Exclusive Cyber Resilience Act Seminar Series

Check out the dates for our exclusive seminars and register for your preferred date to secure one of the limited spots.

Cyber Resilience Act

The Cyber Resilience Act of the European Union

The Cyber Resilience Act (CRA) is a European regulation that establishes minimum cybersecurity requirements for products containing digital components. The aim is to ensure the security of these products throughout their entire lifecycle and thereby better protect consumers and businesses from cyberattacks. The CRA took effect in December 2024 and will apply starting in December 2027. The reporting requirement begins in September 2026. 

The scope of application is the European Economic Area (EEA), which includes all EU member states and the three member states of the European Free Trade Association (EFTA): Iceland, Liechtenstein, and Norway. 

The regulation applies to all products sold in the EEA that contain digital elements. This includes electronic components and parts, as well as software and hardware with interfaces. Excluded are product categories such as medical devices, in vitro diagnostic medical devices, motor vehicles, and aeronautical products, which are governed by their own regulations.

Featured Products

ARK-3534

Intel® Core™ 12th/13th/14th Gen i3/i5/i7/i9 LGA1700 Expansion Fanless Box PC

Support Intel® Core™ 12th/13th/14th Gen i3/i5/i7/i9 processor

Triple independent display: HDMI + HDMI + Optional Display

DDR5 SO-DIMM ECC/non-ECC memory support up to 64 GB

9-36VDC wide range power input

Up to 3 sets of 2.5" hard drive bays, support Intel® SW RAID

Support up to 4GbE, 8USB, 8COM, 16bit DIO, 2CANBus, TPM2.0

SUSI API, WISE-DeviceOn, McAfee and Acronis bundled

Support Windows 11 IoT Enterprise LTSC

IEC 62443-4-2 Certified (Security Level 2), supporting compliance readiness for the EU Cyber Resilience Act

ARK-1222

Intel N97 and x7433RE Quad Core SoC with dual HDMI, dual LAN, four COM DIN-Rail Fanless Box PC

Intel N97 and x7433RE Quad Core SoC

DIN-Rail system with essential I/O ports on front-side bezel

Dual independent 4K HDMI

2 x Intel i226-IT and 4 x RS-232/422/485

2 x USB 3.2 and 2 x USB 2.0

8-bit Programmable GPIO

Optional iDoor supported

RSB-3810

MediaTek Genio 1200 Cortex A78 & A55 2.5" SBC with UIO40-Express

MediaTek Genio 1200 4 cores A78 & 4 cores A55

Onboard LPDDR4 8GB, 4000MT/s memory

HDMI 4k60fps, 1 x Dual Channel 24 bit LVDS

1 x 4-wire RS-232/422/485, 2 x USB3.2 Gen1 By 1, 2 x USB2.0, 1 x Micro SD, 1 x Mic. in / Line out

1 x M.2 3052 Key B for 5G, 1 x M.2 2230 Key E Slot for WiFi/BT

Support I/O Expansions by UIO40-Express I/O boards

Support Ubuntu and Android

IEC 62443-4-2 Certified (Security Level 2), supporting compliance readiness for the EU Cyber Resilience Act

STM 550x - Secure. Self-powered. Ready for smart buildings. 
STM 550x is a batteryless multisensor module for IoT and building automation applications. Powered by an integrated solar cell, it measures temperature, humidity, light level, acceleration, and magnet contact status. Data is transmitted via EnOcean radio—periodically and instantly on events like acceleration or contact status changes. 

To meet CRA requirements, EnOcean defines the risk context, performs targeted risk assessments, and implements essential safeguards plus continuous vulnerability handling. 

Typical risks include data interception, telegram spoofing, replay attacks, or unauthorized local access. As a sensor component of CRA-covered systems, STM 550x provides the following built-in security measures to mitigate these risks: 

  • AES-128 encryption with CMAC authentication
  • Device-unique, randomly generated keys
  • Replay protection via 32-bit sequence counter  

An NFC-based interface with hardware access protection ensures secure commissioning. Combined with EnOcean integration guidance, STM 550x enables reliable and secure deployment in its target applications.

Trusted wireless connectivity for smart systems. 
The TCM 615 is an EnOcean radio transceiver module enabling secure connectivity for building automation devices such as actuators, controllers, and gateways. Designed for always-on, line-powered applications, it features a secure execution environment and supports secure firmware updates. 

In line with CRA requirements, EnOcean defines the risk context, performs targeted assessments, and implements essential safeguards with continuous vulnerability handling. 

Typical risks include unauthorized telegram injection, eavesdropping, replay attacks, or firmware and interface compromise. As a connectivity component of CRA-covered systems, the TCM 615 is designed with built-in security in mind and mitigates these risks through proven security features: 

  • AES-128 encryption with CMAC authentication
  • Replay protection via 32-bit sequence counter
  • Rejection of unauthenticated messages
  • Secure boot and execution with hardware-based Root of Trust
  • Secure firmware update capability  

These capabilities ensure robust protection and enable secure use in demanding applications such as IP-connected gateways. 

