Tom McCarthy
Product Marketing Manager
On October 10, 2024, the highly anticipated Cyber Resilience Act (CRA) was adopted by the European Commission (EU) Council. The new law provides for a 36-month period after signing and publication before the requirements in the act will be enforced. However, the CRA goes into force only 20 days after its publication. Signing and publication are projected to take place in the coming weeks.
Enterprises Must Start Designing for the CRA Now
What does this mean for companies that produce and ship critical products with digital elements (PDEs)? Starting in late 2027, the EU will begin enforcing CRA requirements on products that started shipping 20 days after publication, in 2024. Developers and manufacturers should plan accordingly to ensure compliance and avoid potential fines or shipping disruptions come late 2027.
Changes in Technology and Practice are Required
The CRA requirements include key elements that should be addressed as initial units are shipped before the 2027 enforcement date. Under the CRA’s definition of “software,” any “part of an electronic system that consists of computer code” will need to have an associated software bill of materials (SBOM) and be resilient against cyber-attacks. This includes all firmware, as it is the foundational computer code for all electronic systems.
Firmware Must be Resilient
To ensure compliance in late 2027, developers of PDEs must design capabilities to detect corrupted firmware at power-on, prevent firmware corruption during runtime, and recover corrupted firmware to a trusted firmware image. Additionally, all versions of firmware running on PDEs must have an associated SBOM where vulnerabilities can be traced and managed.
How AMI Can Help
Aligning with these requirements, AMI offers products and services that help our customers comply with the EU CRA, along with other international standards and regulations. These include firmware with all associated SBOMs, vulnerability management through our Product Security Incident Response Team (PSIRT), and AMI’s Tektagon Platform Root of Trust (PRoT) solution for platform firmware resilience.
Customers should contact their associated AMI sales representative to learn more about how AMI can help them comply with the CRA and other cyber security regulations.