On October 10, 2024, the EU Council officially adopted the Cyber Resilience Act (EU CRA). Shortly after, on November 20, 2024, the legislation was published in the European Union’s Official Journal, marking a significant milestone in cybersecurity compliance. The EU CRA is a groundbreaking regulation designed to enhance the security of connected devices across the EU single market, so that cybersecurity and compliance are embedded from the initial design phase.

The Act will be fully implemented by December 11, 2027, mandating that all products meet strict security-by-design requirements to obtain CE marking. However, some key provisions take effect earlier:

  • June 11, 2026 – Notification of Conformity Assessment Bodies (Chapter IV, Articles 35-51)
  • September 11, 2026 – Mandatory cybersecurity incident reporting (Article 14)

What is the EU Cyber Resilience Act?

The EU CRA is a regulatory framework that establishes essential cybersecurity requirements for IoT products, smart home devices, and all connected digital products within the EU single market. It enforces security by design and by default, so that products remain appropriately secure throughout their lifecycle.

This legislation applies to all hardware and software products with digital elements, except:

  • Non-commercial projects and services
  • Cloud services without physical components
  • Industries already covered by existing regulations, such as automotive, healthcare, and aviation

Compliance in Cybersecurity: Key Requirements

Manufacturers must take care that their products are free from known vulnerabilities at launch and must actively manage cybersecurity risks throughout the product's lifecycle. Failure to comply with the EU CRA may result in fines of up to 2.5% of annual worldwide revenue.

EU Cyber Resilience Act

The EU Cyber Resilience Act establishes essential cybersecurity requirements to enhance the security of connected devices and components. This includes stringent product security measures and robust vulnerability management processes to facilitate compliance in cybersecurity and regulatory standards.

Core Cybersecurity Compliance Requirements

  • Security by Design:
    Manufacturers must integrate security by design into the development lifecycle, so that all IoT security standards and cybersecurity compliance requirements are met from the outset.

  • Security by Default:
    Devices must be pre-configured with optimal cybersecurity settings, minimizing the risk of cyber threats without requiring additional user intervention.

  • Vulnerability Disclosure & Management:
    Manufacturers must implement a vulnerability disclosure policy that lets security researchers report potential risks. Identified vulnerabilities must be addressed promptly to support ongoing compliance in cybersecurity.

  • Incident Response & Risk Management:
    A structured incident response plan is mandatory, allowing manufacturers to mitigate security incidents quickly and meet their cybersecurity regulatory compliance obligations.

The EU CRA’s security-by-design approach helps connected devices, including IoT products, smart home devices, and networked components, adhere to CE marking requirements while mitigating cybersecurity risks across the EU single market.


The EU Cyber Resilience Act (EU CRA) enforces new cybersecurity compliance standards for connected devices, facilitating security across the European market.

Learn more about the regulation of the European Commission on Cyber Resilience Act

Regulation (EU) 2024/2847 of 23rd October 2024


The EU CRA offers several benefits for consumers, manufacturers, and the broader EU economy, such as:

  • Improved Security: The EU CRA aims to make connected devices more secure, reducing the risk of cyber-attacks and protecting consumers’ personal data.
  • Increased Trust: The EU CRA could increase trust in connected devices and enable growth of IoT markets by establishing a common set of security standards that must be fulfilled to obtain the CE label, which is mandatory for selling such devices in the EU single market.

By implementing these measures, the EU CRA not only strengthens the security framework for digital products but also contributes to a more resilient and trustworthy digital ecosystem across Europe.

As a leading provider of semiconductor solutions, Infineon is committed to helping manufacturers meet EU Cyber Resilience Act (EU CRA) compliance with security-by-design solutions. Our comprehensive portfolio of hardware and software security solutions helps connected devices fulfill the essential cybersecurity requirements for CE marking and regulatory compliance.

Infineon’s Security Solutions for IoT Manufacturers

Microcontrollers & SoCs

  • Security-hardened microcontrollers from the PSOC™ family
  • Wireless solutions from the AIROC™ family

Secure Elements for IoT Security

  • OPTIGA™ and SECORA™ security controllers provide a robust foundation for cybersecurity compliance and product security device design.

