The Cyber Resilience Act (CRA) is a pioneering regulation designed to enhance the security of digital products and services within the European Union (EU). It addresses the escalating threats of cyberattacks by mandating rigorous security requirements throughout the lifecycle of digital products, from design and development to deployment and disposal. Noncompliance with the CRA can lead to severe penalties, including fines up to €15 million or 2.5% of global annual revenue.
Designing secure products under the CRA involves integrating security measures from the very beginning. This includes implementing secure boot processes, ensuring firmware integrity, securely storing credentials, keys and certificates, and using robust cryptographic techniques to protect data at rest and in transit. When personal data is processed, secure communication should be implemented to safeguard data exchanges. Regular security updates and effective vulnerability management are also critical components of compliance.
The CRA contains many guidelines that manufacturers must follow; we will elaborate on a few of these below.
Products must be designed and developed with cybersecurity integrated at every stage of the lifecycle. This includes embedding safeguards into hardware and software from the outset, conducting regular risk assessments and ensuring the product meets essential cybersecurity requirements. The CRA emphasizes that manufacturers must adopt a "secure-by-design" approach to minimize vulnerabilities and ensure robust protection against cyber threats.
Devices must ship with the most secure settings enabled by default to reduce the risk of exploitation without requiring user intervention. Manufacturers are obligated to ensure products have default configurations that prioritize security while still being user friendly. This measure aims to protect users who may lack technical expertise from unnecessary exposure to cyber risks.
Manufacturers are required to establish and maintain a coordinated vulnerability disclosure policy under the CRA. This policy facilitates communication between manufacturers, security researchers and governments to ensure that vulnerabilities are identified, reported and remediated efficiently. Our Product Security Incident Response Team (PSIRT) addresses security vulnerabilities across hardware, software, firmware, and tools, acting swiftly to mitigate risks and protect customers.
Manufacturers must establish and maintain a comprehensive incident response plan to address cybersecurity incidents effectively. This includes mechanisms for detecting, reporting and mitigating incidents to minimize potential harm. The CRA mandates procedures to ensure timely communication with affected parties and regulatory authorities, fostering a proactive and coordinated response to cyber threats.
Manufacturers are required to ensure the security of their products with digital elements throughout the entire lifecycle. This includes designing secure products, implementing updates to address vulnerabilities, monitoring emerging threats and providing a clear end-of-support notification. By adopting a lifecycle approach, the CRA ensures products remain resilient against evolving cyber threats and maintain compliance with essential cybersecurity requirements.
The CRA introduces a harmonized framework to enhance the cybersecurity of products with digital elements across the EU. Key benefits include:
By mandating secure-by-design and secure-by-default practices, the CRA ensures consumers are better protected against cyber threats, reducing the risk of breaches and exploitation.
Lifecycle security obligations and vulnerability handling requirements ensure that products remain resilient to emerging threats throughout their lifespan.
The CRA creates a unified set of cybersecurity standards, reducing regulatory fragmentation and enabling seamless market access for manufacturers across the EU.
Requirements for robust incident response plans facilitate quicker resolution of security incidents, minimizing damage and disruption.
By establishing clear obligations for vulnerability disclosure and security support, the CRA fosters trust among users, businesses and security researchers.
Demonstrating CRA compliance can help businesses showcase their commitment to security. By exceeding baseline requirements and emphasizing enhanced security practices, companies can differentiate themselves in a cybersecurity-conscious market, building trust and providing added value through ongoing support and transparency.