The Cyber Resilience Act marks a major shift in how connected products must be designed, built, and maintained. As security becomes a core requirement and not just an optional feature, manufacturers of connected devices face new expectations around secure design, vulnerability management, and long‑term update support.
This page gives a brief introduction to the CRA and shows how Nordic’s nRF Cloud chip‑to‑cloud platform gives you the tools and infrastructure you need to build confidently, stay compliant, and keep your device fleet secure throughout its lifecycle.
The EU Cyber Resilience Act (CRA) is the most recent and broadest EU regulation affecting digital products, a sign that legislators are catching up with the rapidly growing IoT industry. The act's recitals note that hardware and software products are increasingly subject to “successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021,” that these products often have “a low level of cybersecurity,” and that users have “insufficient understanding and information” to make safe choices, both when selecting secure products and when using them securely.
The goal is to mitigate these problems by introducing mandatory cybersecurity requirements for all “products with digital elements” placed on the EU market, covering both hardware and software. These requirements don't just concern the state of the product when it enters the market; they set strict obligations for vulnerability handling and for providing security updates throughout the product's support period, which the act sets at a minimum of five years unless the product is expected to be in use for a shorter time. This adds significant, ongoing responsibility for manufacturers, importers, and distributors long after products are deployed.
For a product to be compliant with the CRA, it must meet the essential cybersecurity requirements listed in the act and have processes in place for vulnerability handling. These requirements apply to all products with digital elements unless they are covered by other sector-specific EU regulation (for example medical devices, civil aviation, motor vehicles, and products developed exclusively for national security or defence purposes). Non-compliance can result in products being withdrawn or recalled from the market, as well as severe financial penalties: fines for breaching the essential requirements can reach EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher.
The CRA entered into force on 10 December 2024, but a three-year transition period has been granted to give companies time to adapt, so the main obligations of the act apply from 11 December 2027. However, the reporting obligations apply earlier: from 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting their products, with an early warning due within 24 hours of becoming aware of them.
The CRA applies broadly to manufacturers, importers, and distributors of nearly all hardware and software that has a digital component and can connect, directly or indirectly, to a network or another device. Manufacturers bear the greatest responsibility for ensuring products are secure by design and able to receive security updates, but the act also places significant duties on importers and distributors: before making a product available on the EU market, they must verify that it bears the CE marking and is accompanied by the required documentation, and they must inform the manufacturer and the authorities if they become aware that it does not conform.
These regulations affect every part of the IoT ecosystem. Nordic, as a provider of hardware, software, and services to manufacturers, is directly affected by the CRA: our hardware and software components must meet the requirements for CE marking. Device manufacturers that build on our solutions are affected in turn, because they need integrated, straightforward ways to achieve and demonstrate CRA compliance for their own products.
Manufacturers are responsible for ensuring that products with digital elements meet the “Essential Cybersecurity Requirements” listed in Annex I of the CRA, which covers both properties of the digital products themselves and the processes surrounding vulnerability handling throughout the product lifecycle.
Products must be designed, developed, and placed on the market without known exploitable vulnerabilities and must follow key security principles, including:
Manufacturers must maintain a clear vulnerability management process, including:
For a full understanding of how to comply with the CRA, we recommend you refer to the act directly.
The biggest change for the IoT industry is not the requirement to build secure devices, but the mandate that devices must remain secure throughout their support period. Manufacturers must be able to monitor for and identify security issues in deployed products and remediate them without delay, typically by issuing security updates, while importers and distributors must act as soon as they become aware that a product they have placed on the market does not conform.
Nordic’s cloud service, nRF Cloud, provides the update infrastructure and fleet visibility that help manufacturers comply with some of the new requirements introduced by the CRA, and specifically those related to lifetime security updates and vulnerability handling.
CRA requirement: manufacturers must provide timely security updates and fix vulnerabilities throughout the product's support period.
How nRF Cloud helps: secure, reliable OTA updates across your entire fleet make it practical to deliver patches quickly and keep devices on a supported firmware version.

CRA requirement: manufacturers must actively handle vulnerabilities and continuously monitor for potential risks.
How nRF Cloud helps: real-time device health insights, event logs, and issue detection help you spot anomalous device behaviour early and respond quickly. Fleet telemetry complements, but does not replace, tracking the vulnerabilities published for the components in your firmware.

CRA requirement: manufacturers must give users clear cybersecurity information and maintain records of updates and vulnerabilities.
How nRF Cloud helps: update audit logs, version tracking with SBOM association, and device inventory help you show which firmware (and which components) each device is running, demonstrate compliance, and document your security posture.
Whether you’re preparing to increase your OTA capabilities for CRA compliance, launching a new product, or updating existing devices, nRF Cloud helps you deliver secure, maintainable, and compliant connected products.