Navigate EU CRA Compliance with Confidence

Under the CRA, manufacturers must integrate security practices throughout the product lifecycle, including

• Secure boot
• Access controls
• Encryption
• Default security settings
• Lifecycle security management

IoT manufacturers must proactively manage vulnerabilities and respond swiftly to security incidents with

• Continuous monitoring
• Formal reporting processes
• 24hr disclosure periods
• Secure patch distribution
• End-of-life policy for legacy devices

The CRA improves software supply chain transparency by imposing specific security requirements on manufacturers, such as

• including proprietary & open-source components in SBOMs & updating them with each modifcation
• Including hardware & software configurations, security features, update protocols, & maintenance guidelines in technical documentation

The EU CRA demands product lifecycle support to keep devices secure through their operational lifespan, including

• Defined End-of-Life policies
• Long-term maintenance commitments
• Provision for timely security updates
• Incident response planning

Reliance on third-party software increases attack surfaces, which is why the CRA requires

• Comprehensive assessments of third-party suppliers
• Continuous vulnerability scanning
• Robust logging & auditing practices
• Open source risk management practices

The CRA introduces mandatory conformity assessments aligned to product risk categories

• Self-assessments: Default & Important Class I (with exceptions)
• 3rd-party assessments: Important Class II
• European Common Criteria certification: Critical