European Cyber Resilience Act (EuCRA)

Regular Meeting: Every two weeks, Monday

05.00pm CEST // 08.00am PT

In November 2024 the European Union signed off the Cyber Resilience Act (CRA), which effectively comes into full force on December 11th, 2027. The CRA is an EU regulation for improving cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements, such as required incident reports and automatic security updates. Products with digital elements are mainly hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network".

The CRA will have a lot of effects on firmware. Firmware is part of every product and is deemed critical software within those products.

The CRA will also have some implications for open-source firmware. Within this workstream we are identifying what challenges lie ahead of us and what open-source firmware projects need to implement in order to be compliant with the CRA.

  • Understand the CRA and its implications for open-source firmware
  • Draft a compliance document for open-source firmware projects to check compliance
  • Provide guidance for open-source firmware projects to ease the implementation of necessary processes for CRA compliance

Workstream Leads