EU Cyber Resilience Act

CRA compliance for embedded software and firmware

Embedded software and firmware in connected products are in scope for the Cyber Resilience Act. The challenge is usually evidence over long lifecycles: an accurate firmware SBOM, secure updates, and ongoing vulnerability monitoring.

What to focus on

  • Generate an SBOM for firmware and binaries, not just source manifests.
  • Provide a secure update path and a clear support period.
  • Monitor components for new CVEs across the device lifetime.
  • Produce the Annex VII dossier and Declaration of Conformity.

Frequently asked questions

Does the CRA apply to firmware?
Yes — firmware in a connected product is part of a product with digital elements and is in scope. An accurate firmware SBOM and a secure update mechanism are central to compliance.

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See what the CRA requires for your embedded & firmware.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.