The EU Cyber Resilience Act: What We Know, What We Don’t (Yet)

Cybersecurity experts Periphery examine how the EU Cyber Resilience Act redefines cybersecurity compliance for connected devices, including those sold by defence manufacturers. Embedded Cybersecurity feature article by Periphery.


The EU Cyber Resilience Act (CRA) marks a major regulatory shift for global manufacturers selling digital products in Europe. Cybersecurity threat management solutions developer Periphery explores how defence manufacturers can stay ahead of the legislation, and the competitive advantage of embedding cybersecurity early.


The European Union’s Cyber Resilience Act (CRA) is rapidly approaching, and for manufacturers of devices with digital elements, it represents a pivotal shift in the cybersecurity landscape. At Periphery, we’re deeply invested in understanding its nuances, not just for our own compliance, but to ensure our partners are fully prepared. So, what do we know for certain, and where are the areas that still require careful navigation?

What We Know.

The core tenets of the CRA are now firmly established, fundamentally changing how products are developed, brought to market, and maintained.

Firstly, we know its broad scope. The CRA applies to a vast array of hardware and software products with digital elements, from consumer IoT devices to industrial control systems, if they are placed on the EU market. This holds true regardless of where these products are manufactured, meaning it has a significant global reach. One caveat matters for this audience: products developed or modified exclusively for national security or defence purposes are excluded from the Regulation, so it is the dual-use, commercial and off-the-shelf components in a defence supply chain that are most likely to be caught.

Secondly, the legislation introduces mandatory cybersecurity requirements throughout the product lifecycle. Manufacturers must ensure ‘secure by design’ and ‘secure by default’ from the outset, embedding security into every stage of development, testing, and production. Beyond the initial release, there is a clear obligation for continuous vulnerability management, requiring products to receive timely security updates for their declared support period. That period must reflect how long the product is expected to be in use and is at least five years, unless the manufacturer can show the product is expected to be in use for a shorter time.

Crucially, we understand the key deadlines and enforcement mechanisms. While the Act entered into force in December 2024, the most significant dates are approaching fast. From 11th September 2026, manufacturers face mandatory obligations to report actively exploited vulnerabilities and severe cybersecurity incidents; the early warning for an actively exploited vulnerability is due within 24 hours of the manufacturer becoming aware of it, so the internal process for detecting and escalating such events needs to exist before that date. From 11th December 2027, all in-scope products placed on the EU market must fully comply with every essential cybersecurity requirement before they can bear the CE marking. The penalties for non-compliance are substantial, including fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, along with market restrictions and product recalls.

Finally, we know the CRA’s intent is to foster trust and transparency. It aims to improve consumer protection by making cybersecurity a clear differentiator and rebalancing responsibility firmly onto manufacturers. It complements other significant EU cybersecurity legislation, like the NIS2 Directive, creating a comprehensive framework for digital resilience.

What We Don’t (Yet) Know.

While the framework is solid, the practical implementation of such a sweeping regulation always comes with nuances that are still evolving.

One area that continues to develop is the specifics around harmonised standards. The EU is working through standardisation requests that will lead to detailed technical standards for various product categories. These standards will provide clear guidance on how to comply with the essential requirements, and a product that meets a harmonised standard gains a presumption of conformity with the corresponding requirement. Until these are fully finalised and adopted, some manufacturers face the challenge of interpreting the high-level requirements and implementing their own solutions without explicit, harmonised guidelines.

There are also ongoing discussions around the categorisation of ‘important’ products (Class I and Class II, Annex III) and ‘critical’ products (Annex IV), which trigger different conformity assessment routes. In broad terms, a default product can be self-assessed by the manufacturer; a Class I product can be self-assessed only if harmonised standards, common specifications or a relevant certification scheme are applied in full, and otherwise needs a third-party assessment; a Class II product always requires third-party assessment; and a critical product may additionally be required to hold a European cybersecurity certificate. While these definitions exist, the precise classification for every type of product across diverse industries will become clearer as the expert groups provide more specific guidance and as precedents are set. The availability and capacity of the notified bodies that perform third-party assessments, given the expected volume of work, is also a practical consideration.

Finally, while the obligations for open-source software stewards have seen revisions to be more accommodating, the full practical implications for different models of open-source projects, particularly those with hybrid commercial aspects, continue to be a topic of discussion and clarification.

At Periphery, we’re actively monitoring these developments and engaging with the evolving landscape. Our pre-deployment Insights services and post-deployment Outpost technology are designed to provide the robust, real-time security and compliance support manufacturers need, regardless of these finer points. We firmly believe that by focusing on embedding fundamental, proactive cybersecurity measures, manufacturers can build a strong foundation that will adapt to any future clarifications or evolutions of the CRA. Indeed, for those who move swiftly, the CRA represents a significant commercial opportunity to differentiate their products, gain a competitive edge, and capture market share by offering demonstrably more secure and resilient devices.

The direction of travel is clear: embrace secure by design, and reap the rewards of enhanced market trust.

Posted by Sarah Simpson. Sarah has led content for Defense Advancement since its launch in 2020. With a deep interest in defense innovation and a background in research and technical copywriting, she has a passion for showcasing how technology directly contributes to protecting and saving lives, presenting new developments in a way that resonates with a highly specialized audience.