EU cybersecurity requirements force embedded systems industry to change

The Cyber Resilience Act (CRA) requires changes to industrial computers, medical electronics, robots, and other embedded systems – with side effects.

(Symbolic image: EU Cyber Resilience Act (CRA). Image: Christof Windeck / heise medien)

The EU's Cyber Resilience Act (CRA) is an important topic at the embedded world 2026 trade fair in Nuremberg. The CRA regulation, which “establishes a minimum level of cybersecurity for all connected products,” is forcing many manufacturers of industrial controls, robots, and measuring devices to make profound changes throughout the entire lifecycle of their products.

Many products may no longer be sold in the EU from the end of 2027 unless they meet the CRA requirements.

Industry insiders expect side effects, such as the discontinuation of older chips and IT components. The CRA could have an impact similar to that of the stricter automotive cybersecurity regulations in force since 2022: these led to models such as the Audi TT and R8, VW T6.1, Porsche Cayman and Boxster, Smart EQ Fortwo, and Renault Zoe no longer being delivered in the EU. According to the respective manufacturers, the effort required to revise these older vehicle types was no longer worthwhile.


Production or delivery stoppages for older IT components can lead to problems with the supply of spare parts for old systems. In addition, there is currently a second issue: the poor availability of DRAM and NAND flash chips.

In an interview with heise online, some exhibitors at the embedded world 2026 trade fair said that they primarily expect the discontinuation of cheaper versions of older product series, because the additional costs for these could only be recouped through higher production volumes. Such volumes are even harder to achieve as RAM and flash memory become increasingly expensive.

At first glance, the CRA requirements do not appear particularly complex. However, the devil is in the details. For example, embedded devices have for years contained a great deal of software, mostly from different sources. On top of that comes the firmware for each individual embedded microcontroller, or the UEFI BIOS.

Furthermore, the security rules, vulnerability reporting obligations, and documentation requirements apply to numerous components of a system and along their entire supply chain.

Another factor for many embedded systems is that they have relatively long development times and are then operated for more than ten years, for example, in industrial controls. Devices currently under development are therefore likely to be in operation until the late 2030s.

For this reason, some manufacturers recommend using, or at least preparing for, quantum-secure encryption (Post-Quantum Cryptography, PQC), at least for secure firmware updates.

(ciw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.