Cyber Resilience Act: What embedded systems manufacturers must do now
11 Sep 2026: CRA notification duty
Every machine with firmware is a regulated product from 11 September 2026, with a 24-hour vulnerability notification duty.
What CRA means for OEMs
Product with digital elements (CRA Art. 3)
Any software or hardware product that can be connected directly or indirectly to a network or device — including firmware, embedded operating systems, and remote access solutions.
All of the following are CRA-relevant if you manufacture them:
Deadlines
CRA timeline
| Date | Milestone | What it means for manufacturers |
|---|---|---|
| 10 December 2024 | CRA in force | Adapt processes now |
| 11 September 2026 | Notification duty active | 24h initial report to cert.at + ENISA |
| 11 December 2027 | Full application | CE marking · cybersecurity duty |
Classification
CRA Annex II: which category is your product?
| Category | Conformity path | Typical products |
|---|---|---|
| Standard products | Self-assessment (Annex IX) — no third party | Simple sensors, standard IoT devices |
| Important products Class I (Annex II) | Self-assessment OR voluntary third-party cert; without harmonised standard: third party mandatory | Industrial firewalls, standard PLCs, industrial routers |
| ⚠ Important products Class II (Annex II) | Mandatory third-party assessment | Safety controllers, industrial gateways with remote access, PLCs in critical infrastructure |
Annex I
Security by design (5 requirements)
- ✅ No known vulnerabilities at market placement
- ✅ Secure by default: no default passwords, no open ports without need
- ✅ Minimal attack surface: only necessary interfaces enabled
- ✅ Authentication against unauthorised access
- ✅ Encryption of sensitive data — in transit and at rest
SBOM — new obligation under CRA Art. 13
CRA Art. 13 requires manufacturers to create an SBOM — a machine-readable inventory of all software components.
- Format: CycloneDX or SPDX (not PDF)
- Content: all components incl. open-source libraries, version numbers, CVE references
- Legacy systems: SBOM creation is often the hardest CRA step — reverse engineering dependencies may be required
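To make the SBOM content requirement concrete, here is an added example (not Solvetronix code and not part of the original page) that assembles a minimal CycloneDX 1.5 JSON document from a component inventory and then checks it for the gaps that make an SBOM useless in a 24-hour notification situation: components without a version number, vulnerability entries that do not point at an inventory entry, and malformed CVE identifiers. The component names, versions and the CVE placeholder are constructed sample data; the `pkg:generic/...` purl scheme is an assumption chosen for brevity.

```python
"""Minimal CycloneDX JSON SBOM builder and content checker.

Added example, not Solvetronix code. Component names, versions and the
CVE placeholder below are constructed sample data, not real findings.
"""
import json
import re

# CVE identifiers are CVE-<year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def make_component(name, version, ctype="library"):
    """One CycloneDX component. The purl doubles as the bom-ref so that a
    vulnerability entry can point at exactly one inventory entry."""
    ref = f"pkg:generic/{name}@{version}" if version else f"pkg:generic/{name}"
    return {"type": ctype, "name": name, "version": version, "purl": ref, "bom-ref": ref}


def build_sbom(product_name, product_version, components, vulnerabilities):
    """Assemble a CycloneDX 1.5 document.

    `vulnerabilities` is a list of (cve_id, component_bom_ref) tuples rendered
    into the CycloneDX 'vulnerabilities' array, so each CVE reference is tied
    to the affected component rather than floating loose in a PDF.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": make_component(product_name, product_version, "firmware")},
        "components": components,
        "vulnerabilities": [
            {"id": cve, "affects": [{"ref": ref}]} for cve, ref in vulnerabilities
        ],
    }


def check_sbom(sbom):
    """Return findings for gaps that would block vulnerability triage:
    missing versions, vulnerabilities on unknown refs, malformed CVE ids."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    refs = set()
    for comp in sbom.get("components", []):
        refs.add(comp.get("bom-ref"))
        if not comp.get("version"):
            findings.append(f"component {comp.get('name')} has no version")
    for vuln in sbom.get("vulnerabilities", []):
        vid = vuln.get("id", "")
        if not CVE_RE.match(vid):
            findings.append(f"vulnerability id {vid!r} is not a CVE id")
        for aff in vuln.get("affects", []):
            if aff.get("ref") not in refs:
                findings.append(f"{vid} affects unknown component ref {aff.get('ref')!r}")
    return findings


# Constructed inventory for a fictional legacy device (versions are made up).
# One component deliberately lacks a version, which is typical when
# dependencies have been reverse engineered from a shipped binary.
SAMPLE_COMPONENTS = [
    make_component("mbedtls", "2.16.0"),
    make_component("lwip", "2.1.2"),
    make_component("vendor-bootloader", ""),  # version could not be recovered
]
# Placeholder CVE id, not a real vulnerability.
SAMPLE_VULNS = [("CVE-0000-00000", "pkg:generic/mbedtls@2.16.0")]


def demo():
    """Build the sample SBOM and run the checker over it."""
    sbom = build_sbom("example-plc-firmware", "1.4.2", SAMPLE_COMPONENTS, SAMPLE_VULNS)
    return sbom, check_sbom(sbom)


if __name__ == "__main__":
    sbom, findings = demo()
    print(json.dumps(sbom, indent=2))
    for finding in findings:
        print("FINDING:", finding)
```

Running the script prints the JSON document and one finding for the unversioned bootloader component; that finding is exactly the kind of gap that has to be closed before the inventory can answer "are we affected?" within the 24-hour window.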
Reporting duty
24-hour notification table
| Deadline | Notification | Recipient (Austria) | Content |
|---|---|---|---|
| 24 hours | Initial report (early warning) | cert.at / GovCERT Austria + ENISA | Knowledge that vulnerability is actively exploited |
| 72 hours | Follow-up report | cert.at / GovCERT Austria + ENISA | Severity, initial cause assessment |
| 14 days after update | Final report | cert.at / GovCERT Austria + ENISA | Full analysis, measures, fix provided |
⚠ Fielded legacy products: the notification duty from 11 Sep 2026 also applies to vulnerabilities in already shipped devices. Without a vulnerability disclosure policy, you are non-compliant from the first known incident.
IEC 62443: the OT security standard for your control systems
OWASP Embedded Top 10 applies at MCU/SoC level. For industrial control systems (PLC, IPC, safety controller), customers and market surveillance check against IEC 62443-4-2:2019 (Security Level SL-C 1–4). Solvetronix supports both standards.
Penalties
CRA fines
| Violation | Maximum fine (€ or % of annual worldwide turnover) |
|---|---|
| Annex I violation | €15M or 2.5% |
| Other violations | €10M or 2% |
| False information | €5M or 1% |
Deliverables
What Solvetronix delivers
- ✅ Firmware security audit per OWASP Embedded Top 10 + IEC 62443-4-2
- ✅ Security-by-design consulting for new and existing products
- ✅ Vulnerability disclosure policy creation
- ✅ OTA update architecture (signed, secure firmware rollout)
- ✅ Notification process for cert.at / ENISA 24h reporting
- ✅ SBOM creation for new and legacy products (incl. reverse engineering)
CRA readiness for your products?
We assess your firmware, SBOM status, and notification process — structured and actionable.
Request CRA Readiness Check