Understand the EU Cyber Resilience Act: What It Is and How to Prepare

Watch this on-demand webinar to learn how Digi solutions can help to support end-to-end CRA readiness.

Recorded Webinar
Length: 44:25

Dec 05, 2025 | Length: 44:25


The European Union’s Cyber Resilience Act is reshaping how connected devices are designed, secured and maintained. In this on-demand webinar, Digi’s Miguel Perez provides a clear overview of the CRA’s scope and obligations, including what’s required at launch and throughout the product lifecycle. He also shares how Digi ConnectCore®, Digi TrustFence®, and Digi Remote Manager® work together to help OEMs simplify compliance, meet reporting deadlines, and reduce time to market.

Watch now to learn how Digi solutions support end-to-end CRA readiness.

To learn more, visit the Digi ConnectCore product page, check out our Cyber Resilience Act white paper, or review our comprehensive offering of embedded systems for IoT.


Follow-up Q&A: Understand the EU Cyber Resilience Act: What It Is and How to Prepare

In this session hosted by Digi and Anglia, Miguel Perez of Digi International walked through the scope and implementation timeline of the Cyber Resilience Act (CRA), and how manufacturers can align with the regulation. See the Q&A session below for additional audience questions.

NOTE: While every reasonable effort has been made to ensure that this information is accurate, complete, and up-to-date, all information is provided “AS IS” without warranty of any kind. We disclaim liability for any reliance on this information. All registered trademarks or trademarks are property of their respective owners.

Moderator: Andrew Pockson, Engineering Manager, Anglia

Presenter: Miguel Perez, Senior Product Manager, Digi International

My company produces automotive aftermarket telematics products. Can we self-certify that our products comply with CRA/RED or is an external test house required? Where can the CRA/RED regulations be found?

In the case of the RED, it is possible to perform self-assessment leveraging, for example, the harmonized standards EN 18031-1, -2, and -3. In the case of the CRA, if they are spare parts, then they would be excluded as long as they are used to replace identical components in products with digital elements and are manufactured according to the same specifications.

Otherwise, we recommend reviewing the Implementing Regulation (EU) 2025/2392, which provides the technical description of the categories of important and critical products. Depending on the category your product falls into, there are different conformity assessment procedures you can choose from to verify whether the essential cybersecurity requirements set out in Annex I have been met. See Article 32, “Conformity assessment procedures for products with digital elements.”

The links to the regulations in English are as follows:

Does the Digi secure firmware delivery apply only to the firmware that will be executing on the Digi SOM, or can it also be used for secure distribution of firmware for other micros in the system?

Digi ConnectCore Cloud Services support security maintenance with secure and reliable remote over-the-air (OTA) software updates. Our cloud service is designed for Digi ConnectCore system-on-modules (SOMs). However, it is technically feasible to integrate this functionality into non-Digi hardware. I encourage you to contact us to discuss this integration.

What minimum size of IoT fleet is likely to be economically viable to use Digi solutions? What's the cost per unit per year?

Digi solutions are scalable, supporting both small and large fleets. There is no hard minimum, but value increases with fleet size, especially when managing updates, security monitoring, and reporting. Our approach is based on pay-per-use pricing; at the end of the month, you will only be billed for the devices that have been connected to our cloud platform. For exact unit pricing, please contact our Sales team.

You mentioned early on that industrial products had to be third-party assessed. What form would this assessment take, and how do you determine whether a product falls under these criteria?

According to the CRA, industrial devices may require a third-party assessment, unlike RED, where a self-declaration is sufficient. In fact, third-party assessments are conformity assessment procedures that can be performed for both important (Class I and II) and critical products. Article 32 sets out the different conformity assessment procedures available for products that fall within the scope of this regulation.

The Commission Implementing Regulation (EU) 2025/2392 makes no mention of the term “industrial.” In fact, “industrial devices” can refer to several products classified as important or critical, but the key is to assess which category my end product falls into in order to determine the different conformity assessment procedures available.

Do you have a view about commonalities between EU/CE requirements and UKCA?

While the UKCA and CE mark diverged after Brexit, there’s still significant overlap in technical requirements, especially regarding safety and electromagnetic compatibility. At Digi, we follow both regulatory paths and will align our documentation and certifications accordingly as EU and UK guidance evolves.

Do sensors like keyboards or a computer mouse need to be protected at the system level or will they eventually have security logins, firmware updates, etc.?

The answer is in Article 2, “Scope”: This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.

If my end product falls within the scope of this regulation, then in accordance with Article 13, manufacturers must conduct a cybersecurity risk assessment which will be documented and updated during the support period. The cybersecurity risk assessment will indicate whether the security requirements set out in Annex I, Part I and II, are applicable to the product in question.

Has the EU thought about legal maneuvers like leasing rather than selling products? With a lease, you can determine the death date.

Again, Article 2, “Scope”: This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.

According to Regulation (EC) No 765/2008, ‘making available on the market’ shall mean any supply of a product for distribution, consumption or use on the Community market in the course of a commercial activity, whether in return for payment or free of charge.

Is RED going to be abolished and CRA followed going forward for Radio equipment?

The RED Delegated Act came into force on August 1, 2024, but a transition period was added until August 1, 2025. In the case of the CRA, the transition period runs until December 2027, when the regulation will apply in its entirety, potentially replacing the RED Delegated Act to avoid regulatory overlap. Careful! Not the RED Act, but Article 3(3), points (d), (e), and (f) introduced by the RED Delegated Act. More information at this link.

Annex 1 Part 1 requirements – what would you recommend using as pass / fail criteria?

In accordance with Article 13, manufacturers must conduct a cybersecurity risk assessment which will be documented and updated during the support period. The cybersecurity risk assessment will indicate whether the security requirements set out in Annex I, Part I and II, are applicable to the product in question.

We must understand the role of harmonized standards. From a manufacturer's standpoint, they can be used to demonstrate that their products meet the necessary requirements, thus facilitating market access. In the case of Notified Bodies, they can be used to conduct conformity assessment activities and verify the due diligence of manufacturers that requested their services. In other words, a harmonized standard translates the legal requirement (what) into detailed technical requirements (how). They can be used to consistently verify the implementation of an essential requirement.
