Skip to content

Cyber Resilience Act (CRA)

CRA for Embedded Systems

 

The Cyber Resilience Act (CRA) places significant pressure on manufacturers and developers of embedded systems.
The CRA emphasizes a shift towards secure by design principles, ensuring that embedded systems are built with robust security protocols from the outset. This includes incorporating risk assessments, secure coding practices, and addressing vulnerabilities early in the development cycle. Additionally, traceability and documentation are key, as manufacturers must provide detailed information on the software and hardware components of their embedded systems.
For embedded systems manufacturers, the CRA’s impact also extends to compliance testing and conformity assessment. Companies will need to undergo regular assessments to verify that their products meet the required cybersecurity standards. 
We help companies to adapt their embedded products to be compliant to CRA and to evaluate and implement suitable security measures

Our Cyber Resilience Act Services 

  • Provide CRA-compliant checklists
  • Support with risk assessment 
  • Specify and justify CRA compliant requirements and execute vulnerability handling
  • Specify and implement security measures
  • Develop test concepts
  • Support preparation for conformity assessment procedures (CAP) to get the product certified for EU CRA

Major steps to achieve conformity 

CRA-Action-Plan

Why KiviCore?

KiviCore´s employees have decades of experience in ASIC and FPGA design and embedded software development. We understand how embedded systems are affected by the Cyber Resilience Act and what technical measures need to be taken to make the product compliant with the CRA. We excel in classic crypto algorithms as well as in cutting-edge cryptographic technologies, including Post-Quantum Cryptography (PQC) and can help you to implement such functionalities into your system.

Customized
Tailored for Embedded Systems
We offer customized CRA compliance services tailored to the needs of embedded system manufacturers. We combine expertise in digital design with cyber security expertise.
Money
Affordable Expertise

Our experienced experts and our lean corporate structure enable us to offer our expertise quickly and at a competitive price.

Long-term
Long-term Partnership & Support

We not only advise you on the impact of the CRA on your product, but also support you with the technical implementation and security architecture that may be required based on the CRA assessment. 

Frequently Asked Questions

What are products with digital elements?

Products with digital elements are defined as products that can be connected to a device or a network and include both hardware products with networked functions and pure software products. For embedded developers this means, that both, hardware but also embedded software is affected.

Are there products which are not affected?

Yes, a few products are excluded from the CRA. The CRA does not apply to products that are already subject to specific cybersecurity requirements under other EU regulations.

These include, among others:

Medical devices (regulated by the Medical Devices Regulation), Vehicles (covered by the type approval regulations), Aviation products & Military products

These exemptions avoid double regulation, as these products already have to meet cybersecurity requirements through their own sectoral regulations.

Who must comply with this regulation?

The CRA applies to all companies that manufacture, import or distribute products with digital elements in the EU.

What is the timeline to comply?

The CRA was adopted by the Council of EU Home Affairs Ministers on October 10, 2024 and will become directly binding law due to its regulation status. Manufacturers and operators have until November 2027 to ensure that their newly introduced products comply with the CRA requirements. 

What are the consequences of non-compliance with CRA?

Non-compliance could result in high fines up tp 15 million Euros or 2.5% of the annual global turnover, whichever is higher.