The Cyber Resilience Act (CRA), which legislates cybersecurity for devices with a connected element, was formally adopted by the European Commission in October 2024 and has to be fully implemented by 11th December 2027. What the CRA aims to do will also have a knock-on effect on general awareness of cybersecurity in wider society, as Preeti Ohri Khemani, Senior Director at Infineon Technologies, revealed in an exclusive conversation with IoT Insider, where she shared key details of the CRA and the misconceptions surrounding it.
Security is a moving target
“Security is a moving target,” said Khemani. “We have seen that security is becoming increasingly important, even in sectors where it was not asked [for] that much. This is where the CRA comes in. It aims at making all connected devices more secure, phones, vacuum cleaners, smart meters, wearables … more broadly, it aims to build a security by design mindset for manufacturers of connected devices.”

The scope of the CRA is vast, and for that reason it can prove challenging for companies that are readying their compliance in time for the 2027 deadline. As Khemani illustrated, the connected devices in scope range from phones to smart meters and wearables.
Companies that don’t comply face the risk of being fined up to €15 million or 2.5% of their turnover, whichever is greater, as well as losing the CE mark – a mark that signifies to a consumer that the product has been assessed against safety, health and environmental requirements and passed.
“One aspect we need to understand about the CRA is that it affects the entire supply chain of a device,” Khemani explained. “Manufacturers that release a product in 2027 have to ensure compliance throughout the entire supply chain.”
Incident reporting obligations become applicable on 11th December 2026, and consequently “there is very little time for manufacturers and component suppliers throughout the entire supply chain to start understanding the requirements.”
Due to the scope of the CRA and the arguably strict timeline in place, the pressure is on for manufacturers to fully understand what is required of them. However, misconceptions have arisen.
“We have observed different interpretations of the CRA legal text,” said Khemani. “There is confusion regarding various CRA definitions on how the policy makers have interpreted the use of risk assessment for compliance to the CRA.”
In one concrete example, the CRA classifies products with digital elements into three categories: default, important, and critical. This classification establishes the security measures required for the products that fall into each category.
“There is a different interpretation that I have heard where risk assessment could be more broadly applied to all categories of digital products that should comply with the CRA, from default class up to the critical class,” said Khemani. “In each of these possible classes, based on the risk exposure of that device, a risk could be assessed from low risk to high risk.”
“The whole supply chain from semiconductors to end devices needs to understand the CRA technical requirements and to put in place management processes,” Khemani continued. “This is a major challenge to keep all parties up to date with ongoing standards development and interpretations.”
CRA as a differentiator, not a crux
Infineon’s own involvement in the CRA, and in cybersecurity more broadly, has given the company the expertise to support its customers not just in understanding the CRA and what it requires, but also in implementing security in their solutions.
“Understanding the foreseeable use of a device and applying CRA accordingly would be important,” Khemani explained. “Raising awareness of the importance of cybersecurity and a shift towards a higher and broader acceptance of cybersecurity is something that we expressly support.”
Importantly, complying with the CRA doesn’t have to be perceived as a crux for companies puzzling over compliance. It can instead be viewed as a competitive differentiator.
“We’ve seen that adhering to widely adopted cybersecurity standards, whether it is ETSI EN 303 645 for consumer devices, or IEC 62443 for industrial systems, provides a global security standard that can be used for manufacturers … as a product differentiator,” Khemani agreed. “Another aspect of differentiating is visibility of security in a device or a system. If the end user is not able to identify that it’s a more secure device than others, then such absence of visibility leads to a lack of demand for secure products.”
Throughout our conversation, Khemani expressed her belief that the CRA taking a major leap in mandating cybersecurity will raise the bar in security in connected devices. “We at Infineon see the Cyber Resilience Act as a good basis for improving cybersecurity,” she said.
Our conversation finished by stressing the importance of policy makers recognising and using existing standards, in the spirit of recognising the good work that’s been done in this space, and in supporting manufacturers who, if selling their products worldwide, have to comply with a number of different cybersecurity regulations.
“That [way] we can leverage on the good work being done in the industry standards,” Khemani concluded.