Digi International Inc.

09/08/2025 | Press release | Distributed by Public on 09/09/2025 10:05

The EU Cyber Resilience Act: What It Is and How to Prepare

Miguel Perez, OEM Product Manager, Digi International
September 08, 2025
It's a common developer scenario. You're about to launch your latest IoT product when you learn that you must adhere to new cybersecurity guidelines or regulations that were not taken into account during the development process. Perhaps you learn that you cannot sell into a planned market, like the European Union (EU). With the Cyber Resilience Act (CRA), this is a very real possibility.

A sweeping new regulation for cybersecurity, the CRA applies to virtually all connected devices - and any device with the capability to connect directly or indirectly to another device or network - that is to be sold or distributed in the EU.

Officially adopted at the end of 2024, the CRA enforcement deadlines are rapidly approaching. In this blog post, we explain what manufacturers, OEMs (Original Equipment Manufacturers) and distributors need to know about the CRA and how to begin laying the groundwork for compliance.

  • What Is the Cyber Resilience Act (CRA)?
  • Who Is Affected by the Cyber Resilience Act?
  • What Are the Key CRA Requirements?
  • When Does the Cyber Resilience Act Go Into Effect?
  • How Digi Can Support CRA Compliance
  • Next Steps: Getting Ready for the EU Cyber Resilience Act

What Is the Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act is a regulatory framework aimed at strengthening cybersecurity across digital products. Unlike earlier regulations focused on data protection, the CRA addresses the security of products themselves. It requires protections to be built in from the design phase and maintained through post-market support.

What does the Cyber Resilience Act legislation cover? The CRA applies to nearly any product with digital elements. To be sold or distributed in the EU, covered products must comply with the CRA and carry a CE marking to demonstrate conformity.

At its core, the CRA benefits consumers and businesses by establishing a baseline for cybersecurity practices that protects them from rising IoT security risks. In addition, it supports a more transparent digital ecosystem within the European market.

Who Is Affected by the Cyber Resilience Act?

The CRA has an exceptionally broad scope, impacting any organization that develops, manufactures, imports or distributes products with digital elements for the EU market. It is not limited to companies based in Europe. Any business placing a qualifying product on the EU market must comply, regardless of the location of its manufacturing facilities.

The regulation establishes a shared responsibility model, with defined obligations for stakeholders across the product lifecycle. This has far-reaching implications for the digital supply chain.

Industries and Roles Impacted by the CRA

While manufacturers have the most extensive obligations, the CRA impacts a wide range of companies, including:

  • Hardware suppliers providing components with digital elements
  • Software vendors whose applications have connectivity features
  • System integrators combining third-party components into complete solutions
  • Importers or distributors of connected products

To meet the CRA requirements, purchasing managers, product managers, security professionals and technical decision-makers must work together to ensure compliance.

Products Impacted by the CRA

CRA products span virtually every market segment, including:

  • Industrial controllers, gateways and sensor networks
  • Connected infrastructure for energy, transportation and public services
  • Retail point-of-sale systems (POS), interactive kiosks and remote-learning equipment

In short, if a product includes digital elements and connects - either directly or indirectly - to other devices or networks, it likely falls under the CRA unless specifically exempted by other cybersecurity regulations.

What Are the Key CRA Requirements?

Under the CRA guidelines, manufacturers and vendors are expected to adopt a stance of continuous accountability. They must begin by following "secure-by-design" best practices and then maintain vigilance against emerging vulnerabilities.

These requirements extend far beyond a traditional one-time certification at the point of sale; for example, they create ongoing obligations to keep end users and regulators well informed throughout the product lifecycle.

Secure-By-Design Principles

The CRA pushes manufacturers to consider cybersecurity from the earliest stages of development. Devices must undergo a formal cybersecurity risk assessment and incorporate appropriate protections. This entails, among other measures:

  • Ensuring that products ship without any known exploitable vulnerabilities
  • Using secure default configurations out of the box
  • Implementing authentication systems to prevent unauthorized access
  • Protecting data confidentiality through state-of-the-art encryption mechanisms
  • Minimizing attack surfaces by reducing unnecessary interfaces and exposure

For many manufacturers, compliance with CRA guidelines will require fundamental changes to design workflows. The regulation affects not only device architecture but also firmware development and product documentation.

