With the Cyber Resilience Act (CRA), the EU has established a minimum level of cybersecurity for all networked products. The CRA covers all products sold in the EU that contain “digital elements.” This includes the entire range of embedded systems – from consumer electronics and household appliances to complex high-end industrial systems – if they can be connected to a network or even just to another device.

The CRA has been in force since the end of 2024 and must be implemented in several stages by the end of 2027 at the latest. Developers of embedded systems, but also project managers and product managers, are therefore asking themselves the question: How do I go about ensuring that my products meet the CRA requirements?