The CRA sets out specific requirements that must be taken into account during product development. The principles of security by design and security by default apply. The required risk assessment ensures that the CRA requirements are met and that possible threats are neither underestimated nor overestimated, thus avoiding the incorrect planning of measures.
And: demands on development processes will also increase, meaning that process descriptions, reviews, testing, coding guidelines, etc., will be required.
Processes (e.g. IEC 62443-4-1) and the documentation of process results ensure compliance with the CRA. Depending on the product category, the security can be verified by oneself or a notified body needs to be involved.
CRA defines the categories “Standard/Basic Products”, “Important Products” and “Critical Products”. The product categories do not influence the required activities (processes), but only the conformity assessment procedures (provision of evidence).
Cybersecurity must be guaranteed for the expected lifetime of the product, but at least for 5 years. This is done by regular and effective cybersecurity tests (e.g. penetration tests). This also includes updating the risk assessment. Weak points in the product must be reported immediately and eliminated by means of software updates. All these activities must be planned and documented. Here, too, processes ensure that this is done.
Various aspects of the CRA are still unclear. There are no harmonized standards yet and no notified bodies. The latter should be available in 2026. For information on harmonized standards, visit Cyber Regulation: CRA and NIS.
Products already on the market are not subject to the CRA as long as they are not substantially modified; however, the same products (i.e., the same „model,” „series,” or „type”) will be subject to the CRA after December 11, 2027. This means that all legacy products must also be CRA-compliant. At least a risk assessment must be conducted for each product family.
You can find more details in our FAQ for Embedded Security.
Alois Cavelti
Do you have additional questions? Do you have a different opinion? If so, email me or comment your thoughts below!
Projects? Ideas? Questions? Let's do a free initial workshop!
No Comments