Lean on tools to comply with different EU cybersecurity initiatives, advises Benjamin Monate, CTO, TrustInSoft
The European Cyber Resilience Act (CRA), which entered into force in December 2024 and becomes applicable in stages from June 2026 through December 2027, is a significant milestone in the EU’s commitment to enhancing cybersecurity across all digital products. This legislation mandates that any product with digital elements sold within the EU must adhere to strict cybersecurity regulations, ensuring a safer digital environment for consumers and businesses alike.
The new era of cybersecurity in Europe
The CRA, a topic of discussion since it was first proposed in 2022, now legally sets out cybersecurity requirements for all products with digital elements, whether hardware or pure software, sold in the European Union. In practice, meeting those requirements means developers need rigorous and comprehensive software analysis tooling, so that code review and demonstrating conformity with the CRA stay manageable as the obligations take effect.
And that manageability is important. The CRA imposes comprehensive cybersecurity obligations on manufacturers, importers, and distributors of digital products. Non-compliance with the essential requirements can result in fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
The UK’s parallel initiative, the Product Security and Telecommunications Infrastructure (PSTI) Act, which went into effect 29 April 2024, adds another layer of stringent compliance, particularly for devices accessible to children under 14. In the case of PSTI, non-compliance offenders may be liable for penalties up to £10 million or 4% of a company’s worldwide revenue, whichever is greater. This underscores the global trend towards stricter cybersecurity regulations and makes tools like TrustInSoft Analyzer indispensable for ensuring compliance.
Key requirements
The CRA requires every product with digital elements to be designed, developed and produced with cybersecurity in mind. Among its essential requirements:
- Products must ensure an appropriate level of cybersecurity based on identified risks
- Products must be delivered without any known exploitable vulnerabilities
- Products must limit attack surfaces and reduce the impact of incidents through appropriate exploitation mitigation mechanisms
- Products must undergo effective and regular security tests and reviews
Adapting to the CRA’s classification system
A critical aspect of the CRA is its classification of products into tiers with different conformity-assessment demands: the default category, important products (split into Class I and Class II), and critical products. Products with higher risk profiles, such as network appliances, VPNs, or identity and access management solutions, must adhere to more stringent standards.
Again, tools such as TrustInSoft Analyzer support compliance across all categories by automating security reviews, identifying vulnerabilities, and aiding in the formal verification of software. This matters most when analysing open-source components, which manufacturers remain responsible for integrating securely and must assess for conformity with CRA standards.
Why is software analysis so important?
For software developers, lead architects, and professionals working on cybersecurity products, embedded systems, and network appliances, professional software analysis offers a sound and exhaustive examination that identifies memory safety issues and runtime errors, pivotal for CRA security compliance.
Analysers that automate security reviews and check code integrity also help manufacturers meet the CRA's process obligations, including the vulnerability-handling duties that accompany the requirement, applicable from September 2026, to report actively exploited vulnerabilities.
Tools also support the development of secure-by-design products, aligning with both the CRA and PSTI, thereby reducing potential attack surfaces and improving overall product quality.
Implications for software developers
For C/C++ software developers, lead developers, and lead architects, the CRA necessitates a shift towards security by design. Products must include the appropriate level of cybersecurity based on identified risks; be free from known exploitable vulnerabilities; and undergo mandatory security tests and reviews to identify and mitigate vulnerabilities.
Developers meet these requirements most efficiently by integrating analysis into their workflows: automating security reviews to find memory safety issues, runtime errors, and undefined behaviours; detecting and resolving defects early in the development cycle, which yields more robust and secure products; and aligning development practices with the CRA's essential cybersecurity requirements. Together, these practices support conformance and reduce the risk of non-compliance penalties.
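As an added illustration (example code written for this article, not TrustInSoft's or any product's), the C fragment below shows the kind of defect the paragraph above refers to: an off-by-one in a length check of a length-prefixed record. Tests with typical short inputs pass, but a sound analysis, which considers every possible value of the length byte, reports the NUL terminator write as out of bounds when the length equals the buffer size. The record layout, the VALUE_MAX limit and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record layout (an assumption of this example, not a real protocol):
 *   byte 0        : type
 *   byte 1        : value length n (0..255)
 *   bytes 2..n+1  : value
 * The parser copies the value into a fixed buffer and NUL-terminates it.
 */
#define VALUE_MAX 8

struct record {
    uint8_t type;
    char value[VALUE_MAX];   /* room for at most VALUE_MAX - 1 bytes plus a NUL */
};

/* Buggy length check: admits n == VALUE_MAX, leaving no room for the NUL. */
bool len_ok_buggy(uint8_t n) { return n <= VALUE_MAX; }

/* Fixed length check: n must leave one byte for the terminator. */
bool len_ok_fixed(uint8_t n) { return n < VALUE_MAX; }

/* Shared body: the only difference between the two parsers is the check. */
static bool parse_record(const uint8_t *buf, size_t buf_len,
                         bool (*len_ok)(uint8_t), struct record *out)
{
    if (buf_len < 2)
        return false;                   /* header missing */
    uint8_t n = buf[1];
    if (!len_ok(n))
        return false;
    if ((size_t)n + 2 > buf_len)
        return false;                   /* truncated record */
    out->type = buf[0];
    memcpy(out->value, buf + 2, n);
    out->value[n] = '\0';               /* one past the array iff n == VALUE_MAX */
    return true;
}

/* Vulnerable variant: accepts n == VALUE_MAX and then writes value[VALUE_MAX]. */
bool parse_record_buggy(const uint8_t *buf, size_t buf_len, struct record *out)
{
    return parse_record(buf, buf_len, len_ok_buggy, out);
}

/* Hardened variant: every accepted n keeps the terminator inside the array. */
bool parse_record_fixed(const uint8_t *buf, size_t buf_len, struct record *out)
{
    return parse_record(buf, buf_len, len_ok_fixed, out);
}

/* Builds a record with n bytes of 'A' into msg (capacity >= 2 + n); returns its length. */
size_t build_record(uint8_t *msg, uint8_t type, uint8_t n)
{
    msg[0] = type;
    msg[1] = n;
    memset(msg + 2, 'A', n);
    return (size_t)n + 2;
}

int main(void)
{
    uint8_t msg[2 + 255];
    struct record rec;

    /* A short record: both variants behave identically, so a unit test passes. */
    size_t len = build_record(msg, 0x01, 5);
    printf("short record, fixed parser: %s\n",
           parse_record_fixed(msg, len, &rec) ? rec.value : "rejected");

    /* The boundary length: only the fixed parser refuses it. The buggy parser is
     * deliberately not run here, because doing so would perform the out-of-bounds
     * write; a sound analyser reports it without executing it. */
    len = build_record(msg, 0x01, VALUE_MAX);
    printf("n == VALUE_MAX admitted by buggy check: %d, by fixed check: %d\n",
           len_ok_buggy(VALUE_MAX), len_ok_fixed(VALUE_MAX));
    printf("boundary record, fixed parser: %s\n",
           parse_record_fixed(msg, len, &rec) ? rec.value : "rejected");
    return 0;
}
```

The point is the shape of the defect rather than this particular parser: a bound that is right for the copy but wrong for the terminator is invisible to tests that never use the maximum length, and exactly the case an exhaustive, value-range-aware analysis surfaces during development rather than after shipping.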
Two new sheriffs in town
The enforcement of the CRA signifies a transformative period for the tech industry within the EU. Manufacturers and software vendors must revise their R&D processes, updating methodologies to build security in from the outset by embracing secure-by-design practices, and assessing third-party code as efficiently as possible.
It’s time to take the next step towards compliance and security. There is no point playing fast and loose with the European Cyber Resilience Act or the UK’s PSTI Act if you want your products to be known for security and reliability.
Discover how a professional analyser can streamline your cybersecurity compliance processes by booking a demo at a trade show or on-prem, or by meeting with acknowledged experts to understand how software analysis fits into your development pipeline and compliance strategy.

Benjamin Monate joined the CEA, the French Alternative Energies and Atomic Energy Commission, after one year of teaching at École Polytechnique. Benjamin served as head of the laboratory, leading the lab’s scientific and financial advancement. In addition, he co-invented the technology that would later serve as the basis of TrustInSoft Analyzer, spearheading the development of the product himself. In May 2013, Benjamin co-founded TrustInSoft, where he currently serves as the CTO.