EU Cyber Resilience Act (CRA)

The European Cyber Resilience Act (CRA) is the European Commission's new law focused on products with digital elements. It is part of a larger cybersecurity framework that already includes similar requirements such as, for example, the EU Cybersecurity Act, NIS Directive, and, in particular, the NIS2 Directive, which the CRA complements.

Below, you'll find a brief overview of the EU Cyber Resilience Act's relevant requirements for embedded device manufacturers.

Product-Specific

According to the CRA, Products must be:

Delivered without known vulnerability
Include Free Security Patches for at least 5 years, unless the product's estimated lifetime is shorter
Protected with a Security-by-Design approach

Handling Vulnerabilities

Device manufacturers must be able to:

Provide documentation of the Software used, including the Software Bill of Materials (SBOM)
Give early warning in 24h and a full notification in 72h about any vulnerabilities
Address vulnerabilities and provide patches with no delay

Information & Instruction

The following details should be readily available and well-documented:

The intended use of the product
How to remove data from the devices
A description of the product's security features

Torizon Platform is recognized for its robust build system based on the Uptane Framework, which facilitates the creation of custom Linux distributions for embedded systems, playing a crucial role in the development of secure products and applications. Using the Torizon Platform, you are taking advantage of shared collaboration and established best practices, which meet a key requirement of the CRA, including the Software Bill of Materials (SBOM) and CVE reports.

Software Bill of Materials (SBOM)

You want to know exactly what goes into your Software. We publish the SBOMs and CVE reports on every TorizonCore build. They are readily and publicly available, making it easier to comply with vulnerability-handling and documentation requirements.

Secure Boot

Secure Boot is the process of booting an image from a valid trusted source — related to the authenticity check specification — while ensuring it has not been modified in any way, complying with the CRA's integrity clause.

Proven Security Framework

Torizon is built with automotive-grade security in mind, thanks to its Uptane-based architecture. Along with Secure-Boot, it guarantees that what you think you're installing is indeed what is being installed. Furthermore, it prevents tampering with the image.

Reliable Updates Process

Torizon offers out-of-the-box, over-the-air, or physical offline updates via a USB stick or SD Card. This process is secure and verifiable due to several layers of validation and fallback systems that ensure your devices keep working at all times.

Vulnerability Monitoring

The Torizon security team continuously monitors software for exploitable vulnerabilities, to help you comply with this key requirement of the CRA. Each CVE (often more than 800) undergoes a manual assessment in order to filter out the non-exploitable ones - saving you time and effort compared to managing this process yourself.

Device Monitoring

The Torizon platform allows you to check in on any unit, at any time. It also allows you to customize the metrics you'd like to keep track of, such as CPU performance, the device's temperature, overall status, and more. This allows you to preempt any vulnerabilities and roll out patches promptly.