The Cyber Resilience Act & Tria
Designed and manufactured in-house, security first.
- Tria Technologies leads the world in development of embedded computing with the highest standards in durability and security.
- The Cyber Resilience Act aims to modernize the regulation of hardware and software, and products that contain them, with a view to enhancing cybersecurity. Learn more about the Cyber Resilience Act below.
- Tria’s embedded compute modules and systems are built for secure industrial environments and are, by design, industry-leading for compliance with the Cyber Resilience Act. We also work with customers to ensure their end products achieve compliance when using our technology.
- Now is the perfect time to go modular! Modular compute solutions are the faster, easier way for OEMs to achieve CRA compliance in their end products.
What is the Cyber Resilience Act (CRA)?
- The Cyber Resilience Act (CRA) is a landmark EU regulation aiming to significantly enhance the cybersecurity of hardware and software products with “digital elements” sold within the European Union. Its primary goal is to ensure that products, from smart TVs and baby monitors to operating systems and industrial control systems, are secure by design and default, and remain so throughout their lifecycle.
- The CRA places mandatory cybersecurity requirements on manufacturers, importers, and distributors. Key obligations include conducting thorough risk assessments, implementing robust security features from the initial design phase, and providing ongoing security updates to address vulnerabilities. Manufacturers must also establish clear vulnerability management processes and promptly report actively exploited vulnerabilities or severe incidents to national and EU cybersecurity agencies.
- The Act introduces a tiered approach based on product criticality, with higher-risk products requiring third-party conformity assessments. Products complying with the CRA will bear the CE marking, signifying adherence to the new standards. The CRA seeks to reduce the financial and societal costs of cyber incidents, foster greater transparency in product security, and empower consumers and businesses to make informed purchasing decisions regarding cyber-secure products. Most of its provisions will apply from December 2027.
More information can be found here: Cyber Resilience Act | Shaping Europe’s digital future
Timeline of the CRA
24-Month Transition Period: By 11th of September 2026, manufacturers must implement processes for vulnerability reporting and post-market monitoring.
36-Month Full Enforcement: By 11th of December 2027, all products with digital elements must comply with the CRA’s cybersecurity requirements.
Understanding CRA Product Categories
The Cyber Resilience Act divides products into four key categories:
- Non-important
- Important (Class I)
- Important (Class II)
- Critical
Each category reflects not only the product’s significance in terms of cybersecurity risk, but also the level of scrutiny and certification requirements it must undergo to achieve CRA compliance.
Every product that is not classified as non-important will eventually fall under one of the vertical standards. To learn more about this ongoing classification process, you can watch the freely accessible video available on the CENELEC website: Webinar ‘Standards supporting the Cyber Resilience Act’ – CEN-CENELEC
How does the CRA impact embedded computing?
The Cyber Resilience Act (CRA) will have a profound impact on embedded computing, fundamentally shifting how embedded systems are designed, developed, deployed, and maintained. Given the pervasive nature of embedded devices, from consumer electronics to industrial control systems and critical infrastructure, the CRA’s reach is extensive.
In essence, the CRA forces embedded computing to mature its security practices, moving from an often reactive approach to a proactive, integrated, and lifecycle-oriented one. This will undoubtedly increase development costs and complexity for manufacturers but aims to create a more resilient and trustworthy digital ecosystem.
How does the Cyber Resilience Act affect ‘legacy’ technology?
The CRA mainly affects products released to the market after 11th December 2027; products released before this date do not necessarily need to comply, unless they are substantially modified after the deadline.
Specific industries and applications do not fall under the CRA because they are covered by separate legislation specific to their industry or application, e.g. medical, aviation and automotive.
All of Tria’s modules, boards and systems are subject to rigorous security and compliance testing. All standard modules are designed for long term support and industrial-scale lifespans in the field to maximize CRA readiness. Long-term security updates ensure hardware and software can be updated to respond to new threats.
Tria’s modular design philosophy makes it easier for OEMs to update, upgrade or replace their hardware while reducing (or eliminating) the need for re-engineering a product to conform with new legislation, such as the CRA.
Compliance will depend on the design of the end product, and how the module, board or system is used in the product. Tria’s engineers work with OEMs every day to solve challenges including security compliance in their end product, and OEMs choose Tria to make it easier to achieve compliance using tried and tested designs.
Helping our customers achieve compliance
Tria’s compute modules are the ideal foundation to develop products compliant with the Cyber Resilience Act (CRA). Thanks to their built-in security features, our modules provide customers with all the key elements needed to configure their products in a secure-by-default manner. These security features include tamper-resistant encryption modules, TPMs, TrustZone technology, the ability to disable JTAG ports, and more. Additionally, through our partnerships, we offer services such as secure updates, certificate management, and product lifecycle management. By providing these essential tools, Tria empowers customers to build and maintain products that meet the rigorous demands of the CRA.
CRA compliance at Tria
Tria has a long history of successfully implementing regulatory safety and security requirements, including compliance with the latest European Radio Equipment Directive (RED). Our RF products for the European market are typically pre-certified, facilitating straightforward certification of the end product.
Following the same systematic approach, and building on our extensive hands-on experience, all new product launches naturally align with the latest revision of RED for enhanced cybersecurity (RED DA) and will also comply with the upcoming Cyber Resilience Act (CRA).
We are exceptionally well-positioned not only to align our own products with CRA obligations but also to support our customers in effectively navigating and implementing CRA requirements.
Start your design journey with Tria today to ensure future compliance with the Cyber Resilience Act and future legislation too. Tria is your number one partner for exceptional embedded compute in the most demanding environments.
The Largest Compute Module Portfolio
Get powerful, complex computing capabilities for your product in pre-built modules, designed from the ground up for security. Designed and manufactured in-house, available worldwide. These modules are the fastest way to achieve compliance with the latest standards in your product.