Tech News: EU Cyber Resilience Act (CRA)

Came across a European Union law that will impact any product you plan to manufacture and sell in the EU. I have tried to summarize what I have understood below.

The CRA is an EU law for products with digital elements. If you ship hardware with firmware into the EU, you're in scope. It entered into force in December 2024. Reporting obligations start in September 2026. Most requirements apply from December 2027. Cybersecurity becomes part of CE marking: it will be mandatory for your product to be CE compliant.

If you are building a product, you are mandated to do a cybersecurity risk assessment and build to it. You must maintain an update path that can push security patches quickly and, by default, automatically, with an opt-out for users who wish to disable it. You must provide security updates free of charge during your support period. Support periods are around 5 years for consumer gear (unless the expected usage time is shorter) and longer for industrial equipment. Your technical file must prove all of this for CE.

For hardware teams, the first practical step is to map your device to the CRA lists. Annex III of the regulation names the important product categories. If you make routers or modems, operating systems for devices, microcontrollers or FPGAs with security functions, or smart home locks and cameras, you likely sit in Class I. Firewalls and tamper-resistant microcontrollers fall into Class II. Class II expects a third-party assessment path, such as EU-type examination plus production control. If your product is not in any of these categories, you can do a self-assessment. Read the document carefully.

There is some leniency for non-commercial FOSS projects, or if your product is still at the alpha/beta prototype stage.
