Cyber Resilience Act (CRA) - FAQs

Frequently Asked Questions

What is the Cyber Resilience Act (CRA)?

The CRA is an EU regulation aimed at ensuring cybersecurity across the entire lifecycle of connected products*. Engineers must ensure products meet baseline security standards, not just during design, but also post-market through updates and monitoring. 

*For example, a simple LED bulb is not concerned, but a smart LED, connected through DALI or Bluetooth, is.  

Impact

The CRA applies to manufacturers, importers, and distributors of connected products with digital elements sold in the EU.  

This includes companies developing embedded systems, IoT devices, consumer electronics, industrial automation systems, and even standalone software—whether EU-based or not.   

Markets like automotive, medical, marine, defense, and aerospace (among others) already operate under their own robust sector-specific regulatory frameworks and, for this reason, are not covered by the CRA.  

Yes. Even if your company is based outside the EU, the CRA applies if you sell or distribute products with digital elements in the EU. This includes both finished products and embedded components.

Yes. The CRA is part of a broader global trend toward mandatory cybersecurity for connected products.  

Regions like the U.S., U.K., Japan, and Australia are proposing or implementing similar frameworks (e.g., the U.S. Cyber Trust Mark or the U.K. Product Security and Telecommunications Infrastructure Act).  

While the exact rules differ, the principles of secure-by-design, vulnerability management, and transparency are becoming international norms.  

Engineering teams should start designing for global compliance now. 

Timeline, verification, and penalties

The Cyber Resilience Act was officially adopted in December 2024 with a grace period of 36 months for most products, and 21 months for vulnerability handling obligations. Starting compliance work early is critical. 

It includes two key compliance deadlines: 

By September 2026, manufacturers must have a vulnerability handling process in place. This includes mechanisms for receiving, assessing, and acting on security reports. 

By December 2027, products placed on the EU market must achieve full compliance, including CE marking and conformity assessment based on product classification. 

Engineering teams should begin aligning their development cycles and supplier relationships now to avoid bottlenecks and ensure a smooth path to compliance. 

Products are classified under the CRA based on product type. This classification determines the level of assessment required before placing a product on the EU market: 

Default Category 

  • Applies to: Most digital products and software that are not explicitly listed as important or critical. 
  • Assessment: Self-assessment by the manufacturer. 

 

Important Products 

  • Applies to: Specific product types with key security functionalities (e.g., VPNs, password managers, network devices). 
  • Assessment: Conformity assessment using harmonized standards or third-party certification. 

 

Critical Products 

  • Applies to: A subset of important products considered essential for cybersecurity (e.g., HSMs, secure elements). 
  • Assessment: Third-party certification, possibly under the EU Cybersecurity Certification Framework. 

 

Note: The exact definitions will be set out in the CRA implementing act, which is due to be voted on in December 2025. 

Important and critical products include hardware and software with core security functions or significant potential impact: 

  • Identity management systems (e.g., biometric readers) 
  • Password managers 
  • VPN software 
  • Software for malware detection/removal 
  • Standalone & embedded web browsers 
  • Network management systems 
  • Security information & event management (SIEM) systems 
  • Boot managers 
  • PKI and digital certificate issuers 
  • Physical & virtual network interfaces 
  • Routers, modems, and network switches 
  • Microcontrollers and microprocessors with security functions 
  • Tamper-resistant microcontrollers/microprocessors 
  • ASICs and FPGAs with security functionalities 
  • Smartcards and secure elements 
  • Hardware security modules (HSMs) 
  • Smart home assistants (general purpose) 
  • Smart home products with security features (e.g., locks, cameras, baby monitors, alarms) 
  • Internet-connected toys with social or location features 
  • Wearables used by children or for health monitoring 
  • Hypervisors and container runtimes 
  • Industrial firewalls and intrusion detection/prevention systems 
  • Smart meter gateways 

 

Note: The exact definitions will be set out in the CRA implementing act, which is due to be voted on in December 2025. 

Penalties can include fines up to €15 million or 2.5% of global turnover, removal of products from the EU market, or recall orders. Non-compliance also increases reputational risk. 

Technical details and compliance

Both. The CRA applies to any product with digital elements that is connected, either physically or logically, to a device or network. This includes: 

  • Connected hardware (e.g., IoT devices, routers, smart home devices) 
  • Embedded systems and firmware 
  • Software platforms and applications 
  • Intermediate components such as microcontrollers (MCUs), microprocessors (MPUs), and software libraries that are integrated into connected products. 

Products that are not connected in any way (directly or indirectly) generally fall outside the scope of the CRA. 

To comply with the Cyber Resilience Act, manufacturers must meet both process requirements and technical requirements (also known as horizontal requirements) designed to ensure security throughout the product lifecycle. 

Technical (Horizontal) Requirements: 

  • No known exploitable vulnerabilities at the time the product is placed on the market 
  • Secure-by-default configuration 
  • Access control mechanisms, including logging of unauthorized access attempts 
  • Confidentiality and integrity protection for data that is stored, transmitted, or processed (e.g., personal data requires both, while program data requires integrity protection only) 
  • Data minimization — only process what’s necessary 
  • Availability protection — resilience against Denial-of-Service (DoS) attacks 
  • Limited attack surface and measures to reduce incident impact 
  • Logging and monitoring of relevant internal activity 
  • Secure data and settings removal mechanisms for users 

 

Process Requirements: 

  • Risk assessment and mitigation before product release 
  • Vulnerability handling procedures (including coordinated disclosure) 
  • Security updates to patch vulnerabilities, which must be: 
      • Automatic when possible 
      • Provided with user opt-out or deferral options 

 

These requirements apply not just at launch, but throughout the product’s support lifecycle — including during development, release, and after-market support. 

If open-source or third-party components are integrated into commercial products with digital elements (PDEs), the manufacturer is responsible for ensuring those components meet CRA requirements. This includes vulnerability tracking and patch management. 

  • Start integrating security-by-design practices, making threat analysis and risk assessment a standard part of the design process.  
  • Perform a vulnerability audit on current products: 
      • Build a Software Bill of Materials (SBOM), a detailed inventory of all software components, libraries, and dependencies used in a product. This helps identify and track potential vulnerabilities by cross-referencing those components with public vulnerability databases like NIST’s National Vulnerability Database (NVD) or MITRE’s CVE list. 
  • Design hardware capable of supporting cybersecurity features 
  • Implement secure update and patch management workflows 
  • Stay updated on the CRA’s standards roadmap to ensure timely access to official guidelines as they are published.  
  • Stay informed on evolving technical standards and risk categorizations 
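The SBOM cross-referencing described in the vulnerability audit step above, as an added example that is not part of the Future Electronics FAQ: a small Python script that loads a constructed CycloneDX-style SBOM, matches each component against a constructed advisory feed (placeholder IDs standing in for the NVD or CVE records a real audit would query), and reports affected components sorted by severity, together with any component whose version is missing and therefore cannot be checked at all. The component names, versions, affected ranges and advisory IDs are all assumptions made for the illustration, not data from any real product or database.

```python
"""Added example: cross-reference an SBOM against a vulnerability feed.

Not code from the Future Electronics FAQ. The SBOM fragment and the advisory
records below are constructed for illustration; advisory IDs are placeholders,
not real CVE identifiers.
"""
import json

# Constructed SBOM fragment in the CycloneDX JSON shape. The "cmsis" entry has
# deliberately no version, to show how an unpinned component is handled.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library",  "name": "mbedtls",    "version": "2.28.3", "purl": "pkg:generic/mbedtls@2.28.3"},
    {"type": "library",  "name": "lwip",       "version": "2.1.3",  "purl": "pkg:generic/lwip@2.1.3"},
    {"type": "library",  "name": "zlib",       "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "firmware", "name": "bootloader", "version": "3.0.0",  "purl": "pkg:generic/bootloader@3.0.0"},
    {"type": "library",  "name": "cmsis",      "purl": "pkg:generic/cmsis"}
  ]
}
"""

# Constructed advisory feed. In a real audit these records come from a
# vulnerability database query (e.g. the NVD API); IDs here are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "mbedtls", "introduced": "2.0.0", "fixed": "2.28.4", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "zlib",    "introduced": "1.2.0", "fixed": "1.2.12", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-0003", "package": "lwip",    "introduced": "2.0.0", "fixed": "2.1.0",  "severity": "MEDIUM"},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(version: str) -> tuple:
    """Turn '2.28.3' into (2, 28, 3); short versions are padded so '1.2' == '1.2.0'.
    Non-numeric suffixes (e.g. 'rc1') are ignored, which is acceptable for a
    first-pass audit but not for ecosystems with their own ordering rules."""
    parts = []
    for segment in version.strip().split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed; a missing 'fixed' means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(advisory.get("introduced", "0")):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Parse a CycloneDX JSON document and return its component list."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return sbom.get("components", [])


def audit_sbom(sbom_json: str, advisories: list) -> dict:
    """Cross-reference every SBOM component against the advisory feed.

    Returns {"findings": [...], "unversioned": [...]}: one finding per
    (component, advisory) match, sorted by severity, plus the names of
    components that carry no version and so cannot be assessed."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"].lower(), []).append(adv)

    findings, unversioned = [], []
    for comp in load_components(sbom_json):
        name = comp.get("name", "")
        version = comp.get("version")
        if not version:
            # An entry without a pinned version cannot be checked; surface it
            # instead of silently counting it as "no known issues".
            unversioned.append(name or "<unnamed>")
            continue
        for adv in by_package.get(name.lower(), []):
            if is_affected(version, adv):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv.get("fixed"),
                })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["component"]))
    return {"findings": findings, "unversioned": unversioned}


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for f in report["findings"]:
        print(f"{f['severity']:8} {f['component']} {f['version']} -> {f['advisory']} (fixed in {f['fixed_in']})")
    for name in report["unversioned"]:
        print(f"UNKNOWN  {name}: no version in SBOM, cannot be assessed")
```

With the constructed data the script flags mbedtls and zlib (both below their fixed versions), leaves lwip alone (already at or above the fix) and reports cmsis as unassessable. In a production pipeline the advisory list would be refreshed from the database on every build so that the SBOM check runs continuously, not only at release.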

Collaborate closely with your distributors to stay up to date on the latest news and evolving guidelines.  

Reach out to your trusted partners at Future Electronics to learn more about how you can stay ready, anticipate, and lead the market.  

For CRA specific inquiries, please send an email: Wireless-EMEA@FutureElectronics.com

Disclaimer: Dates and regulations are constantly evolving. We strive to keep this information as current as possible to bring you the latest updates. This document is intended to provide insights and should not be considered legal advice. It is not a legally binding document.

Last updated: May 28, 2025