Ongoing Risk Monitoring and Updates

Security is not a one-time obligation. Under the CRA, manufacturers must monitor new threats throughout the product's support period. When a security issue is identified, security updates must be delivered without delay.

These updates must be free of charge and easy for users to apply. They must also be distributed securely, so that vulnerabilities are fixed or mitigated promptly and, where applicable, automatically.

These requirements necessitate services like Digi ConnectCore® Cloud Services that ensure secure edge-to-cloud communications supporting Transport Layer Security (TLS), certificate-based authentication and encryption. Vulnerabilities can be addressed by leveraging the secure software update feature included in our cloud services to securely and reliably deploy such patches and fixes remotely over-the-air (OTA). Additionally, with the templates functionality, OEM device fleets can be automatically scanned, updated and maintained in compliance with the established configuration. By leveraging templates, OEM customers can save time, reduce errors, minimize effort, and manage scale when configuration updates are needed, as well as ensure consistency and standardization across all devices deployed in the field.

Learn how Digi ConnectCore Cloud Services simplifies security compliance for large fleets of IoT devices.

Mandatory Incident Reporting

If a vulnerability is actively exploited or a significant security incident occurs, the CRA requires manufacturers to notify both the European Union Agency for Cybersecurity (ENISA) and a designated Computer Security Incident Response Team (CSIRT). Initial alerts must be submitted within 24 hours, with follow-up required by the 72-hour, 14-day and 30-day marks, as set out in Article 14, "Reporting obligations of manufacturers".

These strict deadlines place a premium on rapid detection and response. Failure to comply can result in significant consequences, including fines of up to €15 million or 2.5% of global annual turnover.

Product Documentation and Compliance

To demonstrate CRA compliance, manufacturers must maintain documentation that outlines how their products meet regulatory requirements, at least for the duration of the support period. This includes, among other items, a copy of the EU declaration of conformity, technical files, conformity assessments and the software bill of materials (SBOM).

This level of documentation represents one of the more resource-intensive aspects of CRA readiness - especially for companies managing large fleets of connected devices. Keeping records up to date across product lines, tracking firmware changes and ensuring traceability of security measures will require strong internal processes and services like Digi ConnectCore Security Services that can help automate compliance documentation.

When Does the Cyber Resilience Act Go into Effect?

Despite common misconceptions that the CRA is a distant concern, key obligations are approaching rapidly.

Importantly, the CRA applies not only to new designs but also to product refreshes. Any significant update made to an existing product after December 2027 is likely to trigger compliance requirements.

Article 69, "Transitional provisions", adds an exception: the obligations set out in Article 14, "Reporting obligations of manufacturers", also apply to products falling within the scope of the regulation that were placed on the market before December 2027.

Given the depth of the technical and organizational changes involved, manufacturers, OEMs and systems integrators should begin preparing now.

Watch our webinar to learn more about how to meet the CRA compliance deadlines.

How Digi Can Support CRA Compliance

Meeting the comprehensive requirements of the CRA requires a holistic approach to embedded security. Digi stands ready to assist, with integrated Digi ConnectCore Embedded Solutions that support secure product development, remote lifecycle management, vulnerability reporting and documentation.

More than just a solution provider, Digi aims to be a long-term partner for secure product innovation in the EU market. We have been tracking the CRA since its earliest drafts and are committed to helping our customers meet evolving compliance needs.

We work with each customer to develop a tailored service package aligned with their specific objectives.

Built-in Security with Digi TrustFence

Digi TrustFence® is a foundational security framework integrated into Digi's hardware platforms. It enables manufacturers to apply secure-by-design principles, helping meet the CRA requirements from day one. TrustFence includes features such as secure boot, identity management, encrypted storage and secure firmware updates - creating a strong basis for lifelong resilience.

These built-in protections reduce the risk of costly redesigns that might otherwise result from discovering vulnerabilities late in the development process. Plus, they support compliance with the CRA requirements, for example, secure default configurations, data confidentiality and attack surface reduction.

Lifecycle Security with Digi ConnectCore Security Services and Digi ConnectCore Cloud Services

Digi ConnectCore Security Services help meet the CRA post-market requirements by monitoring devices for vulnerabilities throughout their lifecycle. Thanks to Digi ConnectCore Cloud Services, OEMs can securely deliver firmware updates and maintain visibility across a product fleet. Features like automated reporting of Common Vulnerabilities and Exposures (CVE), available within our security services, and automated patch deployment, available within our cloud services, support continuous compliance and rapid vulnerability response.

