Next year the European Cyber Resilience Act (CRA) comes into force. The first obligations apply from September 2026, the full law from December 2027. It sets requirements for the cybersecurity of nearly every connected product placed on the European market.
It is important to realise that the law mostly prescribes the result. It says what has to be true; how you solve that technically is up to you as the manufacturer. That gives you freedom, but it also means you have to make the translation from requirement to architecture yourself. And preferably from the very first design decision.
In this article we look at three concrete requirements from the law.
1. Firmware updates have to be secure
First of all, it becomes mandatory to have a mechanism for firmware updates, so you can patch discovered vulnerabilities as quickly as possible.
But such an update cannot simply be pushed to the device. The device has to be able to check both the authenticity and the integrity of the update before it installs it.
What is the difference between authenticity and integrity?
Authenticity: you want to be sure the update comes from a trusted source. So from you as the manufacturer, and not from someone else.
Integrity: you want to be sure the update has not been corrupted in transit or tampered with by a malicious party.
These are two different guarantees. An update can come from the right source and still get corrupted on the way. Or arrive perfectly intact while coming from an attacker. You need both.
How you solve that, for example with cryptographic signatures, is not something the law prescribes. It prescribes the result; the technical solution is up to the manufacturer.
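One way to give a device both guarantees, as an added example in Go that is not part of the original article: the manufacturer signs version||image with an Ed25519 private key, and the device verifies the signature with the corresponding public key before installing. The container layout, the version field and the downgrade check are assumptions made for this example, not a format the CRA prescribes; the firmware image is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed container format for this example (not a format the CRA
// prescribes): a version number, the firmware image, and one Ed25519 signature
// over version||image made with the manufacturer's private key.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

var (
	// Returned whenever the signature does not verify. The device cannot tell a forged
	// update from a corrupted one, and it does not need to: both are refused.
	ErrBadSignature = errors.New("signature does not verify: update is not from the manufacturer or was altered")
	// Returned when a correctly signed but older image is offered (downgrade protection,
	// an addition beyond the article's two guarantees).
	ErrRollback = errors.New("update is not newer than the installed version")
)

// signedBytes is the exact byte string the signature covers. Including the version
// means a correctly signed old image cannot be re-labelled as a new one.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// DemoKeyPair generates a throwaway manufacturer key pair. In production the private
// key lives only on the manufacturer's signing system; the device holds the public key.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign runs on the manufacturer side and produces a signed update.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedBytes(version, image))}
}

// Verify is what the device runs before it installs anything. One signature check
// gives both guarantees: the bytes are exactly what was signed (integrity) and the
// signer held the manufacturer's private key (authenticity).
func Verify(pub ed25519.PublicKey, installedVersion uint32, u Update) error {
	if len(u.Sig) != ed25519.SignatureSize || !ed25519.Verify(pub, signedBytes(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv := DemoKeyPair()
	image := []byte("constructed firmware image, version 2") // constructed sample payload
	u := Sign(priv, 2, image)
	fmt.Println("genuine update:", Verify(pub, 1, u))

	tampered := u
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff // one flipped bit in transit
	fmt.Println("corrupted in transit:", Verify(pub, 1, tampered))

	_, otherPriv := DemoKeyPair() // a signer other than the manufacturer
	fmt.Println("intact but not from the manufacturer:", Verify(pub, 1, Sign(otherPriv, 2, image)))
	fmt.Println("replayed old version:", Verify(pub, 2, u))
}
```

The four cases in main map onto the article's distinction: a genuine update passes, a corrupted one fails integrity, an intact image from the wrong signer fails authenticity, and both failures are indistinguishable to the device, which is exactly why one signature check over the whole container is enough.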
2. The tension between data minimisation and logging
The second requirement is really a combination of three requirements that rub against each other. That is exactly why it is worth thinking about carefully when you design your system architecture.
Data minimisation: collect only the data you really need for the function of your product. (CRA Annex I Part 1 (2)(g))
Logging: monitor relevant activity, including access to or modification of data, services or functions. (CRA Annex I Part 1 (2)(l))
Opt-out: for that logging, the user must also be given an opt-out: they are allowed to switch the monitoring off. (CRA Annex I Part 1 (2)(l))
Do you see the tension? On the one hand the law wants you to collect as little as possible. On the other hand the law wants you to log relevant activity. And then the user is allowed to switch that logging off as well.
This is not something you solve after the fact. What counts as "relevant" activity? Which logging is security and which is needless data collection? And how do you build an opt-out that respects the user without making the device insecure? Those are design choices you have to make up front.
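One way to make those design choices explicit in code, as an added example in Go that is not from the original article: a logging policy fixed at design time lists which event kinds count as relevant and which fields may be kept for each, the user's opt-out is checked before anything is recorded, and direct identifiers are replaced by a salted hash. The event kinds, field names, categories and the pseudonymisation scheme are assumptions for this example; which activity is "relevant" under the CRA remains the manufacturer's decision, this code only makes that decision visible and reviewable.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Category is a constructed classification. Deciding which events are "relevant
// activity" under CRA Annex I Part 1 (2)(l) is the manufacturer's design decision;
// this table only makes that decision explicit.
type Category int

const (
	Security    Category = iota // access to or modification of data, services or functions
	Diagnostics                 // engineering telemetry, not needed for the product's function
)

func (c Category) String() string { return [...]string{"security", "diagnostics"}[c] }

// Policy is decided at design time, not at run time: every event kind that may be
// logged is listed together with the fields that may be kept. Anything not listed is dropped.
type Policy struct {
	Category map[string]Category
	Keep     map[string][]string
}

type Event struct {
	Kind   string
	Fields map[string]string
}

type Logger struct {
	policy     Policy
	monitoring bool    // the user's opt-out switch: false means nothing is recorded
	salt       []byte  // per-device secret for pseudonymising identifiers (assumption)
	Records    []Event // what actually ends up in storage
}

func NewLogger(p Policy, monitoringOn bool, salt []byte) *Logger {
	return &Logger{policy: p, monitoring: monitoringOn, salt: salt}
}

// SetMonitoring is the user-facing opt-out.
func (l *Logger) SetMonitoring(on bool) { l.monitoring = on }

// pseudonym replaces a direct identifier with a salted hash so records can still be
// correlated on the device without storing the identifier itself.
func (l *Logger) pseudonym(v string) string {
	h := sha256.Sum256(append(append([]byte{}, l.salt...), v...))
	return hex.EncodeToString(h[:8])
}

// Log returns the reason an event was or was not recorded, so every decision is visible.
func (l *Logger) Log(e Event) string {
	if !l.monitoring {
		return "dropped: user opted out of monitoring"
	}
	cat, known := l.policy.Category[e.Kind]
	if !known {
		return "dropped: not a relevant event kind (data minimisation)"
	}
	kept := map[string]string{}
	for _, f := range l.policy.Keep[e.Kind] {
		if v, ok := e.Fields[f]; ok {
			if f == "user" {
				v = l.pseudonym(v)
			}
			kept[f] = v
		}
	}
	l.Records = append(l.Records, Event{Kind: e.Kind, Fields: kept})
	return fmt.Sprintf("recorded as %v with %d of %d fields", cat, len(kept), len(e.Fields))
}

// DemoPolicy is a constructed policy for the example; a real product needs its own.
func DemoPolicy() Policy {
	return Policy{
		Category: map[string]Category{"config.changed": Security, "login.failed": Security, "boot.timing": Diagnostics},
		Keep: map[string][]string{
			"config.changed": {"user", "setting"},
			"login.failed":   {"user", "method"},
			"boot.timing":    {"ms"},
		},
	}
}

func main() {
	l := NewLogger(DemoPolicy(), true, []byte("constructed-device-salt"))
	ev := Event{Kind: "config.changed", Fields: map[string]string{
		"user": "alice", "setting": "wifi.ssid", "client_ip": "192.0.2.10", "user_agent": "Mozilla/5.0"}}
	fmt.Println(l.Log(ev))                                                        // 2 of 4 fields kept, user pseudonymised
	fmt.Println(l.Log(Event{Kind: "page.view", Fields: map[string]string{"url": "/"}})) // not in the policy
	l.SetMonitoring(false)
	fmt.Println(l.Log(ev)) // opt-out honoured
}
```

The point of returning a reason string from Log is that the three design questions in the text get an answer you can read off the policy and the log decisions, instead of one buried in scattered logging calls.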
3. The SBOM: knowing what is inside your product
The third requirement is that software suppliers have to maintain an SBOM.
Hardware builders know the Bill of Materials (BOM) well: a list of all the parts in a product. An SBOM (Software Bill of Materials) is exactly the same idea, but for software. A complete list of all the software components in your product.
And "complete" is the keyword. It covers all the metadata: authors, licences and versions. And also the underlying dependencies, the whole tree all the way down.
Why?
Imagine: tomorrow a vulnerability is discovered in a widely used library. The question you then want to be able to answer within a minute is: is it in any of my products?
With a good SBOM that is a single CTRL-F.
Without an SBOM, that is the moment a search through your entire codebase and that of all your dependencies begins. With an SBOM you have the answer before that search even starts.
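What that lookup looks like when the SBOM is machine-readable rather than a document you CTRL-F, as an added example in Go that is not part of the original article: it parses a small SBOM in the CycloneDX JSON shape (components plus a dependency graph), walks the graph from the product down, and reports every dependency path that leads to a given name and version. It also reports references the graph mentions but never declares as components, because an incomplete SBOM turns "is it in my product?" into a false "no". The SBOM document, its component names, versions and licences are constructed for this example and describe no real product.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// A constructed SBOM in the CycloneDX JSON shape (components plus a dependency graph).
// It describes no real product; names, versions and licences are invented. Note that
// mqttclient depends on a jsonlib that is never declared as a component: a gap on purpose.
const sbomJSON = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:generic/example-device-firmware@3.1.0",
                             "name": "example-device-firmware", "version": "3.1.0"}},
  "components": [
    {"bom-ref": "pkg:generic/httpd@2.4.0", "name": "httpd", "version": "2.4.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:generic/tlslib@1.2.3", "name": "tlslib", "version": "1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:generic/compresslib@0.9.1", "name": "compresslib", "version": "0.9.1"},
    {"bom-ref": "pkg:generic/mqttclient@5.0.0", "name": "mqttclient", "version": "5.0.0"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example-device-firmware@3.1.0",
     "dependsOn": ["pkg:generic/httpd@2.4.0", "pkg:generic/mqttclient@5.0.0"]},
    {"ref": "pkg:generic/httpd@2.4.0",
     "dependsOn": ["pkg:generic/tlslib@1.2.3", "pkg:generic/compresslib@0.9.1"]},
    {"ref": "pkg:generic/mqttclient@5.0.0",
     "dependsOn": ["pkg:generic/tlslib@1.2.3", "pkg:generic/jsonlib@1.0.0"]},
    {"ref": "pkg:generic/tlslib@1.2.3", "dependsOn": []},
    {"ref": "pkg:generic/compresslib@0.9.1", "dependsOn": []}
  ]
}`

type Component struct {
	Ref     string `json:"bom-ref"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

type Dependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}

type SBOM struct {
	Metadata struct {
		Component Component `json:"component"`
	} `json:"metadata"`
	Components   []Component  `json:"components"`
	Dependencies []Dependency `json:"dependencies"`
}

func Parse(data []byte) (*SBOM, error) {
	var s SBOM
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, err
	}
	return &s, nil
}

// Paths answers "is name@version in this product, and through which dependencies?".
// It walks the dependency graph from the product itself, so a component pulled in three
// levels down is found just like a direct one. The second result lists references the
// graph points at but never declares: those are holes in the SBOM, not proof of absence.
func (s *SBOM) Paths(name, version string) (paths, undeclared []string) {
	edges := map[string][]string{}
	for _, d := range s.Dependencies {
		edges[d.Ref] = d.DependsOn
	}
	byRef := map[string]Component{s.Metadata.Component.Ref: s.Metadata.Component}
	for _, c := range s.Components {
		byRef[c.Ref] = c
	}
	gaps := map[string]bool{}
	onPath := map[string]bool{} // cycle guard for malformed graphs
	var walk func(ref string, trail []string)
	walk = func(ref string, trail []string) {
		c, declared := byRef[ref]
		if !declared {
			gaps[ref] = true
			return
		}
		if onPath[ref] {
			return
		}
		trail = append(append([]string(nil), trail...), c.Name+"@"+c.Version)
		if c.Name == name && c.Version == version {
			paths = append(paths, strings.Join(trail, " > "))
		}
		onPath[ref] = true
		for _, child := range edges[ref] {
			walk(child, trail)
		}
		delete(onPath, ref)
	}
	walk(s.Metadata.Component.Ref, nil)
	for ref := range gaps {
		undeclared = append(undeclared, ref)
	}
	sort.Strings(paths)
	sort.Strings(undeclared)
	return paths, undeclared
}

func main() {
	s, err := Parse([]byte(sbomJSON))
	if err != nil {
		panic(err)
	}
	for _, q := range [][2]string{{"tlslib", "1.2.3"}, {"tlslib", "9.9.9"}} {
		paths, gaps := s.Paths(q[0], q[1])
		fmt.Printf("%s@%s: paths=%q undeclared=%q\n", q[0], q[1], paths, gaps)
	}
}
```

For tlslib 1.2.3 the walk finds two routes into the product, one via httpd and one via mqttclient, which is the "whole tree all the way down" point: a flat list of direct dependencies would have shown neither. The undeclared jsonlib reference is the reason "complete" is the keyword; until it is declared, any search for a jsonlib vulnerability against this SBOM answers "not present" for the wrong reason.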
In closing
The law says what has to be true: a secure update, careful handling of data, and insight into your software components. How you fill that in is up to you.
That is exactly why the CRA asks you to think about security from the very first design decision. Whoever makes the translation from requirement to architecture up front benefits from it in every product that follows.