Software Libraries for Secure Development

  • Infineon Security Library offers cryptographic algorithms and security protocols to support secured device development.

Development Tools & Support

  • ModusToolbox™ and Infineon Developer Portal provide extensive resources to simplify IoT product security by design.

Facilitate Cybersecurity Compliance with Infineon

By leveraging Infineon’s security expertise, manufacturers can safeguard their devices against cybersecurity risks, facilitate compliance with the EU CRA, and reduce the risk of non-compliance penalties.

Learn more: Infineon Edge Protect

The EU Cyber Resilience Act (EU CRA) enforces cybersecurity standards for industrial IoT, strengthening compliance and security in manufacturing.

Listen to our Podcast with

Preeti Ohri Khemani - Senior Director for IoT's Ecosystem Development at Infineon Technologies

Nitin Dahad - Editor-in-Chief of embedded.com

Preparing for CRA and Open-Source Silicon Security


As a device manufacturer, navigating the European Cyber Resilience Act (CRA) can be complex. To support you in your compliance journey, we have compiled a range of valuable resources to help you understand CRA and implement the necessary measures to be ready for CRA compliance. Below, you will find a collection of informative content, training, and practical tools to help you get started with your CRA compliance journey.

  • EU CRA On-demand Webinar: "Navigating the EU CRA with Infineon"

Watch our on-demand webinar to train yourself on the EU CRA and gain a comprehensive understanding of its essential requirements. Our webinar covers the key requirements of the EU Cyber Resilience Act and its ongoing standardization work. Infineon experts explain how our products enable compliance with the EU CRA's essential product security requirements. Strategies for a timely compliance journey are also discussed.

  • Blog Article: "Europe's Cyber Resilience Act: More Security for Connected Devices from 2027"

Read our short blog article to get ready for a new era of cybersecurity in the EU. This article provides an overview of the requirements, timelines, and best practices for device manufacturers to facilitate a smooth transition.

  • Podcast Interview: "Preparing for CRA"

Listen to our podcast interview with Preeti Ohri Khemani, Infineon's leading expert in the field, exploring the Cyber Resilience Act and its impact across the global supply chain.

  • Legislation: Regulations of the European Commission on Cyber Resilience Act

Access the official text of the EU Cyber Resilience Act (CRA) to stay up-to-date with the latest regulatory requirements. This resource provides device manufacturers with a direct link to the EU legislation, allowing you to have the most current information at your fingertips.

Frequently Asked Questions


The EU CRA shall apply from 11th December 2027. Some key provisions apply earlier: Chapter IV (Art. 35-51) on Notification of Conformity Assessment Bodies will become applicable from 11th June 2026, and the reporting obligations under Art. 14 will become applicable from 11th September 2026.

The EU CRA applies to all connected digital devices and components with hardware and software that are sold within the EU single market.

Manufacturers that fail to comply with the EU CRA may face significant fines and penalties, as determined by the relevant EU authorities.

The European standardization organizations CEN-CENELEC and ETSI will be developing the harmonized European Standards for the EU CRA over the next years.

Manufacturers should consult the EU's guidelines and regulations, and consider partnering with security experts like Infineon to help their products meet the EU CRA's requirements.

This regulation applies to all products with digital elements that are capable of connecting directly or indirectly with devices or networks, and that will be sold within the EU single market.

Here are a couple of examples:

If your product is low security risk then it might fall under the CRA category "default"

Here are a couple of examples for this:

If your product is high security risk then it might fall under the CRA category "Important"

Here are a couple of examples for this:

Here are some examples of microelectronics components affected by CRA regulations:

The CRA conformity specifications will be developed by CENELEC as part of the CRA standardization work. The first drafts of the test catalogs are expected by the end of 2025 for some CRA aspects.

For third-party tests, the CE test labs (Notified Bodies) are required.

Do you have any questions about the EU Cyber Resilience Act or how Infineon can help you comply? Contact us!

 
