU market.

The penalties are significant: up to €15 million or 2.5% of global turnover, whichever is higher. Non-compliance may also result in:

  • Product recalls

  • Reputational damage

  • Legal liabilities in case of cybersecurity breaches

Challenges for embedded systems

The CRA poses unique challenges for Linux-based embedded systems (e.g., Yocto, Debian). These devices often rely on a complex ecosystem of third-party components and open-source packages.

To comply:

  • Generate accurate SBOMs.

  • Configure systems to minimize attack surface by enabling only essential services.

  • Prepare infrastructure for secure updates, including after deployment.

  • Define an incident response plan to handle detected vulnerabilities quickly and transparently.
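The first of these steps, producing an accurate SBOM for a Debian-style embedded root filesystem, is shown below as an added example. It is not Abinsula's tooling and not part of the original article; it assumes the package database is readable in dpkg `status` format (the `STATUS_SAMPLE` stanzas are constructed for the example), emits CycloneDX 1.5 JSON, and then checks the result for components that lack the version or package URL an auditor would expect.

```python
"""Build a CycloneDX 1.5 SBOM from a dpkg status database and check it for
the fields a reviewer will look for (name, version, package URL).

Added example, not Abinsula's code. Assumes a Debian-style rootfs whose
/var/lib/dpkg/status is readable; STATUS_SAMPLE below is a constructed
excerpt standing in for that file."""
import json
from urllib.parse import quote

# Constructed excerpt in dpkg "status" format: blank-line separated stanzas.
STATUS_SAMPLE = """\
Package: openssl
Status: install ok installed
Version: 3.0.11-1~deb12u2
Architecture: arm64

Package: busybox
Status: install ok installed
Version: 1:1.35.0-4
Architecture: arm64

Package: old-agent
Status: deinstall ok config-files
Version: 0.9
Architecture: arm64

Package: vendor-blob
Status: install ok installed
Architecture: arm64
"""


def parse_dpkg_status(text):
    """Return one dict of field -> value per stanza. Continuation lines
    (leading space) are folded into the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:
            cur[last] += "\n" + line.strip()
        elif ":" in line:
            key, _, val = line.partition(":")
            key = key.strip()
            cur[key] = val.strip()
            last = key
    if cur:
        stanzas.append(cur)
    return stanzas


def to_cyclonedx(stanzas, distro="debian"):
    """Convert installed packages to CycloneDX components.

    Packages whose Status is not 'installed' are skipped. A missing Version
    is kept as None rather than dropped, so check_sbom() can flag it."""
    components = []
    for s in stanzas:
        if not s.get("Status", "").endswith(" installed"):
            continue
        name = s.get("Package")
        version = s.get("Version")
        arch = s.get("Architecture", "")
        comp = {"type": "library", "name": name, "version": version}
        if version:
            # purl for deb packages; epoch colons are percent-encoded (%3A).
            comp["purl"] = (f"pkg:deb/{distro}/{name}@"
                            f"{quote(version, safe='')}?arch={arch}")
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}


def check_sbom(bom):
    """Names of components that lack a version or a purl: these cannot be
    matched against vulnerability advisories and need manual follow-up."""
    return [c["name"] for c in bom["components"]
            if not c.get("version") or not c.get("purl")]


if __name__ == "__main__":
    bom = to_cyclonedx(parse_dpkg_status(STATUS_SAMPLE))
    print(json.dumps(bom, indent=2))
    print("incomplete components:", check_sbom(bom))
```

On a real device, replace `STATUS_SAMPLE` with the contents of `/var/lib/dpkg/status` taken from the final image, not from a build host, so the inventory matches what actually ships. Components reported by `check_sbom` (here the version-less `vendor-blob`) are exactly the ones that cannot be matched against vulnerability advisories later, which is why the check runs before the SBOM is published rather than after.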

How Abinsula helps you comply

Navigating the CRA is complex—especially for teams unfamiliar with cybersecurity-by-design requirements or embedded system security.

Abinsula provides tailored consulting to support your CRA compliance journey:

  • Map regulatory obligations to your existing product portfolio

  • Analyze gaps in development workflows, update mechanisms, and documentation

  • Co-design a step-by-step compliance roadmap, including SBOMs, vulnerability handling, and support planning

Thanks to our expertise in embedded software, secure architectures, and EU regulations, we work alongside your engineering and product teams to ensure your digital products are CRA-ready.

Conclusions

The CRA marks a decisive move from optional best practices to mandatory security obligations for connected products in Europe.

Need guidance on CRA compliance?
Contact Abinsula today for a consultation.