Cyber Resilience Act (CRA)

Your partner every step of the way

Understanding the European Union (EU) CRA

The CRA aims to protect consumers and businesses from the growing risks of security vulnerabilities in our connected world. It lays down the rules for the design, development and production of products with digital elements, as well as processes for handling vulnerabilities throughout the product's lifecycle. TI is actively involved in shaping and tracking CRA developments so we can help you navigate the requirements with confidence, and get to market quickly with secure, compliant products. 

Scope of CRA

The EU CRA regulation [1] applies to products and components with digital elements made available on the EU market, such as any hardware or software product that processes digital data and is intended or reasonably expected to be connected to another device or to a network.

Included in scope

Examples of products and components with digital elements:

Hardware:

  • Network management systems
  • Smart appliances
  • Mobile phones
  • Microprocessors and microcontrollers

Software:
 

  • Operating systems
  • Open source software
  • Boot manager

Not included in scope

Products with digital elements to which the following existing EU regulations apply [1]:
 

CRA timeline

CRA requirements

The CRA regulation applies to products and components with digital elements made available on the EU market, such as any hardware or software product that processes digital data and is intended or reasonably expected to be connected to another device or to a network.

Product requirements

1. Appropriate level of security
2. Products to be delivered without known vulnerabilities
3. Based on the risk and where applicable:
        • Security by default
        • Enable adequate security updates
        • Protection from unauthorized access
        • Confidentiality and integrity of data, commands and programs
        • Minimization of data
        • Availability of essential functions
        • Minimize negative impact on other devices
        • Limit attack surfaces
        • Reduce impact of an incident
        • Record and monitor security relevant events
        • Securely, permanently erase and/or transfer data and settings

Vulnerability handling process

        • Identify and document dependencies and vulnerabilities, including SBOM
        • Track vulnerabilities
        • No known vulnerabilities and address vulnerabilities without delay
        • Test the security of the digital product
        • Publicly disclose information about fixed vulnerabilities
        • Coordinated vulnerability disclosure policy
        • Facilitate the sharing of information about potential vulnerabilities
        • Patches are delivered without delay, free of charge and with advisory messages

Information and labeling

        • CE marking
        • EU Declaration of Conformity
        • Appointment of authorized representative, designation of a safety point of contact
        • Technical documentation, including cybersecurity risk assessment
        • Information on availability of security updates
        • SBOM covering top-level dependencies
        • Technical documentation defining the support and support period
        • Public SW archive with access to revisions
        • Provide user instruction set
        • Identification of product

Our commitment to cybersecurity

Decades of experience in security

We have a long history of developing and selling products and meeting the demanding security needs of our customers.

Certified by TÜV SÜD 

We are certified by TÜV SÜD to comply with the ISO/SAE 21434 standard for automotive cybersecurity.

Closely monitoring CRA development

We are closely monitoring the implementation of the CRA and the publication of its standards with active participation.

Enabling vulnerability reporting

Our product security incident response team (PSIRT) oversees the process of accepting and responding to reports of potential security vulnerabilities.

Guiding you through your product cycle

Product definition
  • Define product usage
  • Define applicable CRA class
  • Assess potential risks
Design & development
  • Identify vulnerabilities
  • Create software bill of materials (SBOM)
  • Provide CRA technical documentation
Validation
  • Assess conformity
  • Mitigate any existing vulnerabilities
  • Provide CRA technical documentation
Deployment

Resources

Certification for automotive cybersecurity process

Compliance with the product cybersecurity standard ISO/SAE 21434

Download certificate

Build your application with security in mind

How do developers achieve their desired level of security in connected devices? This e-book presents the main security enablers we offer to assist in meeting the designers’ security objectives.

Download the e-book

References

1. European Union. Nov. 20, 2025. “Regulation - 2024/2847 - EN - EUR-Lex”. Accessed Aug. 1, 2025.

2. European Cyber Resilience Act. n.d. “Cyber Resilience Act (CRA) | Updates, Compliance,”. Accessed Aug. 1, 2025.