Countdown to Cyber Resilience Act
The reporting obligations of the CRA apply from 11 September 2026, and the regulation fully applies from 11 December 2027.
The EU Cyber Resilience Act (CRA) sets binding cybersecurity requirements, including the essential security requirements detailed in Annex I, for hardware and software products placed on the European Union market, ensuring safety across the entire EU market. The aim is to ensure that all connected devices and IoT products meet these essential cybersecurity requirements throughout their entire product lifecycle – from the design and development phase through production, updates, and maintenance to secure decommissioning.
With decades of experience in embedded computing, edge systems, and industrial Internet of Things (IoT) security, Kontron supports manufacturers in implementing modular, practical, and CRA-compliant solutions. The result is products that are not only legally compliant but also offer maximum operational reliability, scalability, and future-proofing.
The Cyber Resilience Act is fundamentally changing the European cybersecurity landscape. In the future, manufacturers, integrators, distributors, and software providers will have to prove that their products with digital elements are secure throughout their entire lifecycle and are continuously updated.
Excerpt from CRA obligations:
Risk assessment and continuous vulnerability management to mitigate and manage cybersecurity risks and address exploited vulnerabilities
“Security by Design” as a development principle
Transparent update and patch processes, including vulnerability handling and the maintenance of an SBOM
Reporting of security incidents to ENISA, including formal notification and other reporting obligations
Early CRA compliance not only ensures legal certainty through the required conformity assessment, market surveillance, and CE marking, but also provides a clear competitive advantage through trust, transparency, and supply chain operational reliability.
Kontron provides companies with comprehensive support through all phases of CRA compliance – from secure system architecture and continuous update management to intelligent threat detection and CRA-ready hardware.
KontronOS – Hardened, CRA-compliant basis for embedded systems
KontronGrid – Transparent updates, compliance reporting, and lifecycle management
KontronAIShield – AI-powered detection and response to cyber threats
AL i.MX8M Mini/LTE NXP Arm® - IoT-Gateway AL i.MX8M Mini/LTE, based on NXP Arm - CRA-Ready Industrial
Kontron A-251 AML/ADN – Robust, powerful industrial edge system, preconfigured for CRA compliance with secure boot, TPM support, lifecycle security, and optimal computing power for edge analytics and AI applications
The AL i.MX8M Mini/LTE NXP Arm® and the A-251 AML/ADN Box enable companies to seamlessly combine hardware, operating system, and security solutions, ensuring CRA compliance from the software to the physical platform.

KontronOS, part of the susietec® toolset, is a secure, hardened Linux®-based operating system built on open-source software. It is designed to minimize attack surfaces and has been specially developed for industrial and embedded edge devices.
Advantages:
Secure boot and hardware protection through TPM
Signed updates and continuous lifecycle management
Encrypted data communication and memory integrity
CRA-compliant security baseline design for embedded systems

KontronGrid enables centralized monitoring, configuration, and updating of distributed edge devices. This allows continuous verification of CRA security and compliance requirements.
Advantages:
Remote provisioning and automated updates
Transparent compliance reports and audit functionality
Secure, encrypted communication between edge devices and the cloud
Seamless integration with KontronOS

KontronAIShield uses AI-based analytics to detect anomalies and cyber threats in real time. This enables proactive countermeasures and continuous compliance with CRA requirements.
Advantages:
Real-time monitoring of device and network activity
Automated anomaly detection and alerting
Integration into existing security and compliance processes
Proactive protection against known and unknown threats

The Kontron AL i.MX8M Mini/LTE is a compact, fanless gateway for advanced automation solutions. Equipped with KontronOS and KontronGrid, it provides a strong foundation for CRA-ready applications.
Advantages:
CRA-compliant security architecture with Secure Boot and TPM support
Long-term availability and regular security updates
Compact gateway for demanding automation applications

The Kontron CU Control Unit 6x / Mini 6x are NXP i.MX8M Plus-based control platforms that support cybersecurity, maintenance and lifecycle strategies aligned with Cyber Resilience Act requirements.
Advantages:
Supports security-by-design strategies for CRA-oriented system development
Scalable performance for advanced edge and industrial automation applications
Long-term availability supporting maintenance and updating strategies

The Kontron KBox A-251 AML/ADN is a robust, powerful industrial edge system for data-intensive and AI-based applications. Pre-installed with KontronOS and KontronGrid, it is optimally prepared for CRA use.
Advantages:
CRA-compliant security architecture with Secure Boot and TPM support
Long-term availability, a defined support period, and regular security updates
High computing power for machine learning, vision, and edge analytics
The Cyber Resilience Act (CRA) is EU Regulation (EU) 2024/2847. It introduces mandatory cybersecurity requirements for products with digital elements that are made available on the EU market, including hardware, software and certain related remote data processing solutions.
The CRA was introduced to address the low level of cybersecurity in many connected products and the lack of clear security information for users. Its goal is to improve product security across the lifecycle and make it easier for businesses and customers to identify and use secure digital products.
The CRA applies to products with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This includes both finished products and components placed on the market separately.
Yes. The CRA is highly relevant for embedded, edge and IoT systems because it covers connected hardware and software and also includes categories such as operating systems, boot managers, network interfaces, routers and switches among important products with digital elements.
Not automatically. Cloud or SaaS services are only covered if they qualify as a remote data processing solution that is necessary for the product to perform one of its functions; pure standalone cloud services are generally outside scope. Open-source software is only in scope when it is made available on the market in the course of a commercial activity, while open-source software stewards are subject to a lighter, tailored regime.
The CRA affects manufacturers, importers, distributors and authorised representatives, with the main compliance obligations falling on manufacturers. Key requirements include cybersecurity risk assessments, secure-by-design and secure-by-default principles, vulnerability handling, technical documentation, user information, disclosure of the support period, conformity assessment, EU declaration of conformity and CE marking before placing products on the EU market.
The CRA entered into force on 10 December 2024. The rules for notification of conformity assessment bodies apply from 11 June 2026, the reporting obligations apply from 11 September 2026, and the CRA becomes fully applicable on 11 December 2027.
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting product security through the CRA Single Reporting Platform, including an early warning within 24 hours and a more complete notification within 72 hours. Non-compliance can lead to significant penalties of up to €15 million or 2.5% of total worldwide annual turnover, depending on the infringement, and may also trigger enforcement measures such as market restrictions.