News and analysis about cybersecurity standards.
View All Tags
The European Commission has published Implementing Regulation (EU) 2025/2392, providing the detailed technical descriptions that define exactly which products fall into the CRA's "Important" and "Critical" risk categories. This is the first major piece of secondary legislation under the Cyber-Resilience Act, and it removes much of the ambiguity around product classification.
The Cyber-Resilience Act (CRA) is the EU's first horizontal law that legally mandates Secure-by-Design for products with digital elements. It sets clear obligations for confidentiality and integrity, but it deliberately avoids naming specific algorithms or key sizes. That raises an immediate question for device makers:
What exactly counts as “state-of-the-art” cryptography under the CRA?
Inspired by Markku-Juhani O. Saarinen’s paper “CRA and Cryptography: The Story Thus Far” (IACR ePrint 2025/2092), this post explains how European standardisation work is answering that question – and what it means for your products.
On November 20, 2024, the Cyber-Resilience Act (CRA) was officially published in the EU's Official Journal as Regulation (EU) 2024/2847. This marks the final, formal step in a legislative process that will fundamentally reshape the market for connected devices.
The NIS 2 Directive (EU 2022/2555) was published in the Official Journal of the EU in December 2022, officially replacing the original NIS Directive. This new legislation significantly expands the scope of Europe's cybersecurity rules, imposing stricter risk-management and reporting obligations on a wider range of critical sectors.
In a move with major implications for the connected device market, the European Commission published Delegated Regulation (EU) 2022/30 in January 2022. This act officially activated the dormant cybersecurity clauses within the Radio Equipment Directive (RED), turning what were once recommendations into hard legal requirements.
In a significant step forward for cybersecurity, ETSI formally published EN 303 645 in June 2020. This standard establishes a baseline for the security of internet-connected consumer devices, providing a practical, risk-based framework for manufacturers.