Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is an EU regulation for products with digital elements, including hardware and software made available on the EU market. It introduces mandatory cybersecurity requirements for manufacturers across the product lifecycle, including planning, design, development, production, and maintenance. It also introduces vulnerability-handling obligations during the support period of the product, and some products may require conformity assessment by a notified body before they are placed on the market.
Important dates:
- 10 December 2024: The CRA entered into force, but it applies in stages.
- 11 September 2026: Reporting obligations start. These include obligations to report certain actively exploited vulnerabilities and severe incidents.
- 11 December 2027: The main product obligations apply.
This page summarizes Variscite's general CRA-related positioning for customers using Variscite System on Modules and reference software releases. It explains how Variscite helps customers prepare for CRA-related requirements and how Variscite documentation can support planning for secure, maintainable products.
How Variscite Helps Customers Prepare
For manufacturers building products with Variscite System on Modules, the CRA increases the focus on lifecycle planning, vulnerability handling, update strategy, documentation, and device security.
Variscite helps customers prepare for these areas by providing:
- System on Module hardware with predictable long-term availability and support planning through Variscite's product longevity program
- Reference software releases for supported operating systems and software platforms, validated on Variscite evaluation kits through automated and hands-on testing
- Periodic maintenance releases on selected branches, as defined in the Software lifecycle documentation
- Release documentation, build instructions, and how-to guides
- Enablement paths for selected security and update capabilities
Together, these resources give customers a practical starting point for product development and long-term maintenance planning.
How Variscite Documentation Should Be Used
Variscite documentation helps customers start from a supported foundation and navigate available implementation paths for applicable releases.
For CRA-related planning, customers should use Variscite documentation to:
- Identify the exact SoM, OS, and release used as the product starting point
- Understand the lifecycle status of that release
- Review which update and security capabilities are documented for that release
- Locate release-specific implementation guidance
Exact commands, package names, generated artifacts, and supported features can vary by SoM, operating system, and release.
Risk-based product decisions
The CRA does not define one required product architecture or implementation model. Manufacturers of finished products are expected to make risk-based decisions based on their specific product requirements and support obligations.
Variscite helps with this planning by providing maintained reference software releases and release-specific implementation guidance. Customers can use these resources to evaluate available options, choose a suitable starting point, and adapt the final product software to their own requirements.
Security and update topics
Variscite documents customer implementation paths for selected topics such as:
- SBOM generation
- Software updates and OTA approaches
- Secure boot
- TPM or trusted key storage paths
- Encrypted storage and related device-security building blocks
Availability depends on the SoM, software family, and release. Variscite documentation helps customers identify supported capabilities and locate the relevant guidance.
Reference software releases versus finished products
Variscite reference software releases should be understood as a starting point for product development, not as turnkey production images.
Manufacturers generally use the applicable Variscite software release as the base for their own product software, then adapt it by removing unneeded components, adding product-specific software, enabling required security features, validating the result, and maintaining the deployed product over time.
This distinction also applies to the boot chain. Variscite SoMs are shipped with U-Boot as a factory and bootstrap tool for bring-up and manufacturing use. It is not intended to remain as the production bootloader of a finished product. In a production flow, manufacturers replace it with the boot software delivered as part of their selected software release and overall product software image.
Release maintenance
Variscite performs ongoing release maintenance on selected branches for supported software families.
Maintenance scope varies by software family, branch, and release. Relevant details include the exact release in use, its lifecycle status, and the associated maintenance and update model. Use the Software Release Finder to identify the applicable release, and see the Software lifecycle overview for lifecycle expectations.
Next steps
For broader background on how Variscite structures software support, lifecycle planning, and long-term maintenance across software families, see Variscite's Software Support Strategy.