Cyber Resilience Act - A brief overview of when, who and what
The EU Cyber Resilience Act (CRA) entered into force on 10 December 2024, with a 36-month transition period before its main obligations apply on 11 December 2027. We are now roughly halfway through that period, so time is getting short to ensure product compliance. The obligation to report actively exploited vulnerabilities and severe incidents applies even sooner, from 11 September 2026.

Implications for a Module Maker
As a module maker, Insight SIP is only indirectly affected by this. Our technology and IP are focused on RF, antennas and integration, and as such we do not produce in-house "digital elements" in the sense of the CRA. However, our customers (product vendors) and suppliers (semiconductor manufacturers) certainly are affected by it, so understanding the CRA and its implications is important to us.
Semiconductor Suppliers and PSA
Our chosen semiconductor suppliers for programmable microcontrollers are Nordic Semiconductor and NXP. Their latest-generation products incorporate a high level of security features, and are either already PSA Certified or in the process of becoming so. PSA (Platform Security Architecture) is an industry security framework aimed at IoT device manufacturers. It was originally developed by Arm, and has since evolved into a multi-vendor industry scheme that defines the level of security features available in products. It was originally aimed at chip manufacturers, but has since broadened to encompass software products as well. Examples of our modules with advanced security features are the ISP2454 Bluetooth Low Energy 6.0 Module and the ISP5261 Wi-Fi 6 and Bluetooth Low Energy / 802.15.4 Modules.
Authorised test houses can independently verify that a product achieves a certain level of security according to the PSA framework.
Note that PSA is separate from the CRA; however, using PSA Certified products is a strong foundation for building secure devices that can conform to the requirements of the CRA.
Our other silicon suppliers offer only transceiver products that are not programmable.
Product Manufacturer Customers
Having security features available in the devices used to build an OEM product is a starting point; however, these features need to be configured and used correctly to be of any value. Using PSA Certified semiconductors is not a requirement for compliance with the CRA; however, it offers independent assurance that the platform's security functions have been evaluated, rather than vulnerabilities being "built in" to a solution.
The key elements to ensure CRA compliance are as follows:
- "Security by design": consider the security aspects of a product at the design stage, analyse potential threats and risks, and take steps to mitigate them.
- Exercise due diligence when integrating third-party components (hardware and software).
- Have procedures to handle vulnerabilities discovered or reported in products while in service, including a coordinated vulnerability disclosure policy and a contact point through which such vulnerabilities can be reported.
- Define a support period that reflects the expected product lifetime; this must be at least 5 years unless the product is expected to be in use for less than that.
- Ensure that each security update issued during the support period remains available for at least 10 years after it is issued, or for the remainder of the support period, whichever is longer.
Most standard IoT products, meaning those which do not primarily perform a critical security function (such as a firewall or a smart card), fall under the "default" category. For these, conformity with the CRA can be self-assessed by the manufacturer, although the manufacturer would be wise to keep a record of the assessment, maintain the required technical documentation, and have a demonstrable vulnerability-handling process. Of course, nothing stops a manufacturer from engaging a third party to assess conformity, which may be advisable at the initial stages.
The full text of the CRA is published as Regulation (EU) 2024/2847.
What Products are covered
Most products with digital elements are covered by the CRA; however, there are some exceptions.
- Medical devices are excluded, as they are covered by the separate medical device regulations (with requirements based on the class of medical device).
- Similarly, motor vehicles are covered by their own type-approval framework (as are civil aviation and marine equipment, which have their own regimes).
- Products developed exclusively for national security or defence purposes, which are subject to special regulations.
Existing Products
Here things get a little tricky. In principle, the core requirements of the CRA do NOT apply to products "placed on the market" before 11 December 2027. However, if such a product undergoes a "substantial modification" after that date, it then falls within the scope of the CRA.
What constitutes a "substantial modification"? The CRA defines it as a change made after placing on the market that affects the product's compliance with the essential cybersecurity requirements, or that changes the intended purpose for which the product was assessed. A change to the core hardware (an updated processor, for example) would very likely qualify, whereas changes to graphical elements would not; security updates and bug fixes that do not change the intended purpose are not meant to count.
If major new features are added as a software upgrade onto an existing hardware platform, things could get awkward: the CRA would then apply to the modified product, while the older hardware components may have limited security features.
One aspect of the CRA that applies to products regardless of their date of introduction is the obligation to report actively exploited vulnerabilities and severe incidents, and to inform affected users of the issue and of any corrective measures. Again, this could be awkward for products originally released more than 5 years ago, for which there may be no process in place to provide security updates.
Conclusions
Like it or not, the CRA is now law, and product vendors will have to adapt. This may seem onerous for specialist product vendors that do not produce in high volumes; however, a major security breach could represent a serious cost, both directly and in reputational damage, to a product manufacturer. For any product in the development pipeline today it is essential to act now to prepare for conformity with the CRA. Putting in place a process to track security breaches and vulnerabilities is now a matter of urgency.