Skip to content

EU CRA

Upper line: if an existing product is subject to a substantial modification, the CRA fully applies. Lower line: If an existing product never sees a substantial modification, the CRA never applies.

How Pre-2028 Products Might Avoid the Cyber Resilience Act

If a product is placed on the EU market before 11 December 2027 and is subject to a substantial modification after that date, it must satisfy all the rules of the Cyber Resilience Act (CRA) from the modification date onwards (Article 69.2). If we scrutinise this article, we detect its vulnerabilities. The definition of substantial modification is circular and hence largely void. Article 69.2 might even violate our constitutional right that law must not be applied retroactively.

Read More »How Pre-2028 Products Might Avoid the Cyber Resilience Act

EU CRA: Start, Length and End of Support Period

When we look closer at the support period, we’ll find more and more interesting questions.

  • Does the support period start, when the end user buys a product or when a product is released, manufactured or sold for the first time?
  • Can manufacturers set the length of the support period as they see fit?
  • Can manufacturers terminate the support period as they see fit?
  • What obligations do manufacturers have to satisfy during the support period? What after the support period?
  • Are there special rules for products released in the transitional period from 11 December 2024 to 10 December 2027?
  • Does the EU CRA apply to products released before 11 December 2024?
Read More »EU CRA: Start, Length and End of Support Period

EU CRA: Essential Requirements Related to Vulnerability Handling

According to Annex I Part II of the EU CRA, manufacturers must actively search for vulnerabilities in their embedded devices, fix them and publicly disclose them to their users and the cybersecurity authorities. Manufacturers must implement a process to release their devices without any know vulnerabilities and to keep their devices free of vulnerabilities during the whole product lifetime by providing security updates in a timely manner.

Read More »EU CRA: Essential Requirements Related to Vulnerability Handling
Embedded Systems must satisfy all the essential product requirements from Annex I Part I of the CRA.

EU CRA: Essential Requirements Related to Product Properties

Every manufacturer must implement the essential requirements in Annex 1 Part 1 of the EU CRA in their products. They must also document how they comply with the essential requirements in a conformity assessment. The wording of the essential requirements is very generic and hard to understand. Germany’s Federal Office of Information Security (BSI) published a Technical Guideline (PDF) that translates the legalese of the EU CRA into concrete and actionable requirements. I will add lots of examples from my work with embedded Linux devices to illustrate the requirements.

Read More »EU CRA: Essential Requirements Related to Product Properties

Embedded Devices Covered by EU Cyber Resilience Act (CRA)

Which devices are covered by the EU Cyber Resilience Act (EU CRA)?

  • An X-ray fluorescence (XRF) analyser connected with the Internet over WiFi.
  • A metal-sheet bending machine with an Ethernet port, which will only be used in the future.
  • The harvester ECUs connected over CAN bus.
  • A camera trap without any connectivity, where updates and photos are exchanged via SD card.
  • A full-body 3D X-ray scanner used by doctors.
Read More »Embedded Devices Covered by EU Cyber Resilience Act (CRA)