The new CRA in smart energy and what it means for you

With the Cyber Resilience Act (CRA) set to take effect in 2027, cybersecurity is no longer a “nice-to-have” for manufacturers of digital products. It’s becoming a legal obligation that includes mandatory vulnerability handling, secure-by-default configurations, and support obligations across the full lifecycle of the product.

Despite its European origin, the CRA has global reach. Any company selling smart devices into the EU, including smart meters, EV chargers, and substation controllers, will need to comply, regardless of where they manufacture their products.

What about non-EU markets?

You might be asking, ‘Do I really need to worry if I’m based outside the EU?’

The answer is yes — if you’re targeting European customers, the CRA will apply. It will eventually become part of the CE marking process, just like other essential directives.

Plus, similar standards are emerging worldwide. In the United States, the Cyber Trust Mark initiative is gaining ground, while NIST 800-53 already sets detailed cybersecurity expectations for embedded systems. In short, regulatory momentum is global, and cybersecurity by design is fast becoming the norm.

Smart energy devices are especially vulnerable

Devices in the smart energy space are often connected, remotely monitored, and deployed in physically accessible environments, making them a tempting target for cyber attackers.

Historically, many of these devices were built with limited security controls and low processing power. But the CRA sets clear requirements that change this:

  • Products with known vulnerabilities cannot be launched.
  • Devices must ship with secure-by-default configurations.
  • Manufacturers must provide maintenance and security updates throughout the lifecycle.

Understanding the implications and hidden costs

Addressing these vulnerabilities in-house comes with cost and resourcing challenges. For many manufacturers, taking on the responsibility of vulnerability management means building and retaining a dedicated security team. This team can comprise 3–5 full-time people tasked with managing threat response and updates each year.

In addition, designing devices to ship with secure-by-default configurations often means upgrading hardware so it can handle stronger encryption and more robust security protocols. This cost impacts both the Bill of Materials (BOM) and design timelines, while some software stacks are memory-heavy and not optimized for small environments.

The stakes are high: a single undetected cyberattack costs companies an average of $8,851 per minute, and the damage doesn’t stop there. It can go far beyond the balance sheet, with regulatory fines and even critical service disruptions that can put lives at risk.

Getting ahead with authenticity, confidentiality, and integrity

To comply with the CRA and meet similar global expectations, products must embody the core pillars of cybersecurity:

Confidentiality

Use secure key storage, implement TLS/DTLS or IPsec, and enforce strict access controls. These measures limit who can access data and ensure communication remains protected from interception.

Integrity

Protect against tampering and data corruption with cryptographic hashing, secure boot, and storage software that detects and prevents corruption. This is especially important for devices like smart meters that store and log critical operational data.

Authenticity

Verify device and firmware integrity through digital signatures, mutual authentication, and secure firmware updates. Encrypting firmware also protects your IP by preventing reverse engineering.
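As an added example (not code from the original post or from Tuxera), the following Go program shows the authenticity and integrity checks a device would run on a firmware update before applying it: the manufacturer signs the image’s SHA-256 digest with an Ed25519 key, and the device, holding only the public key, verifies the signature first and then binds the received bytes to the signed digest. The manifest layout and the sample image are constructed for illustration, not any vendor’s format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed manifest layout (not any vendor's format): the device stores only
// the manufacturer's public key; the update bundle carries the image, its
// SHA-256 digest, and an Ed25519 signature over that digest.
type Manifest struct {
	Digest [32]byte
	Sig    []byte
}

// SignFirmware runs in the manufacturer's build pipeline, never on the device.
func SignFirmware(priv ed25519.PrivateKey, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{Digest: d, Sig: ed25519.Sign(priv, d[:])}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
)

// VerifyFirmware runs on the device before an update is applied. The signature
// is checked first so an unauthenticated digest is never acted on; the digest
// check then binds the actual image bytes to the authenticated manifest.
func VerifyFirmware(pub ed25519.PublicKey, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.Digest[:], m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2")
	m := SignFirmware(priv, image)
	fmt.Println("genuine:", VerifyFirmware(pub, m, image))
	image[0] ^= 0xff // a single flipped byte: digest check fails
	fmt.Println("tampered:", VerifyFirmware(pub, m, image))
}
```

A production bootloader would additionally pin a minimum version to refuse downgrades and keep the public key in write-protected storage; both are outside what this snippet shows.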

Why choosing the right technology partner is critical

Another key CRA requirement is that devices placed on the market must have ongoing support and vulnerability handling. For many manufacturers, that’s a big operational shift.

Using trusted vendors that specialize in secure storage and protocol stacks for your embedded software libraries reduces costs, the burden on internal teams, and regulatory risk. It ensures you have:

  • A single point of contact for patching and vulnerability disclosures.
  • Long-term support options.
  • Software that evolves with changing compliance standards.

Beyond technology, the right partner can help navigate the practical steps to compliance. Security frameworks like the CRA, NIST, or ISO 21434 require organizations to have secure processes, people, and documentation, not just secure devices.

For many companies, it’s smart to start with the elements common to all these frameworks: maintain up-to-date Software Bills of Materials (SBOMs), evaluate their supply chain, conduct regular threat and risk assessments, compile test reports, and create clear incident and vulnerability response plans.

Preparing your organization internally is equally important. Train teams on cybersecurity best practices, implement data minimization and retention policies, define access control levels, and assign individual roles and responsibilities for managing security and compliance over the long term.

Final thought: The CRA is more than compliance

The CRA is a strategic opportunity. Manufacturers that invest early in building secure, resilient devices will gain a competitive edge, reduce lifecycle costs, and strengthen their standing with customers and regulators alike.

Cybersecurity is no longer a backend concern. It’s central to product design and a key driver of trust and business success, and should start with how you manage your software and embedded systems.
