Raspberry PI Holdings plc

06/24/2026 | Press release | Distributed by Public on 06/24/2026 06:16

Raspberry Pi and the EU Cyber Resilience Act

The regulatory landscape for digital devices is changing, specifically for those that fall within the relatively wide definition given in the EU's new cybersecurity regulation:

'product with digital elements' means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately

If you manufacture and deploy digital products in the European Union, the EU Cyber Resilience Act (CRA) is something you need to understand. At Raspberry Pi, we've been monitoring the development closely and are ready to support customers integrating our computers into their designs.

What is the Cyber Resilience Act?

The CRA is the EU's primary legislation focused on the cybersecurity of digital products. It applies to any hardware or software with digital elements, including IoT devices, embedded systems, industrial controllers, smart home devices, and much more; if it's a connected product sold in Europe, it's almost certainly within scope. The CRA will follow the product compliance procedures established in the New Legislative Framework Regulation (EC) No 765/2008, commonly known as CE marking.

Manufacturers must begin with a cybersecurity risk assessment, evaluating how the digital product operates and where any potential vulnerabilities may lie. Depending on the outcome of the risk assessment, manufacturers may need to implement security features, securely maintain products throughout their lifecycle, provide vulnerability handling processes, and be transparent with customers about security capabilities and limitations.

Manufacturers must also take steps to improve the cyber resilience of their products - from the integrity of the communications they send and receive, through to the confidentiality of their data - by, among other things, carrying out regular reviews and security tests. Penalties for non-compliance can reach €15 million or 2.5% of global annual turnover.

Timelines and requirements

The full CRA will come into force on 11 December 2027, which is the date by which products must meet the requirements outlined in the Annexes. These include:

Annex 1 Essential cybersecurity requirements
Annex 2 Minimum level of information that must be given to the customer
Annex 3 A list of high-security digital products organised into two classes
Annex 4 Critical products with digital elements
Annex 5 Template of the declaration of conformity
Annex 6 Simplified declaration of conformity
Annex 7 Content of the technical documentation that the manufacturer must maintain, commonly referred to within the CE marking framework as the Technical Construction File (recognising that software elements have no physical construction)
Annex 8 Conformity assessment procedures: the processes a manufacturer must follow to prove a product is compliant; under the CRA, these range from self-declaration through internal production control to assessment by an appointed notified body

The December 2027 deadline still gives integrators time to implement the requirements of the legislation. However, for teams building products today - choosing silicon, designing firmware architectures, planning certification strategies - the decisions made now will determine whether they arrive at that deadline with confidence. When that time comes, all in-scope products must be CE-marked.

Vulnerability and incident reporting will become mandatory on 11 September 2026. Manufacturers marketing connected products in the EU must report any actively exploited vulnerabilities or severe security incidents affecting their products. They will have 24 hours to file an early warning and 72 hours to submit a full notification. Reports will be submitted via a new central reporting platform established by the CRA, enabling the secure exchange of data between European Computer Security Incident Response Teams (CSIRTs) and the European Network and Information Security Agency (ENISA).

We're here to help

Raspberry Pi products are at the heart of an enormous variety of connected applications, including industrial automation, smart building infrastructure, edge computing nodes, medical monitoring equipment, retail systems, and beyond. Many of these use cases fall within the scope of the CRA.

The CRA categorises products with digital elements according to risk - the majority fall within the default, lowest-risk category, but some fall within 'important' and 'critical' categories subject to more stringent assessment requirements. For many of our customers, the default category will apply, but those building more critical infrastructure will face proportionally more demanding obligations.

We understand that compliance isn't just a box to tick; it requires documented risk assessments, evidence of security testing, vulnerability disclosure procedures, and ongoing obligations that persist long after a product enters the market. Our customers are engineers and product designers, not regulatory specialists, and we work hard to make this process easier for them.

Our products can help you achieve compliance

When assessed against the CRA's essential cybersecurity requirements, our hardware and software products provide a strong foundation for compliant system design. Secure boot capabilities, encrypted storage options, robust update mechanisms, and strong cryptographic primitives are all native to the platform, and Raspberry Pi OS, our official operating system, ships with a hardened default configuration.

Compliance is a responsibility shared across the supply chain. When you design a product using Raspberry Pi technology, you're not starting from scratch - you're building on a platform that has already done much of the heavy lifting. Our security architecture is documented, our vulnerability disclosure process is mature, and our commitment to supporting products with long-term security updates is well established. We continue to support even our earliest computers in our latest Raspberry Pi OS builds.

Guidance and support for our customers

Demonstrating that a product complies with the CRA will require engineers and product designers to document all of their conformity and risk assessments, showing that the security measures currently in place are appropriate while also outlining their plans for ongoing security maintenance. That's why we're investing in support and guidance specifically aimed at helping our customers navigate the CRA.

Our Product Information Portal (PIP) already contains application notes and white papers explaining how to implement security measures. We will continue to provide more guidance as our internal working group monitors the development of the regulation and the publication of the harmonised standards that will underpin conformity assessments.

An excellent starting point for new designs

If you're starting to develop a new product, Raspberry Pi is an excellent choice. Engineering leaders should treat this window as their last chance to ensure compliance with the CRA, and integrating Raspberry Pi technology provides a substantial head start. Waiting until enforcement begins may cause delays, legal exposure, and unavoidable redesign work.

Choosing a platform that has invested in security, already has long-term support commitments and transparent vulnerability management, and is actively developing compliance guidance provides a solid security foundation. This means our customers can focus their engineering efforts on the application itself, rather than on building security infrastructure from the ground up.

The CRA raises the bar significantly for connected-device security. Encouraging engineers to make products secure by design will help ensure that customers and end users are better protected.

Raspberry PI Holdings plc published this content on June 24, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 24, 2026 at 12:16 UTC.