One Year Until Your CRA Obligations Begin

The first part of the EU Cyber Resilience Act (CRA) obligations will apply from September 11th, 2026. For many companies, this still feels far away, but the reality is that compliance takes months of preparation, so do not wait too long to establish or verify your vulnerability handling processes.
Vulnerability Reporting Under CRA
From that date forward, vulnerability handling and reporting obligations apply to ALL products with digital elements offered on the EU market.
Manufacturers must:
- Maintain a 24/7 process to accept and review vulnerability reports from customers, researchers or suppliers.
- Start the 24h/72h clock the moment your organization becomes aware of a potential vulnerability in your product, whether confirmed or not.
- Within 24 hours: if the vulnerability is actively exploited or under attack, send an early warning notification to ENISA or your national notification body.
- Within 72 hours: if the vulnerability could impact the cybersecurity of your product, provide a notification with initial assessment details to ENISA or your national notification body.
- Continue evaluation and proper scoring (e.g. CVSS) while investigation is ongoing, updating notifications as more data becomes available.
- Support the product: provide mitigation documentation or updates with fixes as long as it is still offered on the EU market or supported.
- Keep customers informed without undue delay once a fix or mitigation exists.
- Within 14 days after a fix or mitigation is available: submit a final detailed vulnerability report including root cause and corrective measures.
This is not optional! Failure to comply can mean heavy fines or even blocked market access. Do not underestimate the effort of setting up such a process.
Our free CRA Intro Course
To help companies get started, we published a free 30-minute session on our online academy at https://emsa.courses/course/cra-can-opener
This course gives you:
- A CRA overview and what it really means for product manufacturers,
- A practical look at vulnerability handling and CVSS scoring,
- Examples specific to embedded systems with CAN or CANopen channels.
Our commercial in-depth CRA training is not just theory. It includes guidelines, checklists and templates that you can use in your own CRA preparation.