The EU Cyber Resilience Act

The Cyber Resilience Act (CRA) is the European Union's first binding regulation on the cybersecurity of products with digital elements — covering virtually all connected hardware and software sold in the EU market, including industrial IoT devices.

What is the Cyber Resilience Act?

Adopted by the European Parliament in March 2024 and in force since December 2024, the CRA (Regulation (EU) 2024/2847) establishes mandatory cybersecurity requirements for all products with digital elements placed on the EU market.

For the first time, manufacturers are legally required to ensure their products are secure by design and by default, to handle vulnerabilities throughout the entire product lifecycle, and to provide security updates for a defined support period (at least 5 years or the expected product lifetime, whichever is longer).

The CRA covers both hardware and software — from consumer IoT gadgets to industrial control systems, embedded Linux devices, gateways and PLCs.

Who is affected?

Any organisation that manufactures, imports or distributes a product with digital elements in the EU is subject to the CRA. This includes:

Industrial IoT: gateways, edge computers, sensors and embedded controllers deployed in factories, utilities and infrastructure.
Medical devices: connected diagnostic and monitoring equipment subject to both the CRA and MDR/IVDR.
Automotive: ECUs, telematics units and in-vehicle infotainment systems, alongside UN R155 and ISO/SAE 21434.
Smart energy: grid-connected meters, inverters, SCADA endpoints and remote terminal units.
Digital signage and kiosks: any internet-connected display or payment terminal with an embedded OS.
General embedded Linux: any product running networked Linux-based firmware, regardless of sector.

Key obligations for manufacturers

The CRA imposes requirements across the full product lifecycle:

Secure by design: no known exploitable vulnerabilities at release; minimal attack surface, least privilege and secure defaults.
Vulnerability handling: a documented process to triage, patch and disclose vulnerabilities, including a coordinated disclosure policy.
Security updates: free security patches delivered promptly for the supported lifetime (minimum 5 years).
SBOM: a Software Bill of Materials, a machine-readable inventory of all software components and their versions.
Incident reporting: actively exploited vulnerabilities must be reported to ENISA within 24 hours of discovery.
EU Declaration of Conformity: manufacturers must self-certify (or use a notified body for critical products) and affix the CE mark.

Compliance timeline

December 2024: CRA enters into force
The regulation is published and legally binding. The compliance clock starts.

September 2026: vulnerability and incident reporting obligations apply
Manufacturers must have processes in place to report actively exploited vulnerabilities to ENISA within 24 hours.

December 2027: full compliance required for all new products
All products with digital elements placed on the EU market must meet CRA requirements in full, including CE marking.

Penalties for non-compliance

Non-compliant products can be banned from the EU market. Fines reach up to €15 million or 2.5% of global annual turnover (whichever is higher) for violations of the essential cybersecurity requirements. Administrative fines of up to €5 million or 1% of turnover apply for other infringements such as incorrect documentation or failure to report incidents.

How ATENYS supports CRA readiness

ATENYS is a production-ready Yocto layer designed to give your embedded Linux product a hardened, traceable security baseline that supports the technical requirements introduced by the CRA. Formal conformity assessment remains the responsibility of the manufacturer placing the product on the EU market. The table below maps each CRA requirement to the corresponding ATENYS capability:

CRA requirement | Status | ATENYS capability
Secure by design and default | Supported | Secure Boot chain, hardened RootFS, minimal attack surface enforced at build time.
Software Bill of Materials (SBOM) | Supported | Yocto generates a machine-readable SBOM automatically with every build.
Vulnerability management | Supported | CVE Inspection Pipeline monitors NVD and vendor feeds against your exact software stack.
Security updates (OTA) | Supported | RAUC A/B atomic updates ensure patches are delivered safely without downtime or brick risk.
Data protection at rest | Supported | dm-crypt/LUKS storage encryption protects sensitive data if a device is physically accessed.
Reproducible, traceable builds | Supported | Yocto's layer model provides fully reproducible builds with auditable component provenance.

Get ahead of the December 2027 deadline

Contact the Engicam team to start your ATENYS integration and build a CRA-ready product from the ground up.