Secure IoT data flows for smarter buildings with SmartStudio 

SmartStudio is a secure, cloud-based IoT platform (SaaS) for commercial buildings. It connects devices, collects and processes data, and visualizes insights for indoor climate and energy use. It also enables workflow automation and integration with IP-based IT and BMS systems. 

Devices communicate via EnOcean Protocol or EnOcean BLE through gateways. SmartStudio provides secure WAN interfaces, including REST APIs, webhooks, and MQTT—all protected by TLS. The platform is fully multi-tenant. 

In line with CRA requirements, EnOcean defines the risk context, performs assessments, and applies essential safeguards with continuous vulnerability management. 

Security is built in. SmartStudio mitigates key risks with strong protection mechanisms: 

  • Authentication and tenant-based access control
  • Secure communication and data isolation
  • Protected key and secret management with rotation
  • Hardened interfaces with validation and rate limiting  

Data is secured at rest with backup and recovery. Monitoring and logging support operations, while resilience and availability controls ensure reliable service. Continuous updates and advanced scanning keep the platform secure throughout its lifecycle. 

OPTIGA™ TPM SLB 9673

OPTIGA™ TPM for platform integrity and attestation. Secured by design with TCG 2.0-compliant TPM; measured boot with PCRs; remote attestation. Strong key storage and crypto operations offload. Device identity anchored in hardware root-of-trust. Support for secured communication (TLS). Anchor SBOM integrity via sealed hash. 

PSOC™ Control C3 Main Line

PSOC™ Control C3 is the world’s first CC certification for a security controller with a secured PQC implementation. The PSOC Control C3 Performance Line is the first Infineon MCU with accelerated PQC options. The PSOC™ Control C3 meets "Important Class I" CRA conformance and offers protected Root of Trust, authenticated OTA updates, isolated key storage, and secured lifecycle management/provisioning/PSIRT.

SEMPER™ Secure NOR flash

SEMPER™ Secure is the world's most-secure NOR Flash, offering robust security with hardware root-of-trust, end-to-end protection, and flexible architecture. SEMPER Secure is the first NOR Flash to combine safety with security, offering advanced functional safety and reliability, ISO 26262 ASIL-B compliance (ASIL-D ready), and real-time safety diagnostics. SEMPER Secure is also PSA Level 1 certified.

Intel Core Ultra Series 3 processors introduce a security-first architecture designed to meet evolving regulatory requirements, including the EU Cyber Resilience Act (CRA). The platform integrates hardware-based security features such as Intel Trust Domain Extensions (TDX), hardware root of trust, and secure boot mechanisms, enabling stronger isolation of sensitive workloads and protection against firmware and OS-level attacks. Additionally, built-in AI acceleration (NPU) supports real-time threat detection and behavioral analysis without exposing sensitive data externally.

From a CRA perspective, the platform enhances device-level resilience through measurable security capabilities, continuous update support, and enhanced platform integrity verification. Intel’s supply chain transparency and firmware resilience technologies help address CRA requirements for vulnerability management, secure design, and lifecycle support. Overall, Intel Core Ultra Series 3 aligns with CRA principles by combining advanced silicon-level protections with system-level security features, supporting compliant, secure-by-design computing environments for modern enterprise and edge deployments.

The Cyber Resilience Act (CRA) introduces new requirements for connected products in the European market, including the ability to deliver secure software updates, manage vulnerabilities, and maintain devices throughout their lifecycle.

Nordic Semiconductor simplifies compliance by combining low-power wireless hardware with nRF Cloud into a complete device lifecycle solution. From secure onboarding to long-term maintenance and updates, developers can build products that are secure by design and continuously compliant, without developing and operating complex cloud infrastructure.

nRF Cloud enables scalable Firmware Over-the-Air (FOTA) updates to keep devices secure in the field, along with cloud-based monitoring, diagnostics, and lifecycle management to maintain operational visibility and respond quickly to issues across the full product lifetime.

Key benefits include:

  • Reliable, scalable FOTA for lifecycle security updates
  • End-to-end lifecycle solution: onboarding, monitoring, maintenance, and updates
  • Cloud-based device management and monitoring
  • Faster time to market with pre-integrated services
  • Flexible integration (device-to-cloud or cloud-to-cloud)
  • EU-ready architectures with customer-controlled data routing

Accelerate your path to CRA readiness with Nordic’s integrated chip-to-cloud approach.

