Embedded Systems Blog

One Year Until Your CRA Obligations Begin

September 10th, 2025

The first part of the EU Cyber Resilience Act (CRA) obligations applies from September 11th, 2026. For many companies this still feels far away, but compliance takes months of preparation: do not wait too long to establish or verify your vulnerability handling processes.

Vulnerability Reporting Under CRA

From that date forward, vulnerability handling and reporting obligations apply to ALL products with digital elements offered on the EU market.

Manufacturers must:

  • Maintain a 24/7 process to accept and review vulnerability reports from customers, researchers or suppliers.
  • Start the 24h/72h clock the moment your organization becomes aware of a potential vulnerability in your product, whether it is confirmed or not.
  • Within 24 hours: if the vulnerability is actively exploited or under attack, send an early warning notification to ENISA or your national notification body.
  • Within 72 hours: if the vulnerability could impact the cybersecurity of your product, provide a notification with initial assessment details to ENISA or your national notification body.
  • Continue the evaluation and proper scoring (e.g. CVSS) while the investigation is ongoing, updating the notifications as more data becomes available.
  • Support the product: provide mitigation documentation or updates with fixes for as long as it is offered on the EU market or supported.
  • Keep customers informed without undue delay once a fix or mitigation exists.
  • Within 14 days after a fix or mitigation is available: submit a final detailed vulnerability report including root cause and corrective measures.
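As an added example (not from this blog post or from Embedded Systems Academy), the Python tracker below models the deadlines listed above: it takes the moment of awareness, whether the vulnerability is actively exploited or could impact security, and when a fix becomes available, and reports what is due, what is overdue and what comes next. The names VulnerabilityCase, reporting_deadlines, overdue and next_due and the sample case are this example's own, and treating the 24h/72h/14-day clocks as plain wall-clock durations from awareness (or from fix availability) is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Deadlines as the post lists them. Assumption: plain wall-clock durations
# measured from the moment of awareness (or from fix availability).
EARLY_WARNING = timedelta(hours=24)   # actively exploited / under attack
NOTIFICATION = timedelta(hours=72)    # could impact product cybersecurity
FINAL_REPORT = timedelta(days=14)     # after a fix or mitigation is available


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (keeps the sample data short)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class VulnerabilityCase:
    """One potential vulnerability in a product, tracked from first awareness.
    Field names are this example's own, not taken from the CRA text."""
    case_id: str                      # internal ticket id (constructed)
    aware_at: datetime                # moment the organisation became aware
    actively_exploited: bool          # known to be exploited or under attack
    may_impact_security: bool         # could impact the product's cybersecurity
    fix_available_at: Optional[datetime] = None
    submitted: set = field(default_factory=set)   # notifications already sent


def reporting_deadlines(case: VulnerabilityCase) -> dict:
    """Map each notification the case requires to its due time.
    The clock starts at awareness, confirmed or not."""
    due = {}
    if case.actively_exploited:
        due["early_warning"] = case.aware_at + EARLY_WARNING
    # An actively exploited flaw impacts security by definition, so it also
    # needs the 72 h notification with initial assessment details.
    if case.may_impact_security or case.actively_exploited:
        due["notification"] = case.aware_at + NOTIFICATION
    if case.fix_available_at is not None:
        due["final_report"] = case.fix_available_at + FINAL_REPORT
    return due


def overdue(case: VulnerabilityCase, now: datetime) -> list:
    """Required notifications that are past due and not yet sent, earliest first."""
    late = [(t, name) for name, t in reporting_deadlines(case).items()
            if name not in case.submitted and now > t]
    return [name for _, name in sorted(late)]


def next_due(case: VulnerabilityCase, now: datetime):
    """(name, hours remaining) for the nearest unsent deadline, or None.
    A negative number of hours means that deadline has already passed."""
    pending = [(t, name) for name, t in reporting_deadlines(case).items()
               if name not in case.submitted]
    if not pending:
        return None
    t, name = min(pending)
    return name, (t - now).total_seconds() / 3600


# Constructed sample: a report arrives on the first day the obligations apply.
SAMPLE = VulnerabilityCase(
    case_id="VULN-0001",
    aware_at=utc(2026, 9, 11, 8, 0),
    actively_exploited=True,
    may_impact_security=True,
)

if __name__ == "__main__":
    now = utc(2026, 9, 13, 9, 0)                     # 49 h after awareness
    print(reporting_deadlines(SAMPLE))
    print("overdue:", overdue(SAMPLE, now))          # ['early_warning']
    print("next:", next_due(SAMPLE, now))            # ('early_warning', -25.0)
    SAMPLE.submitted.add("early_warning")
    print("next:", next_due(SAMPLE, now))            # ('notification', 23.0)
    SAMPLE.fix_available_at = utc(2026, 9, 20)
    print(reporting_deadlines(SAMPLE)["final_report"])   # 2026-10-04 00:00 UTC
```

A real process would persist these cases in the ticketing system and alert well before each due time; the point of the model is that the clock runs from awareness, not from confirmation, and that a new deadline appears the moment a fix or mitigation is available.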

This is not optional! Failure to comply can mean heavy fines or even blocked market access. Do not underestimate the effort of setting up such a process.

Our free CRA Intro Course

To help companies get started, we published a free 30-minute session on our online academy at https://emsa.courses/course/cra-can-opener

This course gives you:

  • A CRA overview and what it really means for product manufacturers,
  • A practical look at vulnerability handling and CVSS scoring,
  • Examples specific to embedded systems with CAN or CANopen channels.

Our commercial in-depth CRA training is not just theory. It includes guidelines, checklists and templates that you can use in your own CRA preparation.

Categories: CAN, CANopen, Security

Preparing CAN based Products for the EU Cyber Resilience Act (CRA)

September 5th, 2025

The CRA will significantly affect all digital products, including those based on the Controller Area Network (CAN) and using protocols like CANopen. Under the CRA, manufacturers must manage and report vulnerabilities with clear severity scoring. This applies not only to newly developed products but also to products already placed on the EU market.

To support companies in this transition, Embedded Systems Academy continuously publishes white papers that address the different aspects of CAN security and CRA compliance. Currently three papers are published at:
https://www.esacademy.com/en/library/security-white-papers.html

The first, Security Justification for Classical CAN Systems (EmSA-WP-101), explains under which circumstances lightweight or non-cryptographic measures can be sufficient. It shows how techniques like physical access control and event monitoring can provide compliance where full cryptography is impractical. The paper maps these measures against IEC 62443, BSI TR-02102 and CRA requirements and presents structured arguments that auditors can follow.

The second, Interface Driven Security Evaluation for Sensors (EmSA-WP-102), analyses how the choice of sensor interfaces, from memory bus and SPI/I²C to CAN, changes the security evaluation. The central message is that risk depends more on the exposure of the interface than on the protocol itself. Deeply embedded CAN systems may be sufficiently secure. But exposed systems, such as wiring accessible behind easily opened panels, often require additional mitigations. Methods could be as simple as timing checks but also involve cryptography like an authenticated heartbeat. The paper aligns these evaluations with IEC 62443, ISO/IEC 27005 and CRA expectations.

The third, Common Vulnerability Scoring System (CVSS) for CAN (EmSA-WP-103), provides guidance on applying CVSS v4.0 to CAN devices. Because CRA requires vulnerabilities to be reported with standardized severity scores, this paper adapts the CVSS methodology to include CAN-specific considerations. It explains how confidentiality, integrity and availability impacts should be assessed at both node and system levels. It demonstrates how measures such as event monitoring or cryptographic authentication can reduce scores from high to low risk.

These papers are a practical toolkit for organizations producing CAN nodes or machinery using CAN systems. By adopting these approaches now, companies can prepare for the CRA with confidence and ensure that their products remain secure and compliant.

Regulation to Revenue: Turning CRA Into a Business Win

May 17th, 2025

While preparing our new Cyber Resilience Act (CRA) training classes and working with customers tackling CRA requirements, we’ve often encountered a sense of reluctance. The regulation is new, and the workload can seem daunting. But we’ve also seen how those who engage early start to discover real advantages. That’s why we want to share not just the obligations, but also the positive side of CRA compliance.

The CRA is reshaping how digital products are developed and integrated in the European market. Forward-looking component vendors are turning CRA readiness into a commercial advantage. For suppliers of embedded systems, firmware modules, or sub-systems used in larger machines, early alignment offers a real competitive edge.

Turning Compliance into a Market Differentiator

The CRA applies to “products with digital elements”, i.e. all components with software or connectivity. OEMs and system integrators, who are responsible for the CRA conformity of their products, will seek suppliers who make compliance easier.

If you offer CRA-ready components with complete documentation, like technical files, SBOMs, support periods, vulnerability processes or voluntarily the entire risk assessment, then you reduce risk and speed up certification for your customer. That makes you a preferred supplier.

This is especially important for embedded vendors: CAN-based modules, industrial sensors, smart controllers and security gateways are all in scope. If your documentation is ready, you’re ahead of the competition.

The Shift Has Already Begun

Full CRA enforcement begins in December 2027, but purchasing departments will soon start auditing suppliers about their planned compliance. Early adopters have a window to build long-term relationships based on trust and readiness.

Customers will soon ask:

  • Do you have a CRA technical file?
  • Can you provide an SBOM?
  • How and for how long will you provide updates?
  • What’s your vulnerability disclosure process?

If you can answer swiftly and confidently, your product becomes more than compliant: it becomes attractive.

Defense in Depth Starts at the Component Level

CRA embeds specific cybersecurity principles, especially defense in depth: limiting attack surfaces, managing access, validating inputs, secure updates, and ongoing vulnerability management.

Even minor components can be attack vectors. An unmaintained module or undocumented interface can compromise a full system. Your customers want components that help them build secure systems. Your documentation must show that you’re part of the solution.

Short-Term Effort, Long-Term Advantage

Yes, CRA adds some effort:

  • Documenting processes
  • Clarifying support periods
  • Generating SBOMs
  • Setting up secure update mechanisms

But these are reusable across product lines. And they become selling points:
“We provide a pre-filled CRA technical file, saving you time and audit effort.”
Soon, CRA alignment will be part of RFQs, especially in regulated industries. Early movers will already have what’s needed.

How to Start Now

You don’t need a full conformity assessment yet. Start with these:

  1. Draft the basic technical documentation: risk analysis, update policy, SBOM, and contact point.
  2. Educate your team: make sure product and sales staff can explain how you support CRA obligations.
  3. Label your products: terms like “CRA-ready” or “CRA-aligned” will gain traction fast.

Conclusion: Be the Easy Choice

CRA isn’t just a legal requirement; it’s a new trust signal. Vendors who invest in documentation and defense in depth today won’t just be compliant; they’ll be strategic partners.

Integrators will ask: does your component help us get CRA-certified?

If the answer is yes, you’re the easy choice.

If you want to stay updated on our upcoming CRA training classes, follow us on LinkedIn or check this blog regularly. We’ll share practical tips, updates, and announce training availability as we go live.