Skip to main content

European Cyber Resilience Act compliance

The European Union's Cyber Resilience Act (CRA) aims to enhance the cybersecurity of products with digital elements, placing obligations on manufacturers to ensure security throughout a product's lifecycle. Compliance and certification with the CRA is mandatory for manufacturers (OEMs) selling connected products into the EU that are not under an existing regulation, such as the EU Medical Device Regulation. Products will bear the CE marking to indicate that they comply with the CRA requirements.

DigiCert​​®​​ Device Trust Manager provides a comprehensive platform for managing device identities and security, and helps OEMs seeking to comply with CRA's requirements. DigiCert​​®​​ TrustCore SDK and TrustEdge provide key device security capabilities that developers can use to comply with the CRA's requirements, such as data encryption at rest and in transit. DigiCert​​®​​ Software Trust Manager's powerful vulnerability code scanning and software capabilities ensure secure and authenticated software is deployed to devices, with a Software Bill of Materials (SBOM) to ensure transparency.

Article 6 of the CRA defines the core security requirements for products with digital elements:

Products with digital elements shall be made available on the market only where:

  • (a) they meet the essential cybersecurity requirements set out in Part I of Annex I, provided that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable, the necessary security updates have been installed; and

  • (b) the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.

The Act also defines requirements around certification, reporting, disclosure, and enforcement.

The CRA is a regulation (not a directive), which means it is directly applicable across all EU member states once it takes effect. The objectives of the CRA include:

  • Improve the cybersecurity of digital products sold in the EU.

  • Ensure manufacturers take security seriously throughout the product lifecycle.

  • Provide clear rules for businesses and reduce market fragmentation.

  • Empower consumers to make more informed decisions.

Scope

The CRA covers “products with digital elements” (PDEs). These include:

  • Software (apps, operating systems, firmware).

  • Hardware with digital components (IoT devices, smart appliances).

  • Industrial systems and connected products.

It applies to both EU-based and non-EU manufacturers selling in the EU.

Core Requirements

Manufacturers must:

  • Ensure cybersecurity by design and by default.

  • Perform risk assessments.

  • Provide security updates and patches.

  • Report vulnerabilities (including to ENISA and national authorities)

  • Document cybersecurity measures.

Compliance and Obligations

Products are divided into classes depending on their criticality:

  • Default category: Standard products.

  • Class I and II: High-risk products (for example, security-critical software, infrastructure systems).

Critical products may need a third-party assessment (not self-assessment).

Timeline

The Cyber Resilience Act entered into force on December 10, 2024. The main obligations introduced by the Act will apply from December 11, 2027.

Penalties

Non-compliance can result in penalties up to:

  • € 15 million or

  • 2.5% of the global annual turnover (whichever is higher).

How DigiCert Device Trust Solutions support CRA compliance

The CRA mandates strong security practices for connected devices, focusing on vulnerability management, secure updates, and transparent security information. Device Trust solutions can play a pivotal role in enabling device manufacturers and OEMs to partially or fully meet 17 of 22 CRA Annex I requirements.

Tableau 1. Annex I requirements

Serial Number

Requirement Number

Requirement Text

How DigiCert helps OEMs to comply

1

Annex I, Part I - 1

Products with digital elements shall be designed, developed, and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks

TrustCore SDK and TrustEdge support secure design, allowing OEMs complete control over what SDK components are included in the device software, thereby reducing the device attack surface. Plus, support for TPMs, software, and hardware-based secure elements ensure keys are always protected.

2

Annex I, Part I - 2(a)

Products shall be made available on the market without known exploitable vulnerabilities.

Software Trust Manager provides automated software validation and vulnerability scanning for your device software as part of your CI/CD process. It can also generate an SBOM as part of the process to show transparency in the software being used by the devices.

Each TrustCore SDK and TrustEdge commit and release is automatically scanned for software vulnerabilities.

3

Annex I, Part I - 2(b)

Products shall be made available on the market with a secure-by-default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state.

TrustCore SDK is modular, allowing OEMs to compile in only the features they need, thereby reducing the attack surface.

By default, TrustEdge ships with no open inbound TCP/UDP service ports, avoiding the need to disable or firewall open ports.

Both TrustCore SDK and TrustEdge support securing private keys in TPMs, secure elements, or using Physical Unclonable Functions (PUF).

Both TrustCore SDK and TrustEdge support encryption of device data in transit, using TLS 1.3 and secure MQTT, and data at-rest using either AES, ML-DSA, or SLH-DSA.

Both TrustCore SDK and TrustEdge are PQC-ready, supporting ML-KEM, ML-DSA, and SLH-DSA, protecting devices against the impending quantum threat.

4

Annex I, Part I - 2(c)

Ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them.

Device Trust Manager with TrustEdge enables secure over-the-air updates of binaries and configuration file updates over MQTTs. Updates can be packaged to include the ability to notify users, support opt-out, and postpone updates.

Software Trust Manager can monitor SBOMs representing the software components installed on a device, and notify development teams once a new CVE is discovered in a dependency, such as an open-source software package.

