Mender blog

The scope of EU Cyber Resilience Act (CRA) compliance

An introduction to the EU Cyber Resilience Act series: Article 2 of 4

Understanding the scope of the CRA is the next critical step. It’s vital to grasp how products with digital elements (PDEs) fall under the CRA, the specific categories of software and hardware impacted, and key sectors that remain excluded from these regulations.

Understanding the scope of CRA compliance

The Cyber Resilience Act (CRA) focuses on ensuring that products with digital elements (PDEs) meet stringent cybersecurity standards throughout their lifecycle. PDEs encompass a wide range of hardware and software devices that connect to the internet or other networks and can be updated remotely. These products are required to maintain security, integrity, and transparency, ensuring that vulnerabilities are addressed and products are continuously monitored for risks.

Products with Digital Elements (PDEs) under CRA

PDEs include any product that contains software or relies on digital infrastructure, such as smart devices, IoT systems, embedded software, and equipment with cloud connectivity. The CRA mandates that manufacturers implement processes to secure these products throughout the entire lifecycle, spanning development, distribution, and the post-market phase. The requirements go beyond securing the software itself: manufacturers must also guarantee that they distribute updates safely, address vulnerabilities promptly, and provide transparency across the entire product lifecycle.

Impacted categories of PDEs

The CRA impacts a broad spectrum of software and hardware-software combinations, including:

  • Embedded systems: Industrial controllers, sensors, and appliances that rely on integrated software.
  • IoT devices: Smart home gadgets, connected devices, and other internet-enabled equipment in everyday use.
  • Software platforms: Cloud-based services and applications that offer digital services to multiple users or businesses for remote data processing, including infrastructure, databases, and many software-as-a-service (SaaS) offerings.
  • Firmware: Any underlying software that helps manage hardware resources and software ecosystems. The CRA applies from the firmware level all the way up to the full operating system (OS) architecture.

The CRA’s broad scope means that nearly every connected product must be compliant, and manufacturers need to ensure their devices are equipped to handle secure updates and protect users from potential cyber threats.

Key sectors excluded from the CRA

While the CRA takes a horizontal approach that covers all PDEs placed on the market, specific sectors remain excluded from these regulations because of their unique nature or pre-existing regulatory oversight. These include:

  • Medical devices: Regulated by specialized health and medical frameworks, such as the European Medical Device Regulation (MDR).
  • Military hardware: Defense-related equipment is regulated separately, with security standards tailored to military and national security concerns.
  • Motor vehicles: Sector-specific regulations addressing safety and cybersecurity concerns govern automotive hardware and software. With the increased prominence of software-defined vehicles (SDVs), regulations outside the CRA cover the automotive sector.

Apart from these exceptions, all other commercial PDEs are regulated, and noncompliance will be heavily penalized.

Mender: The go-to professional OTA solution for CRA compliance

The Cyber Resilience Act upholds horizontal requirements across products with digital elements (PDEs) to bolster cybersecurity and protect consumers and data in the connected digital ecosystem. For manufacturers that fail to comply, the CRA imposes strict penalties that can fully remove products from the market in the European Union; because of these consequences, noncompliance is out of the question.

Proactive strategies are key to navigating these challenges and maintaining compliance under the CRA. Ensuring seamless, secure updates and ongoing vulnerability management is not just about meeting regulatory requirements; it’s about protecting the integrity of products and the safety of end users. To ensure security while keeping the focus on growth, partnering with Mender, the best-in-class OTA solution, offers scalable security throughout the journey to CRA compliance.

Mender’s OTA solution provides the comprehensive, secure, and scalable infrastructure necessary to confidently meet CRA compliance. With real-time patch management, continuous vulnerability tracking, segregated network support, and robust auditing capabilities, Mender ensures your product lifecycle is managed securely from development to deployment and beyond. Manufacturers can simplify CRA compliance by partnering with Mender while focusing on innovation, customer security, and long-term success.
