
EU Cyber Resilience Act: what embedded developers must know

17th July 2024
Sheryl Miles

If you CE-mark your products you need to understand the Cyber Resilience Act (CRA), a new EU law.

However, even with many years of real-world experience in developing secure systems, it’s a complex, 338-page document. Here, David Pashley, MD, Direct Insight, brings clarity in a Q&A for Embedded Developers.

Is the CRA an enforceable law, when does it come into effect and what are the penalties?

Yes, Acts like the CRA have immediate force of law. The EU Cyber Resilience Act (CRA) was voted through the EU Parliament in March 2024. When it receives EU Council assent in the coming weeks, it becomes EU law. After that, if you want your product to be CE marked, it will need to be certified as compliant with the Cyber Resilience Act in addition to prior legislation. As with CE marking, for most product categories, companies ‘self-certify’ their products. The penalties for non-compliance start at €15 million.

Does the Cyber Resilience Act definitely affect me if I’m based in the UK, US, or elsewhere outside of the EU?

If you normally CE mark your products in order to sell them in the EU, then your products must comply, no matter where you are based. If you don’t ship to the EU, or your products are non-commercial, then compliance is not necessary.

What is required for an embedded system to comply with CRA? Just the highlights please.

The following instructions must be addressed:

  • “Secure by default configuration” and “protect the integrity of stored data/programs” necessitate implementing Secure Boot as a minimum.
  • “Encrypting relevant data at rest or in transit” requires secure storage, and/or TLS.
  • “Ensure that vulnerabilities can be addressed through security updates”. The manufacturer must have the ability to identify vulnerabilities as they arise, and the system must be field updatable. The term “provide for mechanisms to securely distribute updates” demands that vulnerabilities must be addressed for five years, with security updates distributed free-of-charge.
  • “Identify and document vulnerabilities and components by drawing up a software bill of materials (SBOM)”. This may be delayed as the format is to be defined by a working group, but that’s not guaranteed, and you will probably need an SBOM to know where to check for vulnerabilities.
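The last point, that an SBOM tells you where to check for vulnerabilities, is easiest to see with a concrete cross-reference. The following is an added example, not code from the article or from Direct Insight: it loads a small, constructed CycloneDX-style SBOM for a hypothetical embedded Linux image, compares each listed component against a constructed advisory list, and reports which components sit below the fixed version. The component names, versions, advisory identifiers and the simplified `fixed_in` field are all assumptions made for this illustration (real advisory feeds express affected ranges in richer ways, and the CRA working group may settle on a different SBOM format).

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical embedded Linux image.
# Component names and versions are made up for this example, not taken from the article.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "library", "name": "busybox", "version": "1.36.1"},
    {"type": "operating-system", "name": "linux", "version": "6.1.20"}
  ]
}
"""

# Constructed advisory feed. Each entry says that every version of a component below
# "fixed_in" is affected. The identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "fixed_in": "3.0.8"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-EXAMPLE-0003", "component": "busybox", "fixed_in": "1.35.0"},
    {"id": "ADV-EXAMPLE-0004", "component": "curl", "fixed_in": "8.4.0"},
]


def parse_version(text):
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Return {name: version} for every component listed in a CycloneDX-style SBOM."""
    sbom = json.loads(sbom_text)
    return {c["name"].lower(): c["version"] for c in sbom.get("components", [])}


def find_affected(sbom_text, advisories):
    """Cross-reference the SBOM against the advisories.

    Returns a sorted list of (advisory id, component, shipped version, fixed version)
    for every advisory whose component is present and still below the fixed version.
    """
    components = load_components(sbom_text)
    hits = []
    for adv in advisories:
        name = adv["component"].lower()
        if name not in components:
            continue  # component not in this product: nothing to check
        shipped = components[name]
        if parse_version(shipped) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], name, shipped, adv["fixed_in"]))
    return sorted(hits)


if __name__ == "__main__":
    for adv_id, name, shipped, fixed in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name} {shipped} is affected; fixed in {fixed}")
```

Run against the constructed data, only openssl and zlib are flagged: busybox is already above its fixed version, and curl is not in the image at all, which is exactly the triage the SBOM makes possible. In a real pipeline the SBOM would be generated by the build system and the advisory feed pulled from a vulnerability database, with the comparison re-run whenever either side changes.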

What about Open Source?

Open-source software is mentioned 59 times in the Act, but any protections are more aimed at the open-source community rather than, for example, OEMs using Linux. A special working group (“ADCO”) is to be set up. But I don’t see any special exemptions, and it will fall on developers and the open-source community to come up with compliance routes. No magic wands are being waved so far.

Seems quite onerous! Surely there’s a ‘grace period’?

Yes, there is a 36-month grace period, after which it will apply to any product which is then first sold commercially or “substantially modified”. However, the Act does confer liability for significant vulnerabilities on the vendor 18 months before that.

Where can I read the full details?

https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf Enjoy!

What does this mean for embedded developers?

Most developers are currently working on products which will see the light of day within three years, so this far-reaching legislation will not apply (unless the product will be “substantially modified” in the future). But remember, if your project gets held up or changed and goes beyond the three year deadline, you will have to comply.

However, since Direct Insight operates within the safety-critical and medical product development fields, we’re already seeing the impact of meticulous consideration of the CRA in those projects.

The most important items to consider are secure boot, and a secure update process (ideally OTA), as these may be difficult features to add retrospectively.

We expect to see a flurry of compliance concerns in general embedded markets as projects begin which may not ship by mid-2027. Customers may be encouraged to move to a commercial OS where some of the compliance work is already done by the vendor. Maybe a compliance route for Linux will emerge – I don’t know right now.

© Copyright 2024 Electronic Specifier