The Cyber Resilience Act covers both software and hardware with digital elements, but the obligations are not identical. Understanding the differences is essential for adapting your compliance strategy.

1. Products Covered

Pure Software (SaaS, applications, firmware)

Software is clearly in scope: web and mobile apps, SaaS platforms, operating systems, firmware, and software libraries. Focus areas include security by design, SBOM, vulnerability management, and security updates.

Connected Hardware (IoT, industrial devices)

Hardware products with digital elements are also covered: consumer IoT, connected medical devices, industrial equipment, and hardware components with firmware. Additional requirements include physical security, secure default configuration, and OTA updates.

2. Key Differences

  • SBOM: Mandatory for both, but for hardware it must also cover the embedded software and the hardware components themselves
  • Updates: Software is updated over the internet (automatic updates recommended); hardware is updated over the air (OTA) or manually, and the update mechanism must be documented
  • Default configuration: Software must ship with secure account settings by default; hardware must not ship with generic default passwords
  • Support lifecycle: Defined by the manufacturer, typically longer for hardware

3. Recommendations

For software publishers: Focus on SBOM, CI/CD pipeline security, and automated vulnerability management. Expert CRA integrates with your existing tools.

For hardware manufacturers: Plan around the constraints of a physical product, namely OTA updates, hardware port security, no default passwords, and a documented support lifecycle.

Whether you develop software or hardware, the CRA applies to you. The key is adapting your approach to your product type.