22 CRA requirements
now in force
The compliance bar for connected products is rising fast. Embeint's Infuse-IoT helps teams build, secure, and ship connected devices with greater confidence, less friction, and a clearer path to CRA readiness before the main obligations start applying on 11 Dec 2027.
The bar has lifted
IoT Providers
need to show
Secure boot
Verified OTA update frameworks
Cryptographic key management
Continuous vulnerability monitoring
Fully traceable SBOM generation
Audit-ready conformity documentation
Main CRA obligations apply from 11 Dec 2027.
Reporting obligations start on 11 Sep 2026.
Supporting secure IoT that's still low-power and low-data
CRA Coverage Matrix
Supporting secure IoT
that's still low-power and low-data
The Essential Cybersecurity Requirements of the Cyber Resilience Act Annex I and Annex II came into force 10 December, 2024.
Below are each of the 22 essential CRA requirements and how Embeint's Infuse-IoT can help from embedded firmware to cloud.
Annex I
Product design and engineering controls manufacturers need built into the device and service architecture.
| Annex I | CRA requirement | Infuse-IoT Embedded | Infuse-IoT Cloud | |
|---|---|---|---|---|
I(1) | Risk based cybersecurity design | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(a) | Available without vulnerabilities | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(b) | Secure by default | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(c) | Over-the-air Upgrades | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(d) | Prevent unauthorised access | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(e) | Data Confidentiality | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(f) | Data Integrity | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(g) | Process only relevant data | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(h) | Protect availability of essential functions | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(i) | Minimize impacts on other devices/networks | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(j) | Limit attack surfaces | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(k) | Exploitation mitigation mechanisms | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(l) | Record and monitor internal activity | Infuse-IoT Support | Infuse-IoT Support | |
I(2)(m) | Option to permanently remove all data | Infuse-IoT Support | Infuse-IoT Support |
Annex II
Vulnerability management, disclosure, testing, and update handling obligations that continue after the product ships.
| Annex II | CRA requirement | Infuse-IoT Embedded | Infuse-IoT Cloud | |
|---|---|---|---|---|
II(1) | Document components and vulnerabilities | Infuse-IoT Support | Process Support | |
II(2) | Rapidly remediate vulnerabilities with security updates | Process Support | Process Support | |
II(3) | Regularly test and review product security | Process Support | Process Support | |
II(4) | Disclose fixed vulnerabilities and remediation guidance | Process Support | Process Support | |
II(5) | Maintain coordinated vulnerability disclosure policy | Process Support | Process Support | |
II(6) | Provide vulnerability reporting contact channel | Process Support | Process Support | |
II(7) | Securely distribute timely security updates | Process Support | Process Support | |
II(8) | Provide free, timely security patches | Process Support | Process Support |
Start building with Infuse-IoT
