The EU Cyber Resilience Act (CRA), set to be officially published in November 2024, aims to revolutionize the cybersecurity landscape of connected devices in the EU single market. With a compliance deadline of December 2027, key provisions are already in effect, including mandatory reporting obligations under Article 14 (as of September 11, 2026). Additionally, key requirements such as the notification of Conformity Assessment Bodies (Chapter IV, Articles 35-51) will become enforceable on June 11, 2026, marking a significant milestone in the CRA's implementation. 

What is the EU Cyber Resilience Act?

The EU CRA is a regulatory framework that establishes essential cybersecurity requirements for IoT security standards, smart home devices, and all connected digital products within the EU single market. It enforces security by design and by default, helping products remain appropriately secure throughout their lifecycle.

This broad legislation applies to all hardware and software products with digital elements sold in the EU with only a few exceptions:

  • Non-commercial projects and services
  • Cloud services without physical components
  • Industries already covered by existing regulations, such as automotive, healthcare, and aviation

Compliance with the cybersecurity requirements of the CRA will be included in the well-known CE mark, which will now mean “Safe and Secure”. Manufacturers must take care that their products are free from known vulnerabilities at launch and actively manage cybersecurity risks throughout the product's lifecycle. Failure to comply with the EU CRA may result in fines of up to 2.5% of annual worldwide revenue.

EU Cyber Resilience Act

The EU Cyber Resilience Act establishes essential cybersecurity requirements to enhance the security of connected devices and components. This includes stringent product security measures and robust vulnerability management processes to facilitate compliance with cybersecurity and regulatory standards.

  • Security by Design:
    Manufacturers must integrate security by design into the development lifecycle, helping all IoT security standards and cybersecurity compliance requirements to be met from the outset.

  • Security by Default:
    Devices must be pre-configured with optimal cybersecurity settings, minimizing the risk of cyber threats without requiring additional user intervention.

  • Vulnerability Disclosure & Management:
    Manufacturers must implement a vulnerability disclosure policy that allows security researchers to report potential risks. Identified vulnerabilities must be addressed promptly to enable ongoing cybersecurity compliance.

  • Incident Response & Risk Management:
    A structured incident response plan is mandatory, allowing manufacturers to mitigate security incidents quickly and meet their cybersecurity regulatory compliance obligations.

The EU CRA’s security-by-design approach enables connected devices, including IoT products, smart home devices, and networked components, to adhere to CE marking requirements while mitigating cybersecurity risks across the EU single market.

The EU Cyber Resilience Act (EU CRA) enforces new cybersecurity compliance standards for connected devices, facilitating security across the European market

Learn more about the regulation of the European Commission on Cyber Resilience Act

Regulation (EU) 2024/2847 of 23rd October 2024

The EU CRA offers several benefits for consumers, manufacturers, and the broader EU economy, such as:

  • Improved Security: The EU CRA aims to make connected devices more secure, reducing the risk of cyber-attacks and enabling protection of consumers’ personal data.
  • Increased Trust: The EU CRA could increase trust in connected devices and enable growth of IoT markets by establishing a common set of security standards that need to be fulfilled to achieve the CE label, which is mandatory for selling such devices in the EU single market.

By implementing these measures, the EU CRA not only strengthens the security framework for digital products but also contributes to a more resilient and trustworthy digital ecosystem across Europe.

Please note that the table is indicative and based on preliminary guidance; it is subject to change based on the development of CRA harmonized standards, CRA implementing acts, and any CRA guidance issued by the EU Commission or ENISA.

As a leading provider of semiconductor solutions, Infineon is committed to helping manufacturers meet EU Cyber Resilience Act (EU CRA) compliance with security-by-design solutions. Our comprehensive portfolio of hardware and software security solutions enables connected devices to fulfill essential cybersecurity requirements for CE marking and regulatory compliance.

Infineon’s Security Solutions for IoT Manufacturers

Microcontrollers & SoCs

  • Security-hardened microcontrollers from the PSOC™ family
  • Wireless solutions from the AIROC™ family

Secure Elements for IoT Security

  • OPTIGA™ and SECORA™ security controllers provide a robust foundation for cybersecurity compliance and product security device design.

Software Libraries for Secure Development

  • Infineon Security Library offers cryptographic algorithms and security protocols to support secured device development.

Development Tools & Support

  • ModusToolbox™ and Infineon Developer Portal provide extensive resources to simplify IoT product security by design.

