EU Cyber Resilience Act (CRA)
EU Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is a landmark piece of legislation, ratified by the European Commission in November 2024 (Regulation (EU) 2024/2847). It will come fully into effect in December 2027. This regulation mandates that any company selling products or services with digital elements within the EU must comply with the legislation to obtain the CE mark.
The CRA Encompasses Two Sets of Requirements
Essential Cybersecurity Requirements (ECR)
These functional security requirements establish a security baseline for products and services within Europe.
Company Requirements
These requirements ensure that companies follow security practices and procedures, including:
- A development process to eliminate known, exploitable security vulnerabilities upon product release
- Ownership of vulnerabilities throughout the product’s life cycle:
- Transparency in notifying potential issues
- Mitigation strategies
NXP’s Commitment to Compliance
NXP values security and compliance highly and we are dedicated to supporting your efforts as a customer to meet your needs and regulatory requirements.
NXP commits to compliance with all applicable laws and regulations. This includes the Cyber Resilience Act (CRA) as it applies to semiconductors. NXP is actively preparing for CRA implementation. Please note that the CRA is scheduled to be enforced starting December 11, 2027, and currently several aspects of the regulation are still evolving and being clarified. NXP is closely monitoring the legislation to ensure compliance. As part of this effort, NXP will provide clear statements outlining how our product family will comply with the applicable CRA classes.
From the date when the CRA compliance applies, all NXP products sold in Europe will attain the CE Mark. NXP has experience with similar requirements in medical, automotive, and industrial domains through its secure development process, aligned with ISO and IEC industry certifications like IEC 81001-5-1, IEC 62443-4-1, and ISO 21434.
Complying with the Cyber Resilience Act (CRA)
Explore how to meet CRA requirements for secure product design and life cycle.
CRA-Ready with NXP: Ensuring Compliance and Security
NXP’s compliance and security certifications are supported by NXP’s EdgeLock® Assurance Program and validated through a broad range of security compliance certifications. Company-wide security certifications are available here.
Our processes support the key principles of the CRA, including:
- Operating a current Secure Development Lifecycle
- Implementing robust security testing and vulnerability management
- Maintaining security across all operations
- Completing a comprehensive risk management assessment
The comprehensive overview of NXP’s security development process and Information Security Management System (ISMS) describes the company-wide Business Creation and Management (BCaM) framework, the NXP Security Maturity Process (SMP), and the overarching Product Security Program.
Security by Design
Our development process is built on core security-by-design principles, validated and certified against industry standards such as ISA/EIC 62443 4-1 ML3 (Industrial Control Systems), ISO/SAE 21434 (Automotive), and IEC 81001-5-1 (Medical).
No Known Exploitable Vulnerabilities
Our products undergo rigorous security testing using state-of-the-art tools during development. Some products are also tested by external partners, as detailed in our Certified EdgeLock Assurance Program.
Ownership of Vulnerabilities
NXP's dedicated Product Security Incident Response Team (PSIRT), working according to specified processes, addresses security vulnerabilities and incidents in a timely manner. The team provides clear guidance on the impact, severity and mitigation of reported vulnerabilities.
Thought Leadership
NXP actively participates in standardization and industry groups (such as CENELEC, ETSI, GlobalPlatform, Auto-ISAC and Matter) within Europe, contributing to the ongoing definition of the CRA. This involvement ensures that our processes, procedures and practices remain compliant and up to date.
How NXP Can Help You Comply
NXP offers a broad portfolio of devices supporting your security applications, featuring robust security capabilities supported by user-friendly tools and our extensive partner ecosystem.
Security functions available on NXP products map to regulation requirements:
| Required security capability (regulations) | Supporting security functions by NXP solution1 |
|---|---|
| Product configuration |
|
| Product authentication |
|
| Access to product |
|
| Data protection |
|
| Product monitoring and cyber state awareness |
|
| Vulnerability fix and product update |
|
|
|
Documentation
|
Secure by Design: Foundational Security for Embedded Systems Explore the evolving landscape of automotive cybersecurity and discover how to build trust in connected vehicles. |
White Paper | Jul 10, 2025 |
|
Complying with the Cyber Resilience Act (CRA) Explore how to meet CRA requirements for secure product design and life cycle. |
White Paper | Jul 10, 2025 |
Resources
- EdgeLock Assurance Program
- EdgeLock Products
- Product Security Vulnerability
- Security
