Important: This page contains secure information about our products. Sign in to access authorized resources.
Important: This page contains secure information about our products.
View Secure InformationImportant: Authentication is required to view secure content.
reenter your passwordThe Cyber Resilience Act (CRA) is a landmark piece of legislation, ratified by the European Commission in November 2024 (Regulation (EU) 2024/2847). It will come fully into effect in December 2027. This regulation mandates that any company selling products or services with digital elements within the EU must comply with the legislation to obtain the CE mark.
These functional security requirements establish a security baseline for products and services within Europe.
These requirements ensure that companies follow security practices and procedures, including:
NXP values security and compliance highly and we are dedicated to supporting your efforts as a customer to meet your needs and regulatory requirements.
NXP commits to compliance with all applicable laws and regulations. This includes the Cyber Resilience Act (CRA) as it applies to semiconductors. NXP is actively preparing for CRA implementation. Please note that the CRA is scheduled to be enforced starting December 11, 2027, and currently several aspects of the regulation are still evolving and being clarified. NXP is closely monitoring the legislation to ensure compliance. As part of this effort, NXP will provide clear statements outlining how our product family will comply with the applicable CRA classes.
From the date when the CRA compliance applies, all NXP products sold in Europe will attain the CE Mark. NXP has experience with similar requirements in medical, automotive and industrial domains through its secure development process, aligned with ISO and IEC industry certifications like IEC 81001-5-1, IEC 62443-4-1, and ISO 21434.
Get clear guidance on CRA obligations and learn how NXP’s security by design solutions help manufacturers streamline compliance and achieve long term resilience.
NXP's compliance and security certifications are supported by NXP's EdgeLock® Assurance Program and validated through a broad range of security compliance certifications. Company-wide security certifications are available here.
Our processes support the key principles of the CRA, including:
The comprehensive overview of NXP's security development process and Information Security Management System (ISMS) describes the company-wide Business Creation and Management (BCaM) framework, the NXP Security Maturity Process (SMP), and the overarching Product Security Program.
Our development process is built on core security-by-design principles, validated and certified against industry standards such as ISA/EIC 62443 4-1 ML3 (Industrial Control Systems), ISO/SAE 21434 (Automotive), and IEC 81001-5-1 (Medical).
Our products undergo rigorous security testing using state-of-the-art tools during development. Some products are also tested by external partners, as detailed in our Certified EdgeLock Assurance Program.
NXP's dedicated Product Security Incident Response Team (PSIRT), working according to specified processes, addresses security vulnerabilities and incidents in a timely manner. The team provides clear guidance on the impact, severity and mitigation of reported vulnerabilities.
NXP actively participates in standardization and industry groups (such as CENELEC, ETSI, GlobalPlatform, Auto-ISAC and Matter) within Europe, contributing to the ongoing definition of the CRA. This involvement ensures that our processes, procedures and practices remain compliant and up to date.
NXP offers a broad portfolio of devices supporting your security applications, featuring robust security capabilities supported by user-friendly tools and our extensive partner ecosystem.
| Required security capability | Supporting security functions | Corresponding protections |
|---|---|---|
| Product configuration |
|
|
| Product authentication |
|
|
| Access to the product |
|
|
| Data protection |
|
|
| Product monitoring and cyber state awareness |
|
|
| Vulnerability fixes and product updates |
|
|
|
|
|
Appropriate protections must be selected based on the identified risks, the applicable threat model, and the defined mitigation measures for the specific use case. Please check NXP product datasheets/security manuals for availability of specific security functions.
NXP implements these protections through a set of integrated security technologies that enable device protection with the robustness, integrity, and resilience required to meet the CRA’s security objectives across the entire device lifecycle.
Provides hardware level isolation of sensitive assets and security functions, offering significantly stronger protection than software only solutions. This silicon anchored separation helps prevent unauthorized access or manipulation of the product, reinforcing secure by design principles and enhancing resilience against attacks across the device lifecycle. This mechanism is relevant for CRA essential cybersecurity requirements addressing data protection (1(2) d, e, g, h, k, m).
Provide OEMs with a hardened, third party certified foundation for meeting CRA essential cybersecurity requirements. OEMs can leverage tamper resistant key and credential storage, built in cryptographic engines, and support for secure attestation and update verification to implement secure by default end products. Additionally, the Common Criteria certification of the EdgeLock secure element and authenticator family may streamline conformity assessment for end products. This mechanism is relevant for CRA essential cybersecurity requirements addressing data protection (1(2) d, e, g, h, k, m).
Supports CRA’s essential cybersecurity requirements (1(2) b, c, d, e, f, h, m) for secure supply-chain practices by ensuring that unique device identities, certificates, and credentials are provisioned in a controlled, traceable, and tamper resistant manner.
