The EU's horizontal cybersecurity regulation for products with digital elements, mandating secure-by-design principles including cryptographic agility and software supply chain security.
The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for all products with digital elements placed on the EU market. This sweeping regulation applies to hardware and software alike, from IoT devices to enterprise applications, requiring manufacturers to handle vulnerabilities, provide security updates, and implement secure-by-design principles throughout the product lifecycle.
A core requirement of the CRA is crypto agility: the ability to update or replace cryptographic algorithms and parameters without replacing the entire product. This is essential for post-quantum readiness and ensures that products can adapt as threats evolve. For PKI, this means certificates and cryptographic primitives must be designed for rotation from day one.
The CRA also mandates software supply chain security, including code signing to ensure software integrity and Software Bills of Materials (SBOMs) for transparency. These requirements create new demands for certificate management at scale, particularly for manufacturers managing fleets of connected devices and frequent software releases.
Products must be designed with security from the ground up, including appropriate cryptographic protections, minimal attack surfaces, and the ability to update security components.
Manufacturers must identify and document vulnerabilities, provide security updates for the product's expected lifetime, and ensure updates can be deployed securely and automatically.
Products must support the ability to update or replace cryptographic algorithms and parameters without requiring full product replacement — essential for post-quantum readiness.
Manufacturers must document all components and dependencies in a machine-readable SBOM, enabling supply chain transparency and vulnerability tracking across the software stack.
Products must undergo conformity assessment procedures — self-assessment for standard products, third-party assessment for critical products — before bearing the CE marking.
Actively exploited vulnerabilities must be reported within 24 hours. Market surveillance authorities can withdraw non-compliant products and impose significant penalties.
The European Commission proposes the Cyber Resilience Act to address the lack of horizontal cybersecurity requirements for products with digital elements.
The CRA is formally adopted in March 2024 and published in the Official Journal in November 2024 as Regulation (EU) 2024/2847.
Manufacturers must begin reporting actively exploited vulnerabilities and severe security incidents to ENISA and national CSIRTs.
All CRA requirements become fully applicable, including conformity assessments, vulnerability handling, and secure-by-design obligations.
Market surveillance authorities begin enforcement actions, with non-compliant products subject to fines up to 15 million EUR or 2.5% of global turnover.
The Cyber Resilience Act introduces fundamental new demands on PKI infrastructure for product manufacturers and software publishers. Here are the critical areas:
Products must support the ability to rotate cryptographic algorithms, directly driving the need for post-quantum readiness and certificate infrastructure that can adapt without breaking deployed systems.
Code signing certificates become mandatory for ensuring software integrity. Every firmware update, software patch, and release must be cryptographically signed and verifiable.
Connected devices require unique identity certificates for authentication and secure communication, creating massive certificate issuance and management demands at manufacturing scale.
Vulnerability patches must be deployed rapidly and securely, requiring automated certificate rotation capabilities that can scale across entire product fleets without manual intervention.
Crypto agility dashboard — Track algorithm usage across your entire certificate estate, identify weak or deprecated cryptographic primitives, and plan your post-quantum migration path.
Automated certificate rotation — Rapidly rotate certificates across product fleets in response to vulnerabilities, ensuring continuous security without service disruption.
Policy enforcement for crypto standards — Define and enforce minimum cryptographic standards across all products, ensuring compliance with CRA's secure-by-design requirements from development to deployment.
Certificate inventory across product fleets — Maintain complete visibility over all device and code signing certificates across your entire product portfolio, from manufacturing through end-of-life.