Navigate the EU Cyber Resilience Act (CRA) with confidence
- Security expertise: 30+ years
- Security enabled: 5,000+ products
- Security innovation: 200+ patents
ST is ready to comply with CRA and support its customers throughout their compliance journey.
What is the EU Cyber Resilience Act?
The EU Cyber Resilience Act is a regulation establishing mandatory cybersecurity requirements for products with digital elements sold in the European Union. STMicroelectronics provides complete solutions, expert guidance, and proven certifications to help you achieve CRA compliance faster and more efficiently.
CRA obligations for manufacturers
Secure by design
- Products must be designed with security from the outset, with minimal cybersecurity vulnerabilities
- Obligation to conduct a cybersecurity risk assessment
Conformity
- Products are assessed against the essential requirements through self-assessment or third-party assessment
- Issue an EU declaration of conformity and affix the CE marking
Vulnerability handling
- Set up processes and practices to handle vulnerabilities
- Report actively exploited vulnerabilities
Maintenance
- Support period of at least 5 years after the last sale
- Security updates available for a minimum of 10 years
How ST helps you meet CRA requirements
Secure-by-design products
- ST provides products meeting CRA essential requirements (Annex I Part I)
- Process-level certifications (Common Criteria, SESIP, PSA, ISO 21434) demonstrate systematic security approach
- Product classification support and conformity assessment guidance
Conformity documentation & support
- ST is targeting conformity assessment based on Full Quality Assurance (Module H)
- Comprehensive technical documentation and security ecosystems
- Support for customers through documentation, webinars, and technical resources
Established vulnerability handling
- Established PSIRT following ISO/IEC 29147 and 30111 standards for coordinated vulnerability disclosure
- DevSecOps methodology integrating security throughout product lifecycle
- Automated vulnerability monitoring and Software Composition Analysis (SCA)
Maintenance
- Long-term product support with security updates throughout defined support periods
- Secure provisioning and update mechanisms for some products
CRA implementation timeline
December 10, 2024
Publication of the CRA final text
June 11, 2026
Framework for Notified Bodies operational
September 11, 2026
Reporting obligations begin
24-hour and 72-hour vulnerability reporting required
December 11, 2027
Full compliance enforcement
All products with digital elements sold in the EU must meet essential requirements
ST certifications
Security certifications
- Common Criteria (EUCC)
- EMVCo
- SESIP
- PSA Certified
- ISO 21434 (Automotive cybersecurity)
Process certifications
- ISO 9001
- ISO 27001
- TISAX (Automotive cybersecurity)
Other processes followed
- ISO/IEC 29147: Vulnerability Disclosure
- ISO/IEC 30111: Vulnerability Handling Processes
The EU Radio Equipment Directive (RED) and CRA
The Radio Equipment Directive (EU) 2014/53/EU regulates the placement of radio equipment on the European market. Amended in 2022, RED includes cybersecurity requirements that apply from August 1, 2025, mandating that manufacturers protect network interfaces, safeguard user data, and implement vulnerability management processes. RED complements the Cyber Resilience Act by focusing specifically on radio-enabled devices.
ST resources on CRA and RED
| Document | Type |
|---|---|
| New IoT security standards (SESIP Level 3) | Whitepaper |
| Developing cyber-resilient railway components | Whitepaper |
ST security-related resources
| Document | Type | Description |
|---|---|---|
| STM32 Software security policies Q&A | Wiki | |
| STM32Trust software security policies | Wiki | |
| Embedded Security Solutions & Products | Applications | Overview of ST's security portfolio, including STM32Trust, STSECURE products, secure elements, certifications (PSA, SESIP, Common Criteria), and the Post-Quantum Cryptography program. |
| STM32Trust Security Framework | Ecosystems | Detailed information about STM32Trust's 12 security functions for MCUs and MPUs, supporting certifications (PSA, SESIP, Common Criteria EAL5+), and compliance with security standards. |
| STSECURE - Secure MCUs Portfolio | Products | Complete portfolio of secure microcontrollers for payment, identity, authentication, IoT, and automotive applications. |
| Secure Hardware Platforms | Platform | Details on ST secure microcontrollers, Common Criteria certifications (EAL6+), EMVCo compliance, and hardware security features. |
| Security Embedded Linux | Blog | Effective Security on Embedded Linux with STM32MP1 and STM32MP2: 3 Powerful Lessons for Today’s Decision-Makers |
Partner resources
| Partner | Document | Description |
|---|---|---|
| Avnet Silica | The EU Cyber Resilience Act - The Impact on OEMs and How to Comply | Focus on the STM32H573 device with Arm Cortex-M33 and a SESIP Level 3 compliant Secure Manager root of trust |
| EBV | Radio Equipment Directive & Cyber Resilience Act – Impact on Your MCU Related Cyber Security Applications | Conference session on the RED and CRA impact on MCU-related cybersecurity applications |
Support
Our global team of security specialists is ready to help you navigate CRA requirements and implement compliant solutions.
Contact the ST Online Support Center
If you need assistance or have a private question, open a case through our online support portal and track your ticket.
Join the ST Community
Find answers to your questions and share insights with your peers and ST experts. Join discussion threads, read articles in the knowledge base, or build your skills with online courses from the academy.
Report a potential product security vulnerability
If you wish to report a potential security vulnerability regarding our products, we encourage you to report it to ST PSIRT by following the steps described on this page.
Frequently asked questions
The Cyber Resilience Act (CRA) is a European cybersecurity law aimed at increasing the security of products with connected digital elements. A summary of the law has been made available to the public and is detailed here.
The CRA applies to all products with a connected digital element, enhancing security through mandatory product and process requirements during the development lifecycle. Products are categorized according to their security-related impact. Products already covered by existing mandatory application-specific security regulations are excluded.
The CRA entered into force in December 2024. Vulnerability reporting obligations begin in September 2026. Full compliance is required from December 2027.
ST’s processes and security-certified components provide third-party validated security evidence, significantly reducing CRA certification time and costs.
ST provides a wide range of support through online community forums, application engineering, training programs, and webinars.