
The Cyber Resilience Act (CRA) introduced one of the most far-reaching overhauls to digital product cybersecurity in the European Union (EU). As digital and connected products gain widespread adoption, the CRA places newer, stricter obligations on every manufacturer distributing these devices in the European market. These new expectations will raise the bar and introduce sweeping new considerations for engineering teams.
NXP has long anticipated these regulatory shifts and is well positioned to support CRA compliance. The company has played a key role in helping define industry standards and has always built its products according to rigorous security requirements. With solutions including secure development practices, third-party certifications, vulnerability response, documentation support and lifecycle management, NXP is prepared to help customers navigate the new complexities of the CRA.
The CRA establishes mandatory cybersecurity requirements for products with digital elements—including their associated remote data processing and digital services—placed on the EU market. Notably, it makes cybersecurity readiness a prerequisite for obtaining a CE mark, placing security on equal footing with safety. As a result, manufacturers can no longer treat security as a late-stage feature, but instead must adopt a security-by-design approach from the onset of the project.
Generally speaking, the regulation applies to hardware and software products that connect—directly or indirectly, logically or physically—to other devices or networks and that can also process, store, or transmit digital data.
Full enforcement is set to begin on December 11, 2027, with vulnerability reporting obligations taking effect in September 2026. Non-conformance can result in penalties of €15 million or 2.5% of global turnover, whichever is higher.
Clear guidance is essential for meeting industry regulations. Learn how NXP helps manufacturers streamline CRA compliance and achieve long-term resilience.
For manufacturers to meet the new regulation, the CRA outlines several core obligations:
Beyond these foundational obligations, the CRA doesn’t prescribe specific features or architectures. Instead, it places responsibility on manufacturers to perform risk-based decision-making by demonstrating that their chosen mitigation strategies are appropriate for the product’s threat exposure.
NXP takes a comprehensive, security-by-design approach to CRA readiness. The company aligns its development practices with relevant standards and regulations and works with independent third parties to assess its products. Through active participation in global standards bodies and industry working groups, NXP continuously integrates best practices and emerging security criteria into its engineering flows.
NXP also maintains strong frameworks for export control and supply-chain security, supporting the CRA's emphasis on risk-based and well-documented security decisions. This includes clear documentation of risk analyses, implementation choices and design rationales to ensure all security measures remain proportionate to each product's specific threat landscape.
To address both new and legacy products, NXP continually refines its compliance strategies by regularly updating product documentation, integrating enhanced security controls and providing tailored support.
With this dynamic culture of continuous improvement and transparent communication, NXP enables customers to advance confidently toward CRA compliance in a rapidly evolving regulatory environment.
Sharpen your CRA expertise. Explore upcoming regulatory challenges and learn how to accelerate CRA readiness.
NXP’s approach to CRA-ready development is built on secure engineering practices that span the entire product lifecycle. As part of its security-by-design approach, NXP embeds secure practices into every stage of development, from design and production to long-term lifecycle management. These secure development practices are certified by third-party organizations against relevant standards—ISO/SAE 21434 for automotive, IEC 62443-4-1 for industrial, and IEC 81001-5-1 for medical applications.
Complementing these process certifications, selected NXP products undergo independent third-party evaluations using SESIP (EN 17927) or Common Criteria (ISO 15408) methodologies. These assessments validate foundational security capabilities such as secure boot and cryptographic operations, giving manufacturers a clear and proven path toward CRA conformance without requiring redundant evaluation of core security functions.
Together, these secure development processes and certifications reduce integration risk for device manufacturers, streamline conformity assessments and strengthen the security documentation packages required for CE marking and CRA post-market obligations.
Vulnerability handling is one of the CRA’s most consequential requirements because it influences day-to-day engineering operations even after a product ships. As per the CRA, manufacturers are now expected to document and report vulnerabilities, maintain clear procedures for incident response and deliver remediation in a timely manner.
To address exposure promptly, NXP has operated a dedicated Product Security Incident Response Team (PSIRT) for many years. This team is responsible for managing security vulnerabilities in NXP products, including submitting vulnerability reports, conducting technical investigations and assessing severity and impact, while providing customers with clear mitigation guidance.
Beyond helping customers build CRA-compliant post-market processes, this infrastructure also gives device makers a foundation for achieving long-term lifecycle management. As systems become more interconnected and more software-defined, such continuity will be necessary to sustain conformance.
A clear mandate of CRA compliance is its heavy focus on documentation. Manufacturers are expected, at the request of the relevant authorities, to provide risk assessments, software bills of materials (SBOMs), implementation justifications, certificates and evaluation reports. However, many underestimate the effort required to produce and maintain such extensive documentation throughout a product's lifetime.
While the CRA introduces new documentation obligations, several of its requirements notably build on activities engineering teams already perform today, such as preparing security targets and developing mappings to external standards. To support these efforts, NXP provides comprehensive technical resources and documentation. With NXP, customers can access certificates for products and processes, application notes and mappings to standards: EN 18031/RED, ISO 21434, IEC 62443-4-2, EN 303 645, NIST 8425 and more.
Beyond processes and documentation, NXP also offers a range of security technologies designed to strengthen product robustness, integrity and lifecycle resilience. These technologies help manufacturers implement secure-by-design architecture, protect critical assets and maintain resilient products throughout their service life:
The CRA is transforming the European market for connected products and NXP is already prepared for this shift. By working with NXP, customers can accelerate development and move forward with confidence on a reliable foundation for secure design, validated functionality and long-term lifecycle management.
Join us at embedded world 2026 (Booth 4A-222) to dive deeper into CRA-ready development and see our technologies in action:
To explore NXP’s support tailored for CRA conformance and for access to detailed guidance, visit the EU Cyber Resilience Act (CRA) page and download the full FAQ document.
IoT Certification Expert, NXP Semiconductors
Carlos is a specialist in IoT security and regulatory compliance. In his role as IoT Certification Expert at NXP, he engages with policymakers, regulators and industry across verticals and regions, addressing trust enablement issues for compliance, risk management, and accountability purposes. He's a subject expert in security regulatory compliance, the development of schemes and standards and their applicability in IoT markets. He is currently participating in the Connectivity Standards Alliance Product Security Working Group, co-chairing the Product Security Certification and Regulatory activities.
Product Marketing Secure Connected Edge, NXP Semiconductors
Camille is a Product Marketing Manager for Security and Factory Automation, where she drives the security value proposition across NXP's edge processing portfolio, helping customers navigate emerging cybersecurity regulations and adopt robust security capabilities for connected edge devices. She also manages marketing activities for Factory Automation, contributing to positioning strategies and go-to-market initiatives for NXP's industrial edge processing solutions. Before joining NXP, Camille held product and marketing roles across industrial IoT and embedded systems and gained entrepreneurial experience as the co-founder of early-stage technology ventures.
Senior Product Manager, NXP Semiconductors
Giuseppe Guagliardo is a Senior Product Manager in the Industrial IoT and NFC Security team, where he drives the secure element offering for Industrial IoT products, making security more accessible and scalable. He works closely with customers to help them understand security threats, navigate evolving cybersecurity trends and implement robust solutions for Industrial IoT. Giuseppe brings extensive experience in system engineering, with expertise spanning IoT, edge and cloud architectures, healthcare technologies, standardization and cybersecurity.