Page 1
CRA for Device Makers
Applicability for Components, Devices, and Systems
Carlos Serratos
NXP Security Certification Expert
GlobalPlatform Chairman SESIP Ecosystem Adoption WG
May 22, 2025

Page 2
Agenda
- What's the CRA
- CRA Principles
- CRA Conformance
- CRA & Automotive
- Key takeaways

Page 3
What is the Cyber Resilience Act (CRA)
Scope: Europe
Goal: "To harmonise cybersecurity requirements for products with digital elements in all Member States"
Horizontal regulation, touching:
- RED
- NIS2 for critical infrastructure
- AI Act for AI
- eIDAS for wallets/eIDs
- GDPR for data protection
- Liability Act
- Safety Act
- Machinery Directive
- Cybersecurity Act
Mandatory for CE mark from December 2027: Access to the EU market
Penalties: For non-complying essential requirements, it can amount to 15 million or 2.5% of the annual turnover, whichever is higher.
Applicability
- Finished products with digital elements (SW/HW), except products that have an existing European regulation in place:
  - Ground Transportation
  - Air transportation
  - Medical for human and in-vitro diagnostic
- Commercial Software
- HW/SW subcomponents, including MCUs, MPUs, Crypto Processors and Secure Elements used in ANY application, including those above

Page 4
CRA principles
If it's "smart", maybe it is not
- It applies to every "connected" vertical and application (minus medical & automotive systems and vehicles)

Page 5
CRA principles
If it's "smart", maybe it is not
- It applies to every "connected" vertical and application (minus medical & automotive systems and vehicles)
"Everything" is a potential backdoor
- It applies to any HW and SW
- End devices, components, and remote services alike

Page 6
If it's "smart", maybe it is not
- It applies to every "connected" vertical and application (minus medical & automotive systems and vehicles)
"Everything" is a potential backdoor
- It applies to any HW and SW
- End devices, components, and remote s