5 posts tagged with "CRA"

On 3 December 2025, the European Commission published its first Frequently Asked Questions document on the Cyber Resilience Act (CRA). This is the first official implementation guidance since the regulation was published in November 2024, and it provides important clarifications on how manufacturers should approach compliance.

The FAQ is a substantial document covering scope, product classification, manufacturer obligations, vulnerability reporting, conformity assessment, and timelines. For product teams preparing for the December 2027 deadline, Chapters 4 (Manufacturer Obligations) and 5 (Reporting) contain the most actionable guidance.

The European Commission has published Implementing Regulation (EU) 2025/2392, providing the detailed technical descriptions that define exactly which products fall into the CRA's "Important" and "Critical" risk categories. This is the first major piece of secondary legislation under the Cyber-Resilience Act, and it removes much of the ambiguity around product classification.

The Cyber-Resilience Act (CRA) is the EU's first horizontal law that legally mandates Secure-by-Design for products with digital elements. It sets clear obligations for confidentiality and integrity, but it deliberately avoids naming specific algorithms or key sizes. That raises an immediate question for device makers:

What exactly counts as “state-of-the-art” cryptography under the CRA?

Inspired by Markku-Juhani O. Saarinen’s paper “CRA and Cryptography: The Story Thus Far” (IACR ePrint 2025/2092), this post explains how European standardisation work is answering that question – and what it means for your products.

On November 20, 2024, the Cyber-Resilience Act (CRA) was officially published in the EU's Official Journal as Regulation (EU) 2024/2847. This marks the final, formal step in a legislative process that will fundamentally reshape the market for connected devices.

Welcome to the SecureByDesignHandbook.com project!