The European Cyber Resilience Act lists security requirements for any digital product placed on the market within the European Union. Test systems are an important part of meeting those requirements.
What is the CRA?
The European Union announced the Cyber Resilience Act (CRA) in 2020 as part of the EU Cybersecurity Strategy. The CRA was passed in March 2024 and entered into force in the second half of 2024. Some requirements became effective in 2025, and all requirements will be in effect by 2027.
The EU CRA protects consumers by prohibiting the sale of products with inadequate security features. The CRA requires a CE mark that indicates the product complies with the new standards. This requires that all manufacturers and retailers prioritize cybersecurity in their products. It will apply to any product that connects to a network or another device, directly or indirectly. This broad-reaching definition will include everything from smart watches and baby monitors to smart cars and power grids.
Requirements for the EU CRA are documented in Annnex I. How these requirements apply to your test team depend on what you are delivering to your customer - if you are changing products to be delivered to consumers, or if you are building and delivering complete test systems.
Testing Products for Delivery to Europe
If you test products that are sent to Europe, you may need to work with your security team to determine how the CRA requirements will flow down to your test system. Your security team will need to assess the risk that a security vulnerability on your test system would impact the security compliance of the products you ship. In a test system that only interfaces to your device through analog signals, the risk may be very low. But if your test system connects to the device- through a network connection, or other test interface, that may increase the chance an attack could spread from your test system to the device.
Several years ago, some consumer digital photo frames were found to be shipping with a virus installed, which then attacked other computers on the end user's network. Investigators found that the virus was installed during the manufacturing process. It's this scenario that test system security seeks to avoid.
Building Test Systems in Europe
If you buy components to build test systems in Europe, the components you use will need to carry the new CE mark starting in 2027. As you start to plan systems now, you should be working with your suppliers like NI to ensure that they are aware of the European CRA and will be compliant. At NI, we are already meeting with customers to show them our plans for compliance CRA so that they can continue to trust that NI will meet their future needs.
Delivering Test Systems to Europe
If you are a test system developer and your customers are in Europe, you will need to show that the systems you are building meet the requirements of the CRA. That means that the components you buy will need to meet the requirements and carry the CE mark. It also means that the work you do to develop and build the system follow these requirements. You will need to have a development plan that addresses all of the parts of Annnex I. We address these requirements in the next article, EU CRA Requirements.