
As connected devices proliferate across consumer, industrial, and automotive sectors, cybersecurity is becoming as fundamental to design as power efficiency or reliability. The European Union’s Cyber Resilience Act (CRA) introduces sweeping new cybersecurity requirements for connected products, creating both challenges and opportunities for electronics manufacturers and design engineers. This legislation will reshape how embedded systems and IoT products are designed, tested, and maintained worldwide — making “security-by-design” a core engineering principle rather than an afterthought.
Rethinking regulation: The CRA as an engineering standard
It’s easy to see the CRA as just another regulatory hurdle for design engineers to navigate, but that would be a major mistake. The act is poised to redefine how digital systems are conceived, built, and maintained, establishing engineering practices that will influence embedded system design, IoT development, and connected device security on a global scale.
It isn’t just compliance teams that need to concern themselves with the complexities of the new legislation; the CRA is going to make a fundamental difference to the design of embedded systems, IoT devices, and smart electronics on a global scale.
Security by design: the core shift
Drilling down into some of the details, the largest individual change that the new EU law brings in is the shift towards a ‘security-by-design’ approach. In other words, engineers and original equipment manufacturers (OEMs) must design systems from the very beginning with cybersecurity built in. It can no longer be a bolted-on afterthought. Another key factor is incident readiness, which means that designers must incorporate features such as logging, diagnostics, and telemetry into their systems so that any security breaches can be detected instantly and reported in real-time. Telemetry — the automated collection and transmission of data — must be integrated with these systems to support compliance and resilience.
Why the CRA exists
It’s also important to understand that the CRA is not just another piece of legislation introduced to make design engineers’ lives difficult. There are fundamental reasons why it was created.
According to the European Commission (EC), the CRA will address “the inadequate level of cybersecurity in many products and the lack of timely security updates for products and software”. It will also address the challenges that consumers and businesses currently face when trying to determine which products are cybersecure.
The CRA’s weighty tome says that the purpose of the regulation is to ensure hardware and software products “are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle.”
Perhaps most importantly, the act will impose mandatory cybersecurity requirements on manufacturers and retailers at every link of the supply chain – particularly in the planning, design, development, and maintenance of products. That means, from the silicon vendor to the final manufactured product, everything must be compliant. Some products will not be able to be sold in the EU market until a third-party assessment has been carried out by an authorised body. Manufacturers will need to know whether their products fall into that category.
Deadlines, penalties, and compliance risks
In essence, the decisions a design engineer makes today when creating embedded systems can have legal, operational, and financial consequences tomorrow. With the deadline for full implementation not that far away, manufacturers need to be aware that non-compliance can lead to severe penalties – currently €15 million or 2.5% of global annual revenue. That’s a major incentive to get everything in order before the legislation takes effect.
For manufacturers who are unfamiliar with this, the three important dates to note are: 11 June 2026, for conformity assessment bodies to comply; 11 September 2026, for manufacturers to report any exploitable vulnerabilities; and 11 December 2027, when the CRA will be fully enforced.
Balancing compliance and legislation
Are manufacturers worried about the legislation? You bet. Some have concerns that it could stifle innovation, while others fear that smaller businesses may struggle to absorb the costs of complying with this complex legislation. Those are two very significant reasons why it is essential for manufacturers to tick every single box when it comes to the new criteria. Spending all that time – and money – working to achieve compliance and then still being hit by a substantial levy because some element falls foul of the law is a double whammy that everyone will want to avoid.
A global engineering mindset
From a manufacturing perspective, Tria has been collaborating with sector-leading partners, including Qualcomm, NXP, Intel, and Renesas. Our focus has been on ensuring that customers’ products comply with CRA regulations by providing expert advice on end products that fall under the CRA’s jurisdiction. At the same time, we have ensured that designers and OEMs have access to the most advanced, customised embedded solutions for their products.
It is essential that manufacturers do not think that this legislation is just about Europe; it’s about creating a safer digital global environment. Also, it is about far more than compliance; it is concerned with nothing less than engineering trust into the fabric of our digital world.
Manufacturers who embrace the shift dictated by the CRA now will be better positioned to lead in the future. U.S. manufacturers must recognize that by integrating cybersecurity into the design of all their connected products, they are not only meeting regulatory requirements but also unlocking significant new value for customers, partners, and society as a whole.
Cyberattacks are a scourge, relentlessly exploiting vulnerabilities in global digital infrastructures and threatening the integrity, privacy, and resilience of systems that human beings depend on every day. The CRA is a crucial piece of legislation, and manufacturers worldwide have a duty to ensure their products comply.
More details can be found on Tria’s CRA page.



