What Are The Requirements To Comply With CRA?

Stay Up-To-Date With The CRA
Get a head start on EU Cyber Resilience Act compliance with Embedded Linux

Product-related Essential Requirements

  • Products to be delivered without known exploitable vulnerability
  • Free Security Patches for 5 years or the lifetime of the product (whichever is shorter)
  • Security patches must be installed automatically over the air by default
  • Users must be able to decline, postpone, or disable the updates
  • Protect the device – Security by default
  • Reduce the Impact of security incidents
  • Availability of essential functions
  • Log certain events
  • Personal data and sensitive information must be encrypted at rest
  • Software integrity protection measures must be in place to prevent unauthorized modification of software or firmware

Vulnerability Handling Requirements

  • Document Software used - provide a Software Bill of Materials (SBOM)
  • Must notify relevant authorities upon discovering any severe incident: early warning within 24h, full notification within 72h
  • Address vulnerabilities and patch without delay
  • Allow customers to report vulnerabilities
  • Provide a secure update mechanism

Information & Instruction

  • Communicate the expected lifetime and support period of the product
  • Communicate the intended use of the product
  • How to remove data from the devices
  • Describe the security features of the product
