The European Union’s Cyber Resilience Act (CRA) is now in effect, setting higher standards for the security of connected devices. The regulation entered into force in late 2024, beginning a three-year transition period to achieve compliance. After that, any product with digital elements that is not compliant could be banned from sale in the EU market. This means cybersecurity will be a legal requirement for selling devices in Europe. The CRA applies to almost all smart and IoT products, so manufacturers must consider security from the outset and maintain it throughout the product’s life.
Full enforcement of the CRA will not start until late 2027, but some deadlines are coming up sooner. For example, some vulnerability reporting rules begin in late 2026. The main point is that manufacturers should start preparing now. Adding CRA compliance early in your development and operations is much easier than adding security at the last minute.
The timeline below highlights the key dates for device makers to keep in mind:

Meeting the CRA’s obligations can feel overwhelming because they affect many aspects of product development. The first step to compliance is identifying the scope of the product and which category of the CRA it falls under. The category determines the conformity assessment route and sets out clear expectations for the requirements manufacturers will need to meet.
At a high level, the regulation sets out five key requirements for achieving compliance:
- Cybersecurity risk assessment - performing thorough threat modeling and risk analysis as an integral part of the design process, forming risk mitigations that feed into security requirements;
- Secure-by-design - ensuring security features, driven by the risk assessment, are built into the product from day one (e.g., secure boot, encryption, over-the-air updates);
- Vulnerability management - reliably tracking and fixing new and existing vulnerabilities throughout the product lifecycle, and having mechanisms in place to report incidents;
- Continuous compliance - ensuring that vulnerabilities in devices are continuously tracked, patched, and updated throughout the product support period;
- Transparency and user documentation - providing and maintaining up-to-date technical documentation, including instructions for use, Software Bills of Materials (SBOMs), and security documentation, to demonstrate compliance.
If you’re not sure where to begin, Linaro’s new whitepaper, “Preparing for the EU Cyber Resilience Act (CRA)”, can help. It explains the CRA’s main points, such as its requirements, timeline, and scope, and gives practical advice on how to meet them. The whitepaper covers what the CRA requires, why it matters to your business, what you risk if you fall behind, and how to get ready. It also shows how Linaro can help, from product classification and risk assessment to vulnerability management and long-term continuous compliance.
On vulnerability management and continuous compliance, a recent blog post of ours takes a deep dive into how Linaro’s expertise in Software Supply Chain Management can help manufacturers effectively track vulnerabilities in their products’ third-party components and prepare for the CRA.
Time is running out for connected device makers to meet these new rules. If you want to get ahead of the CRA requirements, our CRA self-assessment tool can help you understand your current readiness. Download the full whitepaper for more details, and reach out to us to discuss how Linaro can support your compliance journey.