Implements mechanisms that detect and respond to attempts to interfere with the device. This supports CRA’s essential cybersecurity requirements (1(2) d, e, f, j, k) for preventing unauthorized access or manipulation, reducing the impact of security incidents, and strengthening overall product resilience.
Introduces cryptographic algorithms designed to resist future quantum based attacks. This aligns with CRA’s essential cybersecurity requirements (1(2) d, e, f, h, k, m).
Explore the upcoming regulatory challenges and learn how NXP empowers customers to achieve CRA compliance.
|
The Cyber Resilience Act (CRA) — A Paradigm Shift Discover how the CRA is reshaping product security expectations and how NXP empowers manufacturers with scalable, compliance ready solutions to meet the new regulatory era with confidence. |
Training Presentation |
Jan 1, 2026 |
|
|
AN14671: Ease CRA compliance with EdgeLock Discrete Portfolio Discover how the EdgeLock Discrete portfolio can support OEMs in implementing the CRA requirements |
Application Note |
Oct 13, 2025 |
|
|
Secure by Design: Foundational Security for Embedded Systems Explore how NXP and PHYTEC enable secure embedded systems by integrating hardware-based security, secure design principles, and lifecycle management. |
White Paper |
Jul 10, 2025 |
|
|
Complying with the Cyber Resilience Act (CRA) Explore how to meet CRA requirements for secure product design and lifecycle. |
White Paper |
Jul 10, 2025 |
|
|
AN14601: Ease CRA Compliance with i.MX 93 Discover how i.MX 93 can support OEMs in implementing the CRA requirements |
Application Note |
Jun 25, 2025 |
|
|
AN14687: Ease CRA Compliance with MCX N Discover how MCX N can support OEMs in implementing the CRA requirements |
Application Note |
Jun 20, 2025 |
|
|
Protecting the Edge at Scale with NXP Security Solutions Explore how NXP delivers scalable, modular security solutions for resilience and compliance, with practical deployment and strong regulatory support. |
Training Presentation |
Jan 1, 2025 |
|
|
As security regulations tighten worldwide, understanding key requirements becomes essential. Learn how NXP can help simplify compliance and strengthen product security across devices and software. |
Training Presentation |
Mar 1, 2024 |
|
|
View all our documents in our document library. |
|||
All information provided by NXP is accurate to the best of NXP's knowledge and will not operate to create or increase any NXP obligation. All information is provided “AS IS” and NXP makes no representation or warranty, express or implied, of accuracy, completeness, that products will be suitable for any specified use, or that the information, test results, analysis or assessments are reliable without further testing or modification by the customer. NXP will not be liable for any damage or loss arising from, in connection with or incident or to any information or assistance provided by NXP. Customers are responsible for the design and operation of their applications and products and are responsible to provide appropriate design and operating safeguards to minimize risks associated with their applications and products.
Even though no company can formally claim CRA conformance yet (notified bodies are not accredited), the CRA explicitly recognizes SESIP-, PSA- and Common Criteria-certified products as ready for conformance.
In practice, these certifications, combined with our EdgeLock Assurance program and our IEC 62443 / ISO 21434-certified development processes, already provide customers with the level of assurance expected under the CRA and position NXP as a low risk, CRA ready supplier.
“Placing on the market” refers to the first time a product is sold or transferred by the manufacturer (e.g., NXP → distributor). This event triggers CRA and CE marking obligations.
“Making available” refers to any later distribution in the supply chain (e.g., distributor → integrator). It may happen multiple times, but it does not reset compliance obligations.
Any product sold on the EU market after December 2027 must meet CRA requirements at the moment it is placed on the market, and this event also starts the support period clock.
CRA conformance means demonstrating that a product meets the Essential Cybersecurity Requirements of the Cyber Resilience Act and is therefore eligible for the CE mark, which is required for selling products in Europe.
To achieve CRA conformance, manufacturers must:
A product can only be considered CRA conformant when all these steps have been fully completed.
A product must comply with the CRA if all three conditions are met:
Additional guidance: The European Commission has published detailed technical descriptions for “Important” and “Critical” product classes under the CRA (Implementing Regulation (EU) 2025/2392), helping manufacturers determine whether their product falls into a higher risk category requiring stricter conformity assessment.
No. The CRA class applies to the final product, not to every individual component. You may use components from any category, as long as you:
Your device’s class determines the conformity assessment you must follow, not the classification of its components.
Starting December 11, 2027, any unit placed on the EU market must comply with the CRA, including legacy products that continue to be sold after this date. CRA, including legacy products that continue to be sold after this date.
CRA compliance is not a one-time activity. Manufactures must maintain:
All categories meet the same essential cybersecurity requirements, but the proof mechanism differs:
Secure Boot is essential, but not sufficient on its own for CRA compliance.
Secure Boot contributes to protecting software integrity, which is required by the CRA, but CRA compliance also requires additional capabilities such as:
Each requirement must be addressed based on a product level risk assessment, and manufacturers must justify any measures that are not implemented.