Cyber Resilience Act (CRA):
Build, Ship, and Maintain Secure Connected Devices

The EU’s new cybersecurity law takes effect in 2027. Whether you’re a US device maker entering the European market or an EU manufacturer managing an existing portfolio, the CRA changes what it means to ship a connected product. This page walks you through the four phases: from understanding the regulation to maintaining compliance over a 10-year product lifecycle.

Explore the 4 steps of CRA Compliance

Step 1 - Scope, Requirements and Deadlines

The CRA applies to any “Product with Digital Elements” (PDE) placed on the EU market, regardless of where the manufacturer (OEM) is headquartered.
In practice, this means any device with a processor that connects to a network or to another device: everything from a simple sensor to an industrial gateway or a medical monitor.

For US & Global OEMs: Access to the EU market now requires a strategic shift. Unlike the US landscape—which relies largely on voluntary frameworks (e.g. NIST IR 8425, U.S. Cyber Trust Mark)—the CRA is a legally binding regulation. It also introduces mandatory vulnerability handling and post-market obligations, extending beyond initiatives such as Executive Order 14028.

Default (majority of products):
Most products fall into this category and follow a self-assessment conformity process.

Important Products:

  • Class I (includes products such as identity management systems, browsers, and certain network-related components): these may be assessed without an external third party by following a harmonized standard
  • Class II (includes high-impact components such as operating systems, hypervisors, and cryptographic infrastructure): these require an external assessment by an authorized third party

Critical Products:

  • Smart cards, smart meters, HSMs: these require an external assessment following a suitable European cybersecurity certification scheme (e.g. the EUCC)

Essential cybersecurity requirements:

  • Security by Default: Minimal attack surface and no generic default passwords.
  • Access Control: Robust authentication and unauthorized access prevention.
  • Confidentiality: Appropriate encryption for data at rest and in transit.
  • Integrity: Mechanisms such as Secure Boot to prevent unauthorized code execution.
  • Data Minimization: Processing only data necessary for the product’s intended purpose.
  • Vulnerability Handling: Processes to identify, manage, and remediate vulnerabilities throughout the lifecycle.
  • Secure Development & Delivery: Avoidance of known exploitable vulnerabilities at release.
  • SBOM: Ability to provide a Software Bill of Materials (machine-readable where applicable).
  • Updates: Capability to deliver security updates in a secure and reliable manner.
  • Secure Decommissioning: Ability to securely erase or protect user data at end-of-life.
  • Incident Reporting: Notification of actively exploited vulnerabilities and incidents to competent authorities within required timelines (e.g. initial notification within 24h).
  • Availability & Resilience: Protection of the availability of essential and basic functions, also after an incident, including resilience and mitigation measures against denial-of-service attacks.
  • Network Protection: Minimising the negative impact of the products themselves, or of connected devices, on the availability of services provided by other devices or networks.
  • Attack Surface Limitation: Design, development and production that limit attack surfaces, including external interfaces.
  • Security Monitoring: Provision of security-related information by recording and monitoring relevant internal activity, including access to or modification of data, services or functions, with an opt-out mechanism for the user.

Full enforcement is expected by December 2027; the earlier obligations regarding incident and vulnerability reporting apply from September 2026.

Many manufacturers are currently focused on the Radio Equipment Directive (RED) Article 3.3 (mandatory in 2025). While RED focuses on wireless interfaces, the CRA extends similar security principles to all products with digital elements. Note that from December 2027, the CRA will replace the cybersecurity requirements of the RED (the RED Delegated Act).

Meeting RED requirements is a strong starting point, but the CRA introduces broader and stricter obligations, particularly in areas such as vulnerability management, lifecycle security, and software transparency (e.g. SBOM).

The CRA Explained in 2 Minutes!

Step 2 - Strategy & Risk Assessment

The CRA mandates a documented Cybersecurity Risk Assessment. At Witekio, we turn this legal requirement into a three-step engineering roadmap where we prioritize a pragmatic approach to help you reach compliance without stalling your R&D.


Attack Path Mapping

We identify realistic entry points (physical ports, wireless, boot process) based on your hardware’s actual attack surface.

Countermeasure Impact

Our experts assess how security mechanisms (encryption, isolation) effectively block those paths and impact your system performance.

Defined Security Objectives

We define clear security objectives for both the product (hardened features) and its operational environment (manufacturing, deployment, and updates).

The Cyber Resilience Act – Avoid Penalties and Enhance Security

An in-depth technical deep dive co-hosted with EBV Elektronik. This session explores the intersection of software and hardware compliance, offering practical strategies for SBOM generation and automated CVE scanning. It also features a hardware vendor shootout (NXP, ST, Infineon, etc.) to help you select the right components to meet CRA security standards.

Step 3 - Security by Design


Architecture & Core Security

The CRA requires products to include Secure Boot, Trusted Execution Environments (TEE), and hardware-backed key storage. We help you go further to harden critical components, integrate automated security checks, and enforce strong cryptography from the very first design, so your architecture is secure by default.

Validation & SBOM

Compliance with the CRA means providing a Software Bill of Materials for all relevant components. To make this practical and reliable, we recommend automating SBOM generation within your CI/CD pipeline, running continuous security validations, and pre-checking for known vulnerabilities before each release. This ensures that what you ship is both compliant and resilient.

Long-Term Support & OTA

The CRA mandates that products include a mechanism to securely deliver updates throughout their lifecycle. Our approach goes beyond mere compliance: we implement robust OTA pipelines with package signing and anti-rollback protections, automate patch deployment, and continuously monitor vulnerabilities, so your devices remain safe and compliant long after they leave the factory.
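The two update properties named above, package signing and anti-rollback protection, come down to an ordering discipline on the device: authenticate the update manifest before trusting any field in it, bind the payload to that authenticated manifest, and refuse anything whose monotonic security version is not strictly newer than what is installed. The following is an added illustration written for this page, not Witekio's OTA implementation. It assumes a JSON manifest format, a `security_version` counter and a `hardware_id` field that are hypothetical, and it uses an HMAC over the canonical manifest as a stand-in for the asymmetric signature a real pipeline would use (so that the example runs with the Python standard library only). The same verify-then-use pattern is what a Secure Boot stage applies to the next image in the chain.

```python
import hashlib
import hmac
import json

# Constructed demo secret standing in for the manufacturer's signing key.
# A real OTA pipeline uses an asymmetric signature (Ed25519/RSA) so devices
# hold only a public key; HMAC keeps this example stdlib-only.
SIGNING_KEY = b"constructed-demo-signing-key"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict) -> str:
    return hmac.new(SIGNING_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(hardware_id: str, version: str, security_version: int, payload: bytes) -> dict:
    """What the build server publishes: manifest + signature + firmware payload."""
    manifest = {
        "hardware_id": hardware_id,            # hypothetical field: target board
        "version": version,
        "security_version": security_version,  # hypothetical monotonic anti-rollback counter
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest), "payload": payload}


class Device:
    """Minimal model of the device-side update agent."""

    def __init__(self, hardware_id: str, version: str, security_version: int):
        self.hardware_id = hardware_id
        self.version = version
        # On real hardware this counter lives in OTP fuses or RPMB so it cannot be wound back.
        self.security_version = security_version

    def verify_and_install(self, update: dict):
        manifest = update["manifest"]
        # 1. Authenticate the manifest before trusting anything it says.
        if not hmac.compare_digest(sign_manifest(manifest), update["signature"]):
            return False, "bad signature"
        # 2. Bind the payload to the authenticated manifest.
        if hashlib.sha256(update["payload"]).hexdigest() != manifest["payload_sha256"]:
            return False, "payload digest mismatch"
        # 3. Only accept images built for this hardware.
        if manifest["hardware_id"] != self.hardware_id:
            return False, "wrong hardware"
        # 4. Anti-rollback: a validly signed but older (or replayed) image is still refused.
        if manifest["security_version"] <= self.security_version:
            return False, "rollback rejected"
        # Commit only after every check has passed.
        self.version = manifest["version"]
        self.security_version = manifest["security_version"]
        return True, "installed"


if __name__ == "__main__":
    dev = Device("gw-200", "1.0.0", 1)
    print(dev.verify_and_install(build_update("gw-200", "1.1.0", 2, b"firmware-v2")))
    print(dev.verify_and_install(build_update("gw-200", "1.0.0", 1, b"firmware-v1")))
```

Note that the rollback check is deliberately last: a replayed old package is a legitimately signed artifact, so the signature alone cannot distinguish it, and the counter must be advanced only after the new image has been fully validated and committed.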

Step 4 - Long-Term Maintenance & CVE Management

The CRA requires manufacturers to provide security support for the full expected lifetime of their products, often several years after market launch. We offer you the infrastructure to meet these requirements.


Continuous monitoring

Your SBOM is scanned 24/7 against live vulnerability databases using our CVE Scanner, so you maintain visibility of newly disclosed vulnerabilities affecting your software stack.

Hardware-specific triage

Not all vulnerabilities apply to your product. Our engineers assess each issue in the context of your specific configuration (kernel, hardware, usage) to focus only on relevant threats.
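The pre-release vulnerability check described under "Validation & SBOM" in Step 3 and the continuous scanning plus hardware-specific triage described here in Step 4 share one core: match each SBOM component against an advisory feed, then let a documented triage decision override matches that do not apply to this product's build. The example below is added for this page and is not Witekio's CVE Scanner. It assumes a minimal CycloneDX-style SBOM subset, an OSV-like advisory shape with half-open version ranges, and OpenVEX-style `status`/`justification` values; all component names and advisory ids are constructed placeholders, not real packages or CVEs. The gate returns a decision a CI job can act on rather than only printing findings.

```python
import json

# Constructed CycloneDX-style SBOM (minimal subset of fields); component names are fictitious.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.4.2", "purl": "pkg:generic/libexample-tls@1.4.2"},
    {"type": "library", "name": "example-httpd",  "version": "2.0.1", "purl": "pkg:generic/example-httpd@2.0.1"},
    {"type": "library", "name": "example-json",   "version": "0.9.0", "purl": "pkg:generic/example-json@0.9.0"}
  ]
}
"""

# Constructed advisory feed in an OSV-like shape. Ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "package": "libexample-tls", "introduced": "1.4.0", "fixed": "1.4.3"},
    {"id": "ADV-0002", "package": "example-httpd",  "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "ADV-0003", "package": "example-json",   "introduced": "0.8.0", "fixed": "0.9.1"},
]

# Constructed triage decisions; status/justification vocabulary follows OpenVEX.
VEX = [
    {"vuln": "ADV-0003", "purl": "pkg:generic/example-json@0.9.0",
     "status": "not_affected", "justification": "vulnerable_code_not_present",
     "detail": "the affected parser mode is compiled out in this product's build configuration"},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; real scanners need ecosystem-specific comparison rules."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """OSV-style half-open range: introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan_sbom(sbom: dict, advisories: list) -> list:
    """Match every SBOM component against the advisory feed; returns raw findings."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"vuln": adv["id"], "purl": comp["purl"], "status": "affected"})
    return findings


def apply_triage(findings: list, vex: list) -> list:
    """Hardware/config-specific triage: a VEX statement for (vuln, purl) overrides the raw match."""
    by_key = {(s["vuln"], s["purl"]): s for s in vex}
    for f in findings:
        stmt = by_key.get((f["vuln"], f["purl"]))
        if stmt:
            f["status"] = stmt["status"]
            f["justification"] = stmt["justification"]
    return findings


def release_gate(sbom_json: str, advisories: list, vex: list) -> dict:
    """CI gate: the release stays blocked while any finding is still 'affected'."""
    findings = apply_triage(scan_sbom(json.loads(sbom_json), advisories), vex)
    blocking = sorted(f["vuln"] for f in findings if f["status"] == "affected")
    triaged = sorted(f["vuln"] for f in findings if f["status"] != "affected")
    return {"allowed": not blocking, "blocking": blocking, "triaged": triaged}


if __name__ == "__main__":
    print(json.dumps(release_gate(SBOM_JSON, ADVISORIES, VEX), indent=2))
```

Keeping the triage decisions as data (here the `VEX` list) rather than as ad-hoc scanner exclusions matters for the CRA's documentation duties: each "not affected" carries a justification that can be shown to an auditor, and rerunning the same gate when the advisory feed changes re-evaluates every component without losing earlier decisions.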

Patch delivery

When remediation is required, we develop, test, and deliver appropriate fixes. Our Long-Term Support programs are designed to help maintain security and compliance throughout the operational life of your product.

Not sure where to start?

If you’re early in the process, an orientation call is the fastest way to understand what applies to your product and what doesn’t.

We transform your device vision into reality

We support your teams in designing, building, and running innovative products, from embedded software to application development.
4 countries

ISO 27001 certified

Fortune 500 owned

Get in touch