The EU Cyber Resilience Act – What is it, and how can Tuxera help you comply?

The EU Cyber Resilience Act (CRA) came into force in December 2024 and its main requirements will apply from December 2027 – a little over two years from now. What does the act mean for you, and how can Tuxera help you comply?

The CRA aims to improve the cybersecurity of any hardware or software product sold in the EU that has a digital element – meaning a product that can be directly or indirectly connected to another device or to a network. Products will need to meet stringent cybersecurity requirements, and manufacturers will need to provide ongoing support – for example through timely security updates – throughout the product lifecycle to ensure that their products remain compliant.

Manufacturers will also need to perform risk assessments, have clear security policies that outline how updates will be provided for a minimum of five years, and publicly report vulnerabilities and security incidents.

When does the CRA come into force?

The CRA entered into force in December 2024. The obligations concerning vulnerability reporting will apply from September 2026, and from December 2027 any products available in the EU market will need to comply with the act’s essential cybersecurity requirements.

The risks of using non-commercial software in commercial products

Under the CRA, manufacturers are responsible for performing due diligence on the non-commercial software in their products – and they are liable for any potential consequences if that software doesn’t comply.

Open source software stewards (OSS stewards) are not legally liable for security vulnerabilities, so they cannot be expected to fix them on request.

It is critical to have 100% visibility over which OSS libraries your product uses and what their dependencies are, because there may be components amongst them that do not fulfill the requirements of the CRA. You’ll also need to maintain a software bill of materials (SBOM) covering all the libraries you use. You will be liable for providing long-term support in line with the CRA requirements and for understanding when a new compliance assessment might be needed because of modifications. And should you discover a malicious element in your OSS, you will need to verify any patches and updates needed to address it.

Can you stop the CRA becoming an expensive problem?

Some critics have argued that the CRA will do more harm than good by negatively impacting innovation and placing unreasonable demands on developers. However, given the rise in cyber attacks in recent years, connected devices need to be made resilient against these attacks.

Designing, building, and maintaining this resilience comes at a cost. For example, you may need a team of three to four experts just to support your non-commercial libraries. Another challenge is that building your own solutions doesn’t happen overnight. It can take anything from three to five person-years to build a secure communication protocol or crypto library.

You might also need another two or three people to handle mandatory vulnerability reporting and resolution. So that’s potentially seven new hires and a huge time investment.

Non-compliance with the CRA could leave you with a very expensive problem on your hands. Companies found to be in breach of the act could face fines of up to 2.5% of their global revenue plus loss of their product’s CE certification, leaving it unable to be sold in the EU.

These challenges are faced by every organization that manufactures devices with a digital element. The good news is, Tuxera is here to help manage them.

How can Tuxera help you comply with the CRA?

Tuxera’s maintained commercial software is secure by design, ensuring your compliance with the EU Cyber Resilience Act (CRA) and helping to avoid the potentially significant additional costs associated with using non-commercial software. We offer security updates and long-term support that open-source alternatives can’t match. This includes vulnerability scanning and reporting, support and maintenance including updates, and help with integration issues.

In addition, Tuxera products do not use external components, so the SBOM is far simpler.

Rock-solid resilience for a customer’s embedded devices

In a recent project we helped a customer to secure their embedded devices with security protocols and encryption for data in transit, and with encryption for file-system data at rest. In this project we also used key-agreement algorithms to ensure that firmware updates were secure. The customer also benefited from our clear, defined process for vulnerability handling and reporting, and from a support and maintenance contract to ensure continued compliance for the lifetime of the products.

Why Tuxera’s secure-by-design concept matters for CRA compliance

Secure by design provides rock-solid security for both data at rest and data in transit.

For mission-critical data at rest, Tuxera NitroFS is a high-performance file system that includes fs-crypt support for enhanced data security at the file level. Tuxera EdgeFS is an embedded file system built to protect critical data in resource-constrained environments. You can use EdgeFS with Tuxera CryptoCore, which includes essential security algorithms optimized for embedded systems.

For data in transit, there’s Tuxera TCP/IP Stack, which gives you secure and resilient connectivity software for your embedded systems.

With Tuxera embedded software securing your CRA compliance, you benefit from:

  • 100% data integrity with secure-by-design products
  • 50–100% cost savings with no need to invest in development, support, or vulnerability reporting and management
  • 83% faster go-to-market time so you can scale faster with expert support

Get in touch today to find out how Tuxera can help you secure CRA compliance.
