Raspberry Pi and the EU Cyber Resilience Act

Brajeshwar | 2 pts | 0 comments

Raspberry Pi and the EU Cyber Resilience Act - Raspberry Pi


The regulatory landscape for digital devices is changing, specifically for those that fall within the relatively wide definition given in the EU’s new cybersecurity regulation:

…‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately…

If you manufacture and deploy digital products in the European Union, the EU Cyber Resilience Act (CRA) is something you need to understand. At Raspberry Pi, we’ve been monitoring the development closely and are ready to support customers integrating our computers into their designs.

What is the Cyber Resilience Act?

The CRA is the EU’s primary legislation focused on the cybersecurity of digital products. It applies to any hardware or software with digital elements, including IoT devices, embedded systems, industrial controllers, smart home devices, and much more; if it’s a connected product sold in Europe, it’s almost certainly within scope. The CRA will follow the product compliance procedures established in the New Legislative Framework Regulation (EC) No 765/2008, commonly known as CE marking.

Manufacturers must begin with a cybersecurity risk assessment, evaluating how the digital product operates and where any potential vulnerabilities may lie. Depending on the outcome of the risk assessment, manufacturers may need to implement security features, securely maintain products throughout their lifecycle, provide vulnerability handling processes, and be transparent with customers about security capabilities and limitations.

Manufacturers must also take steps to improve the cyber resilience of their products — from the integrity of the communications they send and receive, through to the confidentiality of their data — by, among other things, carrying out regular reviews and security tests. Penalties for non-compliance can reach €15 million or 2.5% of global annual turnover.

Timelines and requirements

The full CRA will come into force on 11 December 2027, which is the date by which products must meet the requirements outlined in the Annex. These requirements include:

Annex 1: Essential cybersecurity requirements
Annex 2: Minimum level of information that must be given to the customer
Annex 3: A list of high-security digital products organised into two classes
Annex 4: Critical products with digital elements
Annex 5: Template of the declaration of conformity
Annex 6: Simplified declaration of conformity
Annex 7: Content of the technical documentation that the manufacturer must maintain, commonly referred to within the CE marking framework as the Technical Construction File (recognising that software elements have no physical construction)
Annex 8: Conformity assessment procedures: the processes a manufacturer must follow to prove a product is compliant; under the CRA, these range from self-declaration through internal production control to assessment by an appointed notified body

The December 2027 deadline still gives integrators time to implement the requirements of the legislation. However, for teams building products today — choosing silicon, designing firmware architectures, planning certification strategies — the decisions made now will determine whether they arrive at that deadline with confidence. When that time comes, all in-scope products must be CE-marked.

Vulnerability and incident reporting will become mandatory on 11 September 2026. Manufacturers marketing connected products in the EU must report any actively exploited vulnerabilities or severe security incidents affecting their products. They will have 24 hours to file an early warning and 72 hours to submit a full notification. Reports will be submitted via a new central reporting platform established by the CRA, enabling the secure exchange of data between European Computer Security Incident Response Teams (CSIRTs) and the European Network and Information Security Agency (ENISA).

We’re here to help

Raspberry Pi products are at the heart of an enormous variety of connected applications, including industrial automation, smart building infrastructure, edge computing nodes, medical monitoring equipment, retail systems, and beyond. Many of these use cases fall within the scope of the CRA.

The CRA categorises products with digital elements according to risk — the majority fall within the default, lowest-risk category, but some fall within ‘important’ and ‘critical’ categories subject to more stringent assessment requirements. For many of our customers, the default category will apply, but those building more critical infrastructure will face proportionally...
