The Cyber Resilience Act and its Impact on Embedded Systems

You want to classify your product and to understand the major obligations?
1. Introduction
The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to enhance the cybersecurity of digital products and services, with a particular focus on the growing risks in the digital supply chain. Set to come into force in late 2024, the EU Cyber Resilience Act aims to protect critical infrastructure by ensuring that all products with digital components meet strict security standards by 2027. The CRA represents a critical step towards building cyber-resilient systems in these sectors. It is important for companies to understand compliance requirements and how to effectively protect their embedded systems and products.
The blog post outlines the Cyber Resilience Act (CRA) and its implications for embedded systems, focusing on the need and important steps for manufacturers to meet strict cybersecurity requirements.
CRA Product Check
Not sure if your embedded product is compliant to the CRA? Find it out in only two weeks.
2. The Impact of EU CRA on Embedded Systems
Important things first: The CRA focuses on cybersecurity rules for the placing on the market of hardware and software in the EU. That means that manufacturers of devices based on micro-controllers, microprocessors and FPGA systems, as well as ASICs must take action.
The Cyber Resilience Act (CRA) places considerable demands on manufacturers and developers of such systems. Its requirements cover the entire lifecycle of an affected product: cybersecurity measures must be implemented from the initial design stage and maintained for a support period of at least five years. Furthermore, the CRA also considers the expected lifespan of the product.
The regulation states The CRA emphasizes a shift towards the principles of Secure by Design to ensure that embedded systems are built with robust security mechanisms and protocols from the start. The essential technical security requirements or product properties include different features that products with digital elements must meet depending on the level of risk identified in the risk assessment. A risk and threats assessement is an important first step to identify and assess potential security vulnerabilities. Manufacturers must assess which attacks and exploits can affect the device, regardless of an attacker's motives. Protection measures should be tailored to the device and it´s use in question, balancing the technical costs against the potential impact.
In the table below you can find all the (technical) security requirements and characteristics for the products mentioned in Annex I.
| a) Vulnerability Mitigation | Products must be free of known exploitable vulnerabilities | 
| b) Secure Default Configuration | Products should be delivered with a secure default configuration. | 
| c) Security Updates | Security updates shall be provided to fix security issues | 
| d) Access Control | Authentication and identity management shall be used to prevent unauthorized access | 
| e) Confidentiality Protection | Stored data must be protected e.g. by encryption | 
| f) Integrity Protection | Data must be protected against manipulation | 
| g) Data Minimization | Only relevant and necessary data shall be used | 
| h) Availability Protection | Essential and basic features must be protected all time - also after incidents | 
| i) Minimizing negative Impact | Other systems shall be protected by minimizing the impact of incidents to other systems | 
| j) Attack Surface Limitation | Devices need to have minimal attack surfaces incl. external interfaces | 
| k) Incident Impact Reduction | Suitable counter-exploitation strategies and methods to reduce the impact of incidents are necessary | 
| l) Recording and Monitoring | Security related information shall be supplied by logging and monitoring internal activity, also an opt-out for users needs to be provided | 
| m) Secure data removal | Users shall be enabled to delete all data and settings permanently and to ensure safe data transfers to other systems if necessary | 
In the table below you can find the vulnerability handling requirements for the products mentioned in Annex I.
| Part II - Vulnerability handling requirements | |
| Requirement | Description | 
| Identify and document | Identify and record vulnerabilities and components a software bill of materials (SBOM) | 
| Address Vulnerabilities | Manufacturers must address and correct vulnerabilities promptly through updates or mitigation. | 
| Regular Testing | Manufacturers must document and regularly test product security properties for correctness. | 
| Publish addressed Vulnerabilities | The manufacturer must inform users about vulnerabilities and their effects and remedy by using security advisories provided in a machine processable way. | 
| Coordinated Vulnerability Disclosure Policy | The manufacturer MUST have published and implemented a vulnerability disclosure process as specified. | 
| Sharing Information about Vulnerabilities | Manufacturer must take steps to enable the sharing of information about potential vulnerabilities | 
| Secure Distribution of Updates | The manufacturer provides a mechanism for the distribution of updates as specified. | 
| Dissemination of Updates | The manufacturer must provide update mechanisms and user documentation for applying updates as specified. | 
3. CRA Action Guide for Embedded Systems
The CRA requires a multi-faceted approach to securing embedded systems and addressing cybersecurity risks. Here are the recommended 8 key major steps manufacturers of embedded products need to focus on to ensure compliance with the EU Cyber Resilience Act.