By leveraging Infineon’s security expertise, manufacturers can safeguard their devices against cybersecurity risks, facilitate compliance with the EU CRA, and reduce the risk of non-compliance penalties.

Learn more: Infineon Edge Protect

The EU Cyber Resilience Act (EU CRA) enforces cybersecurity standards for industrial IoT, strengthening compliance and security in manufacturing.

Listen to our Podcast with

Preeti Ohri Khemani - Senior Director for IoT's Ecosystem Development at Infineon Technologies

Nitin Dahad - Editor-in-Chief of embedded.com

Preparing for CRA and Open-Source Silicon Security

As a device manufacturer, navigating the European Cyber Resilience Act (CRA) can be complex. To support you in your compliance journey, we have compiled a range of valuable resources to help you understand CRA and implement the necessary measures to be ready for CRA compliance. Below, you will find a collection of informative content, training, and practical tools to help you get started with your CRA compliance journey.

  • Insights on the Cyber Resilience Act: interview with Thomas Rosteck, CSS President at Infineon Technologies

As the world becomes increasingly connected, cybersecurity has emerged as a top priority. The European Union's Cyber Resilience Act (CRA) is set to revolutionize the way we approach security in IoT products. In an exclusive interview, Thomas Rosteck, Division President of Connected Secure Systems at Infineon Technologies, shares his insights on the CRA's objectives, its impact on global and Indian manufacturers, and how companies can stay ahead of evolving cybersecurity regulations. Read the full article to learn more about the CRA's implications, Infineon's approach to cybersecurity, and the future of security technologies.

  • EU CRA On-demand Webinar: "Navigating the EU CRA with Infineon"

Watch our on-demand webinar to train yourself on the EU CRA and gain a comprehensive understanding of its essential requirements. Our webinar covers the key requirements of the EU Cyber Resilience Act and its ongoing standardization work. Infineon experts explain how our products enable compliance with the EU CRA's essential product security requirements. Strategies for a timely compliance journey are also discussed.

  • Blog Article: "Europe's Cyber Resilience Act: More Security for Connected Devices from 2027"

Read our short blog article to get ready for a new era of cybersecurity in the EU. This article provides an overview of the requirements, timelines, and best practices for device manufacturers to facilitate a smooth transition.

  • Podcast Interview: "Preparing for CRA"

Listen to our podcast interview with Preeti Ohri Khemani, a leading Infineon expert in the field, exploring the Cyber Resilience Act and its impact across the global supply chain.

  • Legislation: Regulations of the European Commission on Cyber Resilience Act

Access the official text of the EU Cyber Resilience Act (CRA) to stay up-to-date with the latest regulatory requirements. This resource provides device manufacturers with a direct link to the EU legislation, allowing you to have the most current information at your fingertips.

CRA Compliance made easy: Expert insights for C-Level Executives

Watch our training video to gain a comprehensive understanding of the EU Cyber Resilience Act and learn how to integrate its requirements into your business strategy for a more secure and future-ready organization.

Frequently Asked Questions

The EU CRA shall apply from 11th December 2027. Some of the key provisions, such as Chapter IV (Art. 35-51) on Notification of Conformity Assessment Bodies, will become applicable from 11th June 2026, while the reporting obligations under Art. 14 will become applicable from 11th September 2026.

The EU CRA applies to all connected digital devices and components with hardware and software that are sold within the EU single market.

Manufacturers that fail to comply with the EU CRA may face significant fines and penalties, as determined by the relevant EU authorities.

The European standardization organizations CEN-CENELEC and ETSI will be developing the harmonized European Standards for the EU CRA over the next years.

Manufacturers should consult the EU's guidelines and regulations, and consider partnering with security experts like Infineon to help their products meet the EU CRA's requirements.

This regulation applies to all products with digital elements that are capable of connecting directly or indirectly with devices or networks, and that will be sold within the EU single market.

Here are a couple of examples:

If your product is low security risk then it might fall under the CRA category "default"

Here are a couple of examples for this:

If your product is high security risk then it might fall under the CRA category "Important"

Here are a couple of examples for this:

Here are some examples of microelectronics components affected by CRA regulations:

The CRA conformity specifications will be developed by CENELEC as part of the CRA standardization. The first drafts of the test catalogs are expected by the end of 2025 for some CRA aspects.

For third-party tests, the CE test labs (Notified Bodies) are required.

Do you have any questions about the EU Cyber Resilience Act or how Infineon can help you comply? Contact us!

 