SECO's Cyber Security Package helps OEMs accelerate CRA readiness without building the full security stack on their own. Designed for connected industrial and embedded devices, it is built on a hardened Yocto-based Linux Distro, Clea OS, that ensures full compliance with RED DA 18031-1 and IEC 62443. It features secure boot, encrypted and signed A/B OS updates, failover and rollback, automated certificate rotation, SBOM management, CVE monitoring and patching, runtime threat detection, and audit-oriented security logging. Beyond the device foundation, Clea extends the operating model with secure device-to-cloud connectivity, structured data flows, remote device management, update orchestration, application deployment, and long-term fleet monitoring. This gives engineering, operations, and compliance teams a complete suite to ensure security across the whole lifecycle of a product. The result is a compliance-oriented offer that reduces certification effort, lowers redesign risk, and helps teams protect market access while keeping flexibility across x86, Arm, SECO hardware, and qualified third-party platforms.

Rutronik Offers Comprehensive Services

Rutronik brings together the relevant expertise in an interdisciplinary team. Lawyers, engineers, process specialists, and other experts are available to assist you with all questions and issues related to the Cyber Resilience Act. We cover the entire development process: Even before preparing a quote, we will check databases for security reports and provide you with security-related information throughout the entire product lifecycle.

Contact: cyberresilienceact@rutronik.com
 

Product Security Incident Response Team

You can report any vulnerabilities in products from our retail and imported goods from third-party manufacturers, as well as from Rutronik System Solutions, at any time to psirt@rutronik.com. Please include the affected Rutronik part number and your customer number, as well as a description of how the vulnerability can be reproduced. Rutronik will forward every validated security report to the affected manufacturers, to ENISA (European Network and Information Security Agency), and to the CIRTs (Cyber Incident Response Teams) of EU countries.

We are currently developing a solution to streamline this process via a form. This will increase the transparency of incidents and reduce errors when cross-referencing different databases (e.g., due to typos).
 

Our Service – Your Benefit

Customers who have purchased CRA-relevant products from Rutronik will automatically be notified of available security updates, patches, or workarounds in the future. Our existing customers are already familiar with this through PCN (Product Change Notifications) and EOL (End of Life) notifications. This service now also extends to cybersecurity-related notifications. Simply log in to our customer portal at www.rutronik24.com to view them.
 

Automatic Security Checks Even Before You Place an Order

Are you interested in a product and would like a quote? Even before preparing a quote, Rutronik runs a database search for known security alerts. Another search is conducted before every shipment. 

If a security alert is found, we will contact you to discuss the matter.

This gives you the assurance that products purchased from us are free of security flaws. Furthermore, we will inform you immediately of any cyber threats that arise in the future.

FAQs

Scope of the CRA

The CRA applies to all products with digital elements that are placed on the EU market, including both hardware and software. However, certain categories such as medical devices are explicitly excluded if they are already governed by other sector-specific regulations like IEC 81001-5-1. Embedded systems are included if they have interfaces that could be manipulated externally.

The CRA applies to all products sold on or after the enforcement date (December 12, 2027). Products already in use before this date are not retroactively affected unless they are significantly modified. Devices without internet connectivity may still fall under the CRA if they have any interface (e.g., USB) that could be exploited.

Prototypes that are not placed on the market are not subject to CRA requirements. However, once a prototype evolves into a marketable product, full CRA compliance is required. There are no exemptions for small or medium-sized enterprises (SMEs) or low-volume production runs.

Manufacturers who integrate components and place the final product on the market are considered the responsible party under the CRA. They must ensure full compliance, including documentation, risk assessment, and incident management—even if the components themselves are pre-certified.

Definitions & Terminology

“Digital elements” refer to components or systems that include a microcontroller or similar digital logic and have an interface to the outside world. This includes even simple devices if they can be manipulated externally.

A product is considered connected if it has any interface that allows external communication or manipulation—regardless of whether it uses the internet, a VPN tunnel, USB, or other physical or wireless connections. What matters is the technical possibility of access, not the type of connection. If a product has an interface and/or connection, it can be networked. It is not important whether a customer uses this interface and/or connection.

Yes. If a device has a microcontroller and any form of external interface, it may be subject to CRA requirements—even if it does not connect to the internet.

Technical Requirements & Components

Yes. All components that contribute to the digital functionality of a product must be considered in the CRA compliance process. Even if components are pre-certified, the final product must be assessed as a whole.

If such systems have external interfaces that could be exploited, they fall under the CRA. A risk assessment must be conducted to evaluate potential vulnerabilities based on the system architecture and use cases.

The CRA requires that products be updatable for at least five years. Manufacturers should incorporate sufficient memory for future updates, especially for security patches. This may influence hardware design decisions such as selecting microcontrollers with adequate storage.

Incident Reporting & Processes

Incidents must be reported within 24 hours of detection. There are no exceptions for weekends or holidays. While the CRA does not specify exact timelines for resolving vulnerabilities, it requires that they be addressed “as soon as possible” and that appropriate processes be in place to manage them.

