The Cyber Resilience Act (CRA) is an EU regulation that sets mandatory cybersecurity requirements for products with digital elements—connected hardware and software that can communicate directly or indirectly with networks or other devices. It introduces secure-by-design and secure-by-default expectations, requires manufacturers to run a structured vulnerability handling process, and ties compliance to EU market access mechanisms such as CE marking.
What Is the Cyber Resilience Act (CRA)?
The CRA establishes a common EU-wide baseline for product cybersecurity across the lifecycle, including:
– Designing products to reduce attack surface and prevent known vulnerability classes
– Providing security updates and handling vulnerabilities throughout a defined support period
– Documenting cybersecurity measures and providing user security instructions
– Enabling market surveillance enforcement for non-compliant products
Why the CRA Matters for EV Chargers
EV chargers are typically connected products (firmware, remote monitoring, networking, backend integration), so CRA requirements are directly relevant to:
– Secure update pipeline and controlled OTA firmware updates
– Protection of charger communications and backend connectivity (CPMS, OCPP)
– Vulnerability management across embedded components and third-party software
– Customer security expectations in public infrastructure, where downtime and abuse risks are high
For charger OEMs, CRA compliance becomes part of product engineering, release governance, documentation, and long-term support commitments.
Who Has Obligations Under the CRA
The CRA assigns responsibilities across the supply chain, with primary obligations on:
– Manufacturers placing products with digital elements on the EU market
– Importers and distributors with specific duties related to compliance and market surveillance cooperation
Key CRA Requirements in Practice
Secure-by-Design and Secure-by-Default
The CRA expects products to be built with cybersecurity as a core engineering requirement, typically including:
– Minimised attack surface (disable unused services, reduce exposed interfaces)
– Secure configuration defaults (no insecure default credentials, least privilege access)
– Protection of confidentiality, integrity, and availability appropriate to the risk
– Clear security instructions for deployment and operation
Vulnerability Handling and Security Updates
A CRA-aligned product lifecycle typically includes:
– A defined process to receive, triage, and remediate vulnerabilities
– Security patches delivered in a timely, controlled way
– Transparency to customers about fixes and required actions
– Evidence of dependency management and product security maintenance
Reporting of Exploited Vulnerabilities and Severe Incidents
The CRA introduces mandatory reporting obligations for manufacturers, including reporting of:
– Actively exploited vulnerabilities
– Severe incidents impacting product security
These reporting obligations apply from 11 September 2026, ahead of the wider CRA application date.
CRA Dates and Implementation Milestones
Key CRA milestones commonly referenced in compliance planning include:
– CRA entered into force on 10 December 2024
– Rules on notifying conformity assessment bodies apply from 11 June 2026
– Reporting obligations apply from 11 September 2026
– Main CRA obligations apply from 11 December 2027
What CRA Compliance Usually Forces Companies to Build
CRA compliance is typically a capability build across engineering, operations, and quality systems:
– Product security risk assessment and security requirements traceability
– Secure development lifecycle controls (testing, reviews, release approvals)
– Secure update governance (versioning, rollback, customer notification)
– Vulnerability disclosure intake and incident response playbooks
– Evidence-ready technical documentation for audits and market surveillance
Common Pitfalls
– Treating CRA as documentation-only instead of lifecycle security engineering
– No clear security support period and update commitment for deployed products
– Uncontrolled firmware releases that break security assurances or interoperability
– Weak third-party component tracking and patch management
– Missing reporting readiness before 11 September 2026
Related Glossary Terms
Cybersecurity Audits
Secure Update Pipeline
OTA Firmware Updates
CI/CD Firmware Deployment
Encrypted Communications
Intrusion Detection
CPMS (Charge Point Management System)
OCPP
Secure Boot