Tria Technologies’ Cedric Vincent looks in depth at what this ground-breaking legislation means for the embedded industry and how OEMs could avoid heavy financial penalties
In an increasingly digitalised world, cyberattacks are becoming a common phenomenon and pose significant risks to manufacturers and suppliers, as well as to society as a whole. For example, in 2022, a breach of security in Chinese-made surveillance cameras installed in British offices, high streets and even government buildings, drove security and hacking risks to the forefront of the digital conversations. Now the conversation becomes more important than ever as the use of Internet of Things (IoT) devices continues to grow in the move towards smart cities. Solutions are paramount because this kind of breach could occur on an even larger scale and have extremely serious consequences.
In a very real example, in April 2025, a global clothing and food retailer suffered a cyberattack that caused significant disruption to online orders, contactless payments and logistics. Hackers were able to access customer data that included names, e-mail addresses and postal addresses (reportedly, no banking details) and the cost to the company of this breach has been estimated at around £300 million. The store says the attack was so bad that its operations are expected to be disrupted for months following the attach, with an initial investigation suggesting the attack probably originated through an IT provider for the business.
Urgent crisis
These attacks are recent examples of what is facing organisations and individuals every day across the globe. To help address this urgent crisis facing businesses in all industries, the European Union (EU) launched the EU Cyber Resilience Act (CRA) at the end of 2024. The CRA complements other EU cybersecurity laws, such as the NIS2 Directive which came into force in January 2023 and mandates risk management, incident reporting and accountability. The European Commission (EC) has also launched the European Vulnerability Database (EUVD) which collects vulnerability information from trusted sources.
It’s important to note that while an EU directive sets goals for member states to achieve – but allows them to choose how – an EU act is binding law with specific rules that must be adhered to. That’s why the CRA goes much further. The EC says the act will enhance cybersecurity standards for devices with digital components, “requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products”. The regulation shifts responsibility of security on to manufacturers who are expected to ensure their hardware and software meet cybersecurity standards before entering the EU market. Security updates, incident reporting and third-party assessments will become mandatory for all products which will then be identified by CE marking as complying with the CRA.
Before going into further detail on precisely what the act demands of designers and OEMs, it’s worth noting here that the act has not been universally welcomed. Criticisms have included its broad, one-size-fits-all approach, with the EC citing such consumer devices as smart watches and baby monitors. One the most common concerns expressed by our customers is that if they are required to comply fully with the CRA, it could drive them to bankruptcy. One of my biggest worries is that, if the act is fully enforced, it could significantly hinder innovation in Europe.
In addition, the act requires companies to disclose unpatched vulnerabilities to government agencies within 24 hours, which some believe could actually make cyberattacks more likely through the creation of a real-time database containing security flaws. Finally, concern has been expressed that governments could exploit disclosed vulnerabilities for intelligence or surveillance purposes.
Understanding the CRA
Nevertheless, the CRA is coming and engineers and OEMs need to know exactly what the legislation covers and what requirements it places on them to ensure compliance. As a specialist in embedded compute boards designed to reduce development times and optimise resources, Tria Technologies believes it is of the utmost importance that key players in the industry are aware of their responsibilities under the act. The aim is that manufacturers who proactively engage with the CRA and adopt its measures will be able to navigate the complex cybersecurity landscape effectively, safeguarding their operations and contributing to a secure and resilient manufacturing ecosystem.
The EC says:
- The CRA addresses: “the inadequate level of cybersecurity in many products and the lack of timely security updates for products and software”.
- It tackles the challenges consumers and businesses currently face when trying to determine which products are cybersecure.
- The act enforces mandatory cybersecurity requirements on manufacturers and retailers at every stage of the supply chain, specifically in the planning, design, development and maintenance of products. The main goal here is to ‘Secure by Design’, which means building systems, software and services with security embedded right from the start and not added as an afterthought.
- Some products “of particular relevance for cybersecurity” will need to undergo a third-party assessment by an authorised body before they can be sold into the EU market.
It’s important to understand that the new regulations apply to all products that are connected directly or indirectly to another device or network. The only exceptions are certain open-source software or services products that are already covered by existing rules, such as medical devices, aviation and cars.
Benefits of the act
The professed benefits of the CRA include greater security, significantly reducing the risk of cyberattacks and thereby protecting businesses and consumers from potential data breaches and reputational damage. Financially, the act is also designed to avoid the significant costs of handling data breaches, such as those experienced by high profile retailers in recent times.
For some time now, Tria has been working closely with its customers in development processes to ensure they comply with the new act. As part of the customer experience, Tria is providing advice on end products under the new regulations. Tria’s goal is to ensure security compliance of customers’ products with the CRA regulations throughout the entire supply chain, from silicon vendor to final manufactured products. One of the key benefits that Tria can offer in this potentially complex field is trust. By working with just one company – which in turn draws on the expertise of such partners as Qualcomm, NXP, Intel and Renesas – designers and OEMs can be confident that they have access to the most advanced customised embedded solutions for their end products at every step of the way.
The EU Cyber Resilience Act puts significant demands on all parties that are involved in the design, manufacture and supply of digitally-based products and devices as we approach the 2027 deadline. Non-compliance can lead to very heavy penalties for OEMs – currently €15 million or 2.5% of global annual revenue.
In terms of timings, while the main obligations of the CRA will not apply fully until 11 December 2027, the clock started to count down regarding compliance from 10 December 2024 when the act officially came into force. Another key date is 11 September 2026, when reporting obligations begin to apply. At this stage, manufacturers must start the process of letting authorities know within 24 hours of any actively exploited vulnerabilities and report all incidents within 72 hours.
So it’s essential that organisations act now – not only to ensure they will be fully compliant when these dates come around but, more importantly, to minimise the likelihood moving forward of serious cyberattacks that could compromise their devices and avoid the eye-watering costs of dealing with the aftermath.
For more information: https://www.tria-technologies.com/cyber-resilience-act-tria/








