Cyber Resilience Act (CRA)

Introduction

The European Cyber Resilience Act (CRA) defines essential cybersecurity requirements for all products with digital components and their integrated remote data processing. GigaDevice integrates CRA compliance into every stage of our product lifecycle, ensuring that our products and solutions are designed, manufactured, and maintained with security as a priority. Our approach helps customers deploy secure and resilient solutions in line with European regulations.

Timeline

  • 2027
    December 11
    Product compliance obligations begin

    All products placed on the EU market must be fully CRA-compliant.

  • 2026
    September 11
    Incident reporting obligations begin

    Manufacturers must start reporting actively exploited vulnerabilities and security incidents within 24 hours of awareness.

  • 2026
    June 11
    Notification of Conformity Assessment Bodies required

    Manufacturers must begin notifying relevant authorities (e.g. ENISA or national bodies) about their product categories and conformity plans.

  • 2025
    December 11
    Implementation Act entry into force

    The EU formally activates the secondary legislation that defines how CRA will be enforced.

  • 2024
    December
    Entry into force of the CRA

    The CRA officially exists as EU law.

  • 2023
    July
    Council and Parliament proposals introduced

    Member states and the European Parliament submit their proposed amendments.

  • 2022
    September
    Commission draft published

    The European Commission releases the initial draft of the Cyber Resilience Act.

Impact of CRA on Manufacturers

  • Product Requirements
    • Design & Development Phase

      Products shall be designed, developed and produced using secure design principles to ensure security from the source.

    • Product Delivery Phase

      Products must meet basic cybersecurity requirements at delivery, ensuring no known vulnerabilities.

    • Product Operation Phase

      Products shall ensure security of themselves and other devices during operation, maintaining continuous security status.

    • Process & Organizational Capability Phase

      Processes and organizational capabilities shall follow security risk-based best practices to effectively address various security risks.

  • Vulnerability Handling Process
    • Identification & Documentation

      Identify and document product dependencies and vulnerabilities, including Software Bill of Materials (SBOM).

    • Technical Validation & Impact Assessment

      Analyze reported vulnerabilities and identify the scope of affected products. Conduct security testing on digital products to assess their security capability.

    • Risk Assessment & Severity Classification

      Use industry-recognized methods to assess the severity of confirmed vulnerabilities. Promptly evaluate the impact of identified vulnerabilities so that products remain free from known vulnerabilities.

    • Remediation & Security Update Support

      Provide remediation measures and security update support for products for the expected lifetime or the declared support period of the product, delivering security updates and patches in a timely manner, accompanied by appropriate explanatory information.

    • Public Disclosure

      Publicly disclose information on remediated vulnerabilities and follow the coordinated vulnerability disclosure policy.

  • Information and Labeling
    • CE Marking

      Products must bear CE marking indicating compliance with relevant EU standards.

    • Vulnerability Reporting Contact Information

      Provide contact details for reporting vulnerabilities to facilitate user feedback.

    • Manufacturer Support Information

      Specify the type and duration of support provided by the manufacturer.

    • Usage and Data Processing Instructions

      Provide instructions for secure usage and secure data deletion.

    • EU Declaration of Conformity

      Attach EU Declaration of Conformity documents proving product compliance.

Impact of CRA on Semiconductor Suppliers

Hardware & Firmware Security

GigaDevice products with security features, together with their associated firmware, address the CRA's secure design requirements and provide a root of trust and secure execution environments.

  • Design & Development Processes
    • Dedicated security architecture and security design team

    • Security design flow compliant with process standards

  • Secure Hardware Foundations
    • Integrate hardware based security primitives such as secure boot support, hardware root of trust, protected key storage to provide a trusted foundation for secure system operation

  • Secure Firmware Architecture
    • Design our firmware and reference software to support secure boot chains, firmware authenticity verification, memory protection and secure debugging interfaces

  • Cryptography & Key Management Support
    • Support encryption, authentication, secure communications

    • Key and credential management services

  • Secure Update & Lifecycle Support
    • Support mechanisms for secure firmware updates to help maintain security throughout the product lifecycle

    • Secured manufacturing process and methodology

Vulnerability Management

Regular security updates and a transparent vulnerability disclosure process help customers maintain compliance throughout the product lifecycle.

  • Vulnerability Intake & Documentation

    Provide a dedicated channel for reporting security vulnerabilities with the Product Security Incident Response Team (PSIRT). Receive and log vulnerabilities related to semiconductor products, SDKs, firmware and reference codes, etc.

  • Technical Validation & Assessment

    Technically analyze reported vulnerabilities to confirm whether they are related to our products or software components, and to identify the affected semiconductor devices, SDKs, firmware versions, or reference implementations.

  • Risk Assessment & Severity Classification

    Assess the severity of confirmed vulnerabilities using industry-recognized methodologies, and evaluate their potential exploitability and impact on affected semiconductor products and software components.

  • Remediation & Security Update Support

    Implement appropriate remediation measures or mitigation measures such as updates to SDKs, firmware, or configuration guidance. Provide security update support or mitigation information to customers.

  • Public Disclosure

    Publicly disclose information on remediated vulnerabilities and follow the coordinated vulnerability disclosure policy.

Documentation Support

We provide comprehensive security manuals, compliance guides and other materials to assist customers in conformity assessment procedures.

FAQ

  • Q1: What is the purpose of the CRA (Cyber Resilience Act)?

    The CRA aims to ensure that connected products placed on the EU market meet consistent cybersecurity requirements throughout their entire lifecycle. It defines mandatory rules for secure design, secure development, vulnerability handling, and timely security updates. Its purpose is to ensure a high level of cybersecurity for products with digital elements and their integrated remote data processing solutions. It also improves transparency about the security of hardware and software products.

  • Q2: How will the CRA impact device manufacturers using GigaDevice products?

    Manufacturers must ensure their end products comply with CRA requirements, including secure integration of components, risk assessments, and continuous vulnerability management. GigaDevice supports customers by offering secure MCU features, reference implementations, and lifecycle security guidance to help simplify compliance efforts. We also work with partners to provide third-party software solutions with stronger security provisioning and shorter design cycles for our customers.

  • Q3: How do I report a vulnerability case?

    Please visit the Report Product Security Vulnerabilities page on our website and provide the information related to the vulnerability case. Our PSIRT team will contact you as soon as possible after receiving the inquiry.

Report Product Security Vulnerabilities

GD PSIRT stands for GigaDevice Product Security Incident Response Team. GigaDevice is highly committed to eliminating security vulnerabilities for our customers. PSIRT is responsible for the collection, assessment, reporting and remediation of security vulnerabilities related to GigaDevice products.