5

Annex I, Part I - 2(d)

Ensure protection from unauthorized access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorized access.

Device Trust Manager offers secure credential provisioning policies ensuring each device has a strong, certificate-backed identity to avoid spoofing. Device access to certificate issuance, OTA updates, and, policies are strictly controlled through the certificate-back identity of the device, device group membership, and assignment of policies to the device group.

Device Trust Manager user and API access are strictly controlled, using least-privileges, by a combination of role-based access control, API keys, two-factor authentication, client certificate authentication, and support for popular IDPs.

6

Annex I, Part I - 2(e)

Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms, and by using other technical means.

By default, Device Trust Manager supports secure MQTT communication with devices over TLS 1.3 encryption.

Both TrustCore SDK and TrustEdge support encryption of device data in transit, using TLS 1.3 and secure MQTT, and data at-rest using either AES, ML-DSA or SLH-DSA.

7

Annex I, Part I - 2(f)

Protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs, and configuration against any manipulation or modification not authorized by the user, and report on corruptions.

By default, Device Trust Manager supports secure MQTT communication with devices over TLS 1.3 encryption. It also supports deploying signed updates to devices.

Both TrustCore SDK and TrustEdgesupport encryption of device data in transit, using TLS 1.3 and secure MQTT, and data at-rest using either AES, ML-DSA or SLH-DSA.

8

Annex I, Part I - 2(g)

Process only data, personal or other, that are adequate, relevant, and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimization).

By default, TrustEdge does not send any personal data from the device to Device Trust Manager nor does Device Trust Manager receive or store any personal data from devices. Only device metadata is sent by TrustEdge to Device Trust Manager, such as operating system, version, MAC address, and so on, to manage the device security and updates.

9

Annex I, Part I - 2(h)

Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.

Device Trust Manager allows administrators to temporarily disable devices while incidents are being investigated. This immediately severs communication between the device and Device Trust Manager and any integrated cloud platforms. Also, a device’s certificate can be permanently revoked if the device is found compromised.

10

Annex I, Part I - 2(i)

Minimize the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks.

Device Trust Manager allows administrators to temporarily disable devices while incidents are being investigated. This immediately severs communication between the device and Device Trust Manager and any integrated cloud platforms. Also, a device’s certificate can be permanently revoked if the device is found compromised.

11

Annex I, Part I - 2(j)

Be designed, developed, and produced to limit attack surfaces, including external interfaces.

TrustCore SDK is modular, allowing OEMs to compile in only the features they need, thereby reducing the attack service.

By default, TrustEdge ships with no open inbound TCP/UDP service ports, avoiding the need to disable or firewall open ports.

12

Annex I, Part I - 2(k)

Be designed, developed, and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.

Device Trust Manager allows administrators to temporarily disable devices while incidents are being investigated. This immediately severs communication between the device and Device Trust Manager and any integrated cloud platforms. Also, a device’s certificate can be permanently revoked if the device is found compromised.

13

Annex I, Part I - 2(l)

Provide security-related information by recording and monitoring relevant internal activity, including the access to or modification of data, services, or functions, with an opt-out mechanism for the user.

[Coming soon from DigiCert]

14

Annex I, Part I- 2(m)

Provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.

Both TrustCore SDK and TrustEdge support encryption of device data in transit, using TLS 1.3 and secure MQTT, and data at-rest using either AES, ML-DSA or SLH-DSA. Also, OEMs can use TrustCore SDK and TrustEdge to decrypt at-rest data to securely transfer the data to another device over TLS 1.3.

15

Annex I, Part II - 1

Identify and document vulnerabilities and components contained in products with digital elements, including drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products

Software Trust Manager provides automated software validation and vulnerability scanning for device software as part of your CI/CD process. It can also generate an SBOM as part of the process to show transparency in the software being used by the devices.

16

Annex I, Part II - 2

In relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates.

Device Trust Manager with TrustEdge enables secure over-the-air updates of binaries and configuration files over MQTTs. These can either be feature updates or security fixes. Updates can be quickly deployed to large groups of devices. Devices are immediately notified of the update.

17

Annex I, Part II - 3

Apply effective and regular tests and reviews of the security of the product with digital elements.

- This requirement falls on the manufacturer.

18

Annex I, Part II - 4

Once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch.

- This requirement falls on the manufacturer.

19

Annex I, Part II - 5

Put in place and enforce a policy on coordinated vulnerability disclosure.

- This requirement falls on the manufacturer.

20

Annex I, Part II - 6

Take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements.

- This requirement falls on the manufacturer.

21

Annex I, Part II - 7

Provide mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner.

Device Trust Manager with TrustEdge enables secure over-the-air updates of binaries and configuration files over MQTTs. These can either be feature updates or security fixes. Updates can be quickly deployed to large groups of devices. Once connected, devices are immediately notified of the update.

22

Annex I, Part II - 8

Ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Device Trust Manager enables secure over-the-air updates of binaries and configuration files over MQTTs. These can either be feature updates or security fixes. Updates can be quickly deployed to large groups of devices. Once connected, devices are immediately notified of the update.