All customer-reported vulnerabilities must be evaluated and, if confirmed, reported within the 24-hour window. The CRA expects manufacturers to have internal processes for triaging, documenting, and responding to such reports.

Under the CRA, the primary reporting authority for product-related incidents in Germany is the BSI (Federal Office for Information Security). The details of responsibility may still change. The LKA (State Criminal Police Office) may still be involved in criminal investigations, but CRA compliance is managed through the BSI.
In other countries, different organizations are responsible.

Risk Assessment & Tools

Yes. A risk assessment must be conducted for every product with digital elements. Even if a product does not have internet connectivity, it must be evaluated for potential vulnerabilities through other interfaces such as USB or serial ports.

Risk assessments can be performed using tools ranging from Excel spreadsheets to specialized software like Ansys Medini. Methodologies such as TARA (Threat Analysis and Risk Assessment) are also often recommended. The choice of tool depends on the complexity of the product and the organization’s internal capabilities.

Standards, Regulations & Certifications

These standards are not mandatory under the CRA but are highly relevant. IEC 62443 is particularly important for industrial and automation systems. ISO 21434 applies to the automotive sector. While not officially harmonized with the CRA yet, they provide valuable guidance and are expected to align closely in the future.

EN18031 and RED-DA apply to radio interfaces and require specific documentation and testing. CRA requirements are layered on top of these, meaning that products with radio interfaces must comply with both sets of regulations in order to obtain CE certification.

In many cases, yes. For non-critical products, a self-assessment and declaration of conformity may be sufficient. However, for high-risk or critical products, additional certification or third-party evaluation may be required.

Open Source & Firmware Maintenance

If open-source software is integrated into a commercial product, the manufacturer is responsible for ensuring that it complies with CRA requirements. This includes maintaining the software and addressing vulnerabilities throughout the product lifecycle and for five years after the last day of sale.

Manufacturers must provide security updates for at least five years after the last day of sale of the product. This includes ensuring that the update process is secure, authenticated, and accessible—ideally through remote update mechanisms.

Legacy Products & Market Placement

Yes, if those products are placed on the market after December 12, 2027. The date of sale—not the date of manufacture—determines CRA applicability. Products in storage must be CRA-compliant if sold after the enforcement date.

They may no longer be legally placed on the market. A new Declaration of Conformity must be issued in accordance with CRA requirements for continued distribution.

If a product undergoes a major change—such as the addition of a new control unit or connectivity feature—it must be reassessed for CRA compliance. Even replacement parts may trigger CRA obligations if they introduce new digital functionality.

Implementation & Support

Yes. Various commercial tools and consulting services are available to support CRA implementation, including risk assessment platforms, compliance management systems, and automated documentation tools.

A self-assessment includes identifying digital elements, evaluating risks, documenting security measures, and preparing a Declaration of Conformity. It is similar in structure to ISO 9001 internal audits but focused on product cybersecurity.

SIL (Safety Integrity Level) certification addresses functional safety, not cybersecurity. CRA compliance must be evaluated separately, especially for digital interfaces and update mechanisms.

It depends on the risk profile and system architecture. A hardened MCU with an integrated secure element may be sufficient, but for high-security applications, an external secure element can provide additional protection for critical assets like credentials.

On-demand content

Yes, the webinar presentations can be downloaded here


Discover our Webinars

Cyber Resilience Act: What Every Electronic Device Manufacturer Must Know to sell products in the EU after November 2027

The Cyber Resilience Act is a groundbreaking regulation to improve the cybersecurity of digital products and services in the EU. It introduces strict requirements for manufacturers and service providers around the world to ensure that their products are inherently secure and resilient to cyber threats when they are launched in the European Union. Fines of up to several million euros make it worthwhile to invest time in learning the details. Therefore, we offer this free webinar with relevant top-level speakers at three different times to address customers from all around the world.

The agenda in brief

Stefan Würth from TÜV Süd will provide an overview of the certifications required under the Cyber Resilience Act and the penalties for non-compliance.
Sergejs Rogovs, Chief Engineer Cyber Security at 1acue, will explain new legislation in European industry, including the Machinery Directive, Cybersecurity Directive IEC 62443, Cyber Resilience Act, Network and Information Security Directive (NIS-2), and ETSI/RED.
Preeti Khemani, Senior Director at Infineon, and Dr. Detlef Houdeau, Cyber Security Expert at Infineon, will present how Infineon, as a leading European semiconductor supplier, is supporting its customers to comply with the Cyber Resilience Act.

Join our joint webinar with Infineon, 1acue, and TÜV Süd.

Session in English
Session in German

Get Support

Questions? We have answers!
Submit your request via our contact form or browse the FAQs in our Rutronik24 Shop for quick solutions.
We're happy to assist you.