Simplifying Documentation and Compliance Readiness

The CRA requires comprehensive technical documentation, well-maintained records and a description of the vulnerability handling processes put in place. Digi ConnectCore Security Services support these requirements by automatically scanning custom SBOMs to triage CVEs, removing false positives and enabling OEMs to focus on the most critical ones. Additionally, OEMs can take advantage of our meta-digi-security layer that includes a collection of pre-integrated security patches for Digi Embedded Yocto (DEY), board support package (BSP), Linux kernel and bootloader. This data streamlines the creation of technical files and helps support the CRA reporting obligations, including ENISA and CSIRT notifications and conformity assessments.

By centralizing security-related data collection, Digi reduces the documentation workload on engineering and compliance teams - making it easier to maintain audit readiness across embedded deployments.

Next Steps: Getting Ready for the EU Cyber Resilience Act

The clock is ticking on the CRA. While full enforcement is still months away, preparation should begin immediately to protect your access to the EU market. Take these proactive steps to ensure a smoother transition:

  • Assess the cybersecurity posture of current and upcoming products
  • Review your development, monitoring and documentation practices
  • Evaluate suppliers and partners for CRA-aligned capabilities
  • Create or update vulnerability and incident-response plans
  • Build a roadmap for compliance across your product lifecycle

Don't wait until the final hour. Start now to turn CRA compliance into a competitive advantage.

Watch our deep dive into cybersecurity requirements and preparing for the CRA.

Cyber Resilience Act FAQ

Why was the CRA introduced?

The European Union wants to address growing cybersecurity risks in an increasingly connected world. Many products on the market lack sufficient security measures, making them vulnerable to attacks. The CRA ensures that consumers and businesses can trust that products meet minimum cybersecurity standards.

Who does the CRA apply to?

The CRA applies to:

  • Manufacturers of hardware and software products placed on the EU market

  • Importers and distributors of such products

  • Certain online marketplaces facilitating their sale

Which products are covered by the CRA?

The CRA covers all products with digital elements (hardware or software) that can connect directly or indirectly to a network and will be sold in the EU. Examples include:

  • Smart devices (IoT, wearables, home appliances, medical devices)

  • Operating systems and apps

  • Industrial control systems

  • Security software and firewalls

  • And any other devices that have the capability to connect to the Internet

Are any products excluded from CRA requirements?

Yes. Products already regulated under EU sectoral rules with equivalent cybersecurity requirements (such as medical devices, aviation, or cars) are excluded. Also, open-source software developed or supplied outside commercial activity is exempt.

What are the main CRA obligations for manufacturers?

Manufacturers must do the following:

  • Design and develop products with cybersecurity in mind ("security by design")

  • Provide a declaration of conformity and CE marking

  • Ensure products receive security updates for their expected lifetime or at least five years

  • Report actively exploited vulnerabilities and incidents to ENISA (EU Agency for Cybersecurity) within 24 hours

What are the CRA obligations for importers and distributors?

They must ensure that products comply with the CRA before placing them on the market. This includes checking CE marking, declarations of conformity, and that manufacturers meet their security obligations.

How will CRA compliance be demonstrated?

Compliance is shown through:

  • Manufacturer self-assessment for standard-risk products

  • Third-party conformity assessments for high-risk products (such as identity management systems, password managers, or security-critical software)

What are the penalties for non-compliance with the CRA?

Fines can be up to:

  • €15 million or 2.5% of annual worldwide turnover (whichever is higher) for serious violations

  • €10 million or 2% of turnover for non-compliance with obligations

  • €5 million or 1% of turnover for incorrect, incomplete, or misleading information

When will the CRA apply?

  • The CRA entered into force in December 2024

  • Most provisions will apply after a 36-month transition period in 2027

  • Vulnerability reporting obligations will apply earlier, after 21 months

How does the CRA benefit consumers?

Consumers of connected products benefit in multiple ways, including:

  • Increased trust in digital products

  • Better protection from cyber attacks

  • Longer product lifetimes due to mandatory security updates

How does the CRA affect businesses?

Businesses are impacted by the CRA in several ways. For example:

  • The CRA creates a level playing field with harmonized rules across the EU

  • It reduces costs of compliance with multiple national regulations

  • It increases accountability and liability for insecure products

Digi International Inc. published this content on September 08, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 09, 2025 at 16:05 UTC.