Security

The Cyber Resilience Act (CRA)

What is the CRA and why should I care?

The Cyber Resilience Act (CRA) is the EU’s new regulation aiming to make digital products — both hardware and software — more secure by design and throughout their lifecycle. It applies to nearly every connected product on the EU market, from smart fridges to SaaS platforms.

Important dates to keep in mind
11 December 2025

The EU adopts technical descriptions of the categories of products with digital elements

11 September 2026

You need to carry out your reporting obligations for actively exploited vulnerabilities and severe incidents

11 December 2026

If your product is considered a “high-risk product”, you need a notified body for an external conformity assessment.

11 December 2027

All your products with digital elements are regulated by the CRA now and need to fulfill the essential cybersecurity requirements and declare conformity.

Class I vs. Class II: How to Know Where Your Product Fits

The CRA introduces a two-tier system for “important” products with digital elements—Class I and Class II—as defined in Article 7 and detailed in Annex III of the regulation. Understanding the distinction is crucial because it determines the type of conformity assessment required.

Secure OTA Updates & Patch Management
What the CRA says:

Under the CRA, handling vulnerabilities isn’t just good practice, it’s the law. Manufacturers have to detect, document, fix, and report exploited vulnerabilities within 24 hours (!), plus submit final reports in just 14 days. Oh, and notify users too, preferably in a machine-readable format.

How balena helps:
Utilize a full Device Management suite for patching and updates.
Enable secure, remote updates to patch all devices without manual intervention.
Mitigate risks on running devices, something the CRA insists on.
Prevent outages by automatically verifying update integrity and rolling back failed updates to a stable version.
Learn how balena provides secure remote updates
Vulnerability Management & Secure Development
What the CRA says:

One of the goals of the Cyber Resilience Act is to make sure that both hardware and software products have fewer vulnerabilities when they are sold and that manufacturers manage security throughout the product's entire life. This includes designing and developing products securely and handling any vulnerabilities that are discovered after the product is on the market.

How balena helps:
Reduce the attack surface for your edge applications with a hardened, minimal, and containerized OS that provides a secure configuration.
Guarantee software authenticity and integrity using Secure Boot and Full Disk Encryption, available for selected device types.
Automate vulnerability tracking for outdated software and CVEs (Common Vulnerabilities and Exposures).
Simplify CVE monitoring by using balena-provided CVE data for OS images in the future, so you just need to monitor your containers' libraries and code.
Enable rapid incident reporting by using fleet observation tools to gather essential data for your mandatory 24-hour notification to EU authorities.
Learn about CRA and vulnerability handling requirements
Supply Chain Security & SBOMs
What the CRA says:

Under the CRA, manufacturers must be able to identify and account for every component in their products, including third-party libraries, system dependencies, and embedded software. This level of visibility is essential not only for compliance, but also for building trust with customers and partners.

How balena helps:
Meet CRA accountability requirements by ensuring your entire supply chain is secure.
Receive a comprehensive SBOM for every component contained in the balenaOS build.
Fulfill a key CRA requirement by implementing a Software Bill of Materials (SBOM) to track all software components and dependencies.
Focus only on your application dependencies, as balena monitors balenaCloud and balenaOS and provides reports.
Provide verifiable proof of compliance to importers and distributors, helping them meet their "due care" obligations under the Cyber Resilience Act.
Learn about how and why SBOMs are regulated
Product Lifecycle & End-of-Life (EOL)
What the CRA says:

The CRA doesn’t stop at product launch—it follows you through the entire lifecycle. From first deployment to final shutdown, manufacturers are expected to maintain security support and clearly communicate when that support ends. That means planning for updates, defining an End-of-Life (EOL) policy, and ensuring devices don’t become vulnerabilities once they’re out of service.

How balena helps:
Ensure product security support and define a clear End-of-Life (EOL) strategy as required by the CRA.
Simplify lifecycle compliance with automatic and remote updates for firmware and software.
Remotely deactivate devices when they reach their End-of-Life.
Securely retire devices by removing applications and user data upon deactivation.
Learn how balena allows for secure device deletion
Compliance Documentation & Audits
What the CRA says:

If your product relies on remote services to function—like cloud dashboards, update systems, or device management—you’re also responsible for securing that infrastructure. The CRA treats these remote data processing components as part of your product, meaning they must meet the same cybersecurity standards. Ensuring confidentiality, integrity, and availability across your backend is just as critical as securing the device itself.

How balena helps:
Comply with CRA requirements for products with digital elements by using balena's platform, which provides a compliant solution for any service that defines, controls, or secures your product.
Leverage secure and ISO 27001:2022 audited cloud services provided by balena.
Meet the CRA remote data processing requirements for device management, vulnerability updates, and fleet observation by using balena's cloud services.
Download our certificates from our Trust Center