3.1 Product Assessment
First the affected product needs to be identified and classified according to the CRA categories. The regulation divides the products concerned into different risk categories.
- Products with digital elements (default) - The majority of all products fall into this category. Self-certification by the manufacturer is possible for such products.
- 
Important products class I - Standard (non-critical products) such as microprocessors, microcontrollers and FGPAs with security-related functionalities. Self-certification by the manufacturer is possible for such products if harmonized standards does exist. Otherwise certification by a notified body is required. 
- 
Important products class II (important products), for example tamper-resistant microprocessors and microcontrollers Certification by a notified body is required for products in this risk class. 
- 
Critical products for instance hardware devices with security boxes, smart meter gateways and smartcards or similar devices including secure elements 
The same product requirements apply to all risk classes. The main difference is the conformity assessment. As the risk class increases, the criteria become stricter and the assessment process becomes more extensive. For class II and critical products, assessments by independent bodies are also mandatory, and certification in accordance with a European certification scheme may also be required.
3.2 Threat analysis and risk assessment
The CRA requires embedded system manufacturers to conduct a risk assessment as part of the initial product development and throughout the product lifecycle. This means identifying, evaluating, and mitigating potential cybersecurity risks based on intended use, foreseeable conditions and expected lifespan. The goal is to proactively address these risks by implementing security features.
For embedded hardware this may include identifying hardware vulnerabilities like design flaws, side-channel vulnerabilities, tampering risks, or weaknesses that could be exploited through physical access to the device and can be prevented through hardware security features like secure boot mechanisms.
Risk assessment for software involves identifying potential vulnerabilities in the code and its execution environment. This includes issues such as buffer overflows, improper input validation, and reliance on outdated or vulnerable software libraries. It's essential to evaluate the software supply chain for potential third-party vulnerabilities. The Secure Development Lifecycle (SDL) helps to mitigate these risks by incorporating secure coding practices, code reviews, and static analysis tools to identify software vulnerabilities early in development.
3.3 Secure by Design
Secure by design refers to the philosophy of incorporating robust security measures into the design and architecture of embedded systems from the very start. This includes adopting security practices such as using secure coding techniques, implementing hardware-based security features, and ensuring that firmware and software updates can be done securely. For compliance with the CRA, embedded systems must be resilient to a range of cyber threats, and the design must integrate security controls that can withstand future vulnerabilities.
3.4 Software Bill of Materials (SBOM)
The SBOM is a key component of the CRA's cyber security framework. It is essentially a detailed inventory of all software components used in an embedded system, listing several properties of each individual component. By providing a complete SBOM, manufacturers make it easier to identify and fix security flaws and comply with the CRA's vulnerability management requirements.
3.5 Documentation
To ensure full traceability of embedded systems and their security measures, proper documentation is required. Manufacturers must provide clear records of the design process, risk assessments, testing protocols and security controls in place. This documentation is important not only for compliance, but also for customers, auditors and regulators who may need to verify the security measures taken to ensure a product's security. Documentation must be retained for 10 years after product launch or for the duration of support, whichever is longer.
- 
The technical documentation must include relevant cyber security aspects such as identified vulnerabilities, third-party information and risk assessment updates. 
- 
The EU declaration of conformity demonstrates compliance with the essential requirements 
- 
User information and guidance must be provided leading to safe installation and operation. 
3.6 Vulnerability reporting
The CRA requires manufacturers to establish a system to report any vulnerabilities found in their embedded systems. This includes reporting to both end users and regulators. Timely reporting ensures that threats are publicly known immediately and resolved or mitigated quickly. This step also helps build consumer confidence and ensures that embedded systems remain secure and compliant.
3.7 Conformity assessment
Manufacturers must conduct conformity assessments to demonstrate that their embedded systems meet the cyber security requirements set out in the CRA. This may involve independent testing or self-certification, depending on the complexity of the product and its intended use. This process ensures that the product meets all required safety standards.
3.8 CE marking
Finally, the CE marking for your embedded systems confirms that your product complies with the Cyber Resilience Act and is safe for use on the EU market. This marking indicates that all required safety measures have been taken and that the product meets the standards set by the EU.
4. How KiviCore can help
KiviCore offers comprehensive services to help manufacturers ensure compliance with the Cyber Resilience Act (CRA) for embedded systems. With decades of experience in embedded system design and cryptography, we offer tailored solutions that address the specific needs of your products. KiviCore combines cost-effective service with high availability, ensuring a swift, efficient process that aligns with your project timelines, all while maintaining a strong focus on long-term partnerships and support.
Our Cyber Resilience Act Services
1. Consulting & Analysis
- CRA consulting for embedded products
- Product assessment
- Threat analysis & risk assessment
- Gap analysis
2. Architecture & Concepts
- Definition of security requirements based on analysis and gap analysis
- Development of concepts and architectures
3. Design & Implementation
- Secure development of embedded products
- Hardening of secure embedded systems
- Integration & configuration of security mechanisms
- Secure boot
- Secure life cycle
- Secure key exchange
- Secure communication
- Secure updates
 
4. Documentation
- Support in creating the SBOM
- Support in creating technical documentation and information and instructions for the user
- Support in creating documents for the conformity assessment
5. Testing
- Development of test concepts
- Testing of security mechanisms and functions
5. Conclusion
In summary, the Cyber Resilience Act (CRA) sets new standards for cybersecurity in embedded systems and requires manufacturers to adopt more stringent security measures and ensure compliance through risk assessments, secure design practices and continuous vulnerability management. Once the regulation comes into force, companies will need to understand and implement these requirements to protect their products and meet EU market standards. While the CRA presents challenges, it also offers manufacturers the opportunity to improve the resilience of their embedded systems and overall security. By proactively addressing CRA obligations, companies can ensure their products are prepared for the evolving regulatory landscape. Our team will support you every step of the way, from identifying and mitigating risks, implementing hardware or software implementations, to preparing for conformity assessments to get your product CE marked. With a cost-effective and responsive approach as well as decades of staff expertise, KiviCore provides the expertise needed to meet CRA requirements while ensuring safety and compliance.
 
      
      
    
       
  
 
         
        