Compliance with the EU Cyber Resilience Act: A Comprehensive Approach for OEMs
By Çağatay Büyüktopçu
CyberWhiz
November 14, 2025
Blog
The EU Cyber Resilience Act (CRA) has become a major topic for all companies selling intelligent, connected products into the European Union. The regulation, adopted in October 2024, requires that manufacturers (OEMs) adopt a comprehensive approach to cybersecurity for their products.
This marks a significant shift in requirements for OEMs. The regulation applies to all products with digital elements (PDEs) placed on the EU market. Not only is it written to cover a very broad range of hardware and software products, it also demands a comprehensive approach to cybersecurity across the whole product lifecycle. Bolting a few security measures onto an existing product is not sufficient.
Of perhaps even greater importance are the penalties the regulation imposes. Fines for failing to meet the CRA's essential cybersecurity requirements can reach 15 million euros or 2.5% of global annual turnover, whichever is higher (lower fine tiers apply to breaches of other obligations). As a result, cybersecurity is no longer a nice-to-have feature for the engineering team; it is a business-critical issue for the CEO.
Goals of the CRA
The CRA was created with three main objectives:
- Improving Product Security by requiring robust cybersecurity features to be built into products and requiring manufacturers to maintain their products throughout the product lifecycle.
- Increasing Transparency by requiring manufacturers to provide clear, detailed information to customers about the security features of their products.
- Harmonizing regulations and simplifying compliance across EU member states, so that digital products sold anywhere in the EU meet a consistent security baseline.
Scope of the CRA
The CRA mandates enhanced levels of cybersecurity for all “Products with Digital Elements”, or PDEs that are sold in the EU, regardless of where the product was designed and manufactured. As a result, any company selling electronic products into the EU, regardless of the location of the company, needs to comply with the CRA.
Additionally, the concept of a PDE is broadly defined as “Any software or hardware product and its remote data processing solutions, including software and hardware components to be placed on the market separately.” Virtually any product that contains software and can be connected, directly or indirectly, to another device or to a network is covered. The scope is quite broad and includes:
- IoT devices
- Desktop and mobile applications (including those used to manage IoT devices)
- Devices that are not directly connected to a network but can be connected to another device (the CRA covers any direct or indirect logical or physical data connection)
The scope of the CRA is not limited to end devices. It also covers hardware and software components used to build an end product, such as microprocessors, software libraries and operating systems. Open-source components integrated into a commercial product are in scope too: the manufacturer that places the product on the market is responsible for their compliance, while non-commercial open-source development itself is largely exempt.
The CRA sorts products into four groups by cybersecurity risk and impact, with more rigorous conformity assessment for products performing more critical functions:
- Default products cover most digital hardware and software, such as consumer electronics or office applications. They must meet the essential requirements and may be self-assessed by the manufacturer.
- Important products, Class I, are those that pose higher risks if compromised, such as operating systems, password managers, VPN products, network management tools, identity management systems, and routers or switches. They may be self-assessed only when harmonized standards are applied in full; otherwise a third-party assessment is required.
- Important products, Class II, have an even greater potential impact, such as hypervisors and container runtimes, firewalls and intrusion detection or prevention systems, and tamper-resistant microprocessors and microcontrollers. These always require a third-party conformity assessment.
- Critical products are those whose failure could have severe consequences for critical infrastructure, such as smart meter gateways, smartcards and secure elements, and hardware devices with security boxes (for example hardware security modules). They may be required, by delegated act, to obtain a European cybersecurity certificate and are subject to the strictest oversight under the CRA.
The CRA was adopted in October 2024 and entered into force on 10 December 2024, with a staged rollout of its obligations. The provisions on conformity assessment bodies apply from June 2026. Reporting obligations for OEMs apply from 11 September 2026: from that date, OEMs must notify actively exploited vulnerabilities and severe incidents affecting their products. Meeting this requires the ability to produce SBOMs, so that shipped components can be checked against known vulnerabilities, and the ability to monitor deployed systems to detect incidents.
All remaining provisions apply from 11 December 2027. Given the long lifecycle of many IoT devices, most products currently under development will still be on the market by then and must therefore comply with all provisions of the CRA.
Ensuring compliance with the CRA
The CRA provides a very comprehensive set of requirements that must be met in order to comply with the legislation. Some of the highlights include:
- Technical documentation, including documentation of security features, must be drawn up and retained for 10 years after the product is placed on the market (or for the support period, if that is longer)
- Security updates must be provided throughout a support period that is, as a rule, at least 5 years
- Products must be able to record and monitor security-relevant internal activity (logging), with an opt-out mechanism for the user
- An SBOM in a commonly used, machine-readable format, covering at least the top-level dependencies, must be drawn up and kept in the technical documentation
- Products must be placed on the market without known exploitable vulnerabilities
- Known vulnerabilities and components must be identified and documented, and fixed vulnerabilities must be publicly disclosed once a security update is available
- Actively exploited vulnerabilities and severe incidents must be notified via the single reporting platform (to the relevant CSIRT and ENISA) with an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days (vulnerabilities) or one month (incidents)
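As an added example, not code from the original post or from CyberWhiz, of the SBOM-based check that the timeline paragraph above and the SBOM and known-exploitable-vulnerability items in this list call for: a small Python release gate that parses a CycloneDX JSON SBOM, matches each component's package URL (purl) against an advisory list with affected version ranges, blocks the release if any matched advisory is marked as exploited or if a component cannot be identified at all, and derives the 24-hour, 72-hour and final-report deadlines from the time the manufacturer becomes aware. The SBOM, the component names and the advisory identifiers are constructed for illustration and are hypothetical (not real products, not real CVEs); the advisory record layout (purl_name, introduced, fixed, exploited) is an assumption of this example, not a CRA or CycloneDX format.

```python
"""CRA release gate: cross-check a CycloneDX SBOM against an advisory list.

Added example, not code from the original post or from CyberWhiz. The SBOM,
component names and advisory IDs are constructed and hypothetical. The
advisory record layout is an assumption of this example.
"""
import json
from datetime import datetime, timedelta

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical IoT firmware image.
# The last entry deliberately lacks a purl: an unidentifiable component.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-tls", "version": "2.4.1",
     "purl": "pkg:generic/example-tls@2.4.1"},
    {"type": "library", "name": "example-mqtt", "version": "1.0.9",
     "purl": "pkg:generic/example-mqtt@1.0.9"},
    {"type": "operating-system", "name": "example-rtos", "version": "5.2.0",
     "purl": "pkg:generic/example-rtos@5.2.0"},
    {"type": "library", "name": "vendor-blob"}
  ]
}"""

# Constructed advisory feed. The affected range is [introduced, fixed);
# "exploited" marks an advisory with known in-the-wild exploitation.
ADVISORIES = [
    {"id": "ADV-2025-0001", "purl_name": "pkg:generic/example-tls",
     "introduced": "2.0.0", "fixed": "2.4.2", "exploited": True},
    {"id": "ADV-2025-0002", "purl_name": "pkg:generic/example-mqtt",
     "introduced": "1.0.0", "fixed": "1.1.0", "exploited": False},
    {"id": "ADV-2025-0003", "purl_name": "pkg:generic/example-rtos",
     "introduced": "4.0.0", "fixed": "5.0.0", "exploited": True},
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def split_purl(purl):
    """Split a purl into (name part, version); qualifiers (?..) and subpaths (#..) are dropped."""
    bare = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = bare.partition("@")
    return name, version


def find_matches(sbom_json, advisories):
    """Return (findings, unidentified): one finding per component/advisory pair whose
    shipped version falls in the affected range, plus the names of components that
    carry no purl and therefore cannot be checked at all."""
    sbom = json.loads(sbom_json)
    findings, unidentified = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(comp.get("name", "<unnamed>"))
            continue
        name, version = split_purl(purl)
        shipped = parse_version(version)
        for adv in advisories:
            if adv["purl_name"] != name:
                continue
            if parse_version(adv["introduced"]) <= shipped < parse_version(adv["fixed"]):
                findings.append({"component": f"{name}@{version}",
                                 "advisory": adv["id"],
                                 "exploited": adv["exploited"],
                                 "fixed_in": adv["fixed"]})
    return findings, unidentified


def release_gate(findings, unidentified):
    """Block the release on any known exploitable vulnerability or on any component the
    SBOM cannot identify; merely known (unexploited) findings are listed for the
    vulnerability-handling record but do not block on their own."""
    blocking = [f["advisory"] for f in findings if f["exploited"]]
    known = [f["advisory"] for f in findings if not f["exploited"]]
    return {"release_blocked": bool(blocking) or bool(unidentified),
            "blocking": blocking,
            "known_unexploited": known,
            "unidentified": list(unidentified)}


def reporting_deadlines(aware_at_iso):
    """Early warning, notification and final-report deadlines for an actively exploited
    vulnerability, counted from the ISO-8601 time the manufacturer became aware."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {"early_warning": (aware_at + timedelta(hours=24)).isoformat(),
            "notification": (aware_at + timedelta(hours=72)).isoformat(),
            "final_report": (aware_at + timedelta(days=14)).isoformat()}


if __name__ == "__main__":
    found, missing = find_matches(SBOM_JSON, ADVISORIES)
    print(json.dumps(release_gate(found, missing), indent=2))
    print(json.dumps(reporting_deadlines("2026-09-11T08:00:00+00:00"), indent=2))
```

Run as-is, the gate blocks the constructed firmware image twice over: example-tls 2.4.1 sits inside the affected range of an exploited advisory, and vendor-blob has no purl, so nothing can be said about it. The example-mqtt finding is recorded but does not block; the example-rtos version is already past the fix. A real pipeline would pull the advisory feed from a vulnerability database and treat an SBOM entry without an identifier as a defect in the SBOM itself.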
In order to achieve compliance with the CRA, engineering teams must take a holistic approach to cybersecurity. This includes following appropriate cybersecurity processes: secure-by-design principles, cybersecurity assessments, and penetration testing of products before they are released. It also, of course, requires the appropriate security features to be implemented, including encryption, authentication, access controls, secure boot and secure updates. Finally, ongoing management is required: monitoring for new vulnerabilities in shipped components and patching them throughout the support period. In practice this calls for a security operations center capability.
Comprehensive solutions for CRA compliance
Achieving CRA compliance requires solutions across the three domains of an IoT system: edge devices, mobile applications, and cloud systems.
Each domain requires its own expertise:
Edge Security requires solutions customized for embedded systems including features such as secure boot, secure firmware updates, bootloader protection, secure communication, and integration with secure element chips.
Mobile Application Security requires support for code obfuscation, TLS certificate pinning, tokenization, proxy detection, and detection of the OWASP Mobile Top 10 threats.
Cloud Security requires support for features including network defense, web application firewalls, DevSecOps, and continuous monitoring.
These features must be backed by secure development processes, security assessments, penetration testing, and a security operations center solution to deliver complete end-to-end protection and ensure compliance with regulations such as the CRA.
Summary
The enactment of the CRA has elevated cybersecurity to a “must-have” feature for anyone building an IoT device for the EU market. Engineering teams must prioritize cybersecurity, beginning with budgets and staffing. R&D teams need to be staffed, trained, and enabled to implement cybersecurity properly. From this starting point, cybersecurity must be addressed when creating product development schedules, defining testing cycles, and selecting partners. For many companies, selecting a partner who can provide guidance, external testing, and tools, and who supports a cybersecurity operations center, will be key to their success.
The CRA is now in force, but its timeline leaves room to implement the capabilities required for compliance. While achieving CRA compliance will be a major effort for many companies, there is time for those who start now and proactively build their security capabilities.
About CyberWhiz
CyberWhiz provides a next-generation IoT cybersecurity solution covering the three domains of IoT systems: edge devices, mobile applications, and cloud-based applications. CyberWhiz helps IoT manufacturers achieve compliance with security regulations, including the CRA, through security assessments, penetration testing, endpoint security solutions, and continuous monitoring, as a one-stop shop for device manufacturers. They are already securing millions of IoT devices and their mobile applications in Europe.
Çağatay Büyüktopçu has 20 years’ experience in embedded systems and security. He and his team spun out from Beko, the world’s #2 home appliance manufacturer, to form CyberWhiz. In 2016 they were the first team in the world to successfully embed an Elliptic Curve Cryptography (ECC) based Hardware Security Module (HSM) into a resource-constrained IoT infrastructure device.