1. Disclaimer
• This Q&A, associated with all ST deliverables, is a tentative interpretation of the current status of the CRA regulation and its impacts, intended to help our customers and developers prepare for future compliance requirements
• This is not a legal view of the regulations
• Some of these interpretations may vary, and changes may occur over time
• Industry standards bodies and consortiums are actively working on clarifying applicability and conformance
• All information and links are subject to change
2. What are the application dates of CRA?
“The Cyber Resilience Act entered into force on 10 December 2024. The main obligations introduced by the CRA will apply from 11 December 2027” Source: Cyber Resilience Act | Shaping Europe’s digital future
Note that the application date for the reporting of security incidents is 11 December 2026.
3. How do I know if my product is impacted?
“The regulation applies to all products connected directly or indirectly to another device or network except for specified exclusions such as certain open-source software or services products that are already covered by existing rules, which is the case for medical devices, aviation and cars.” Source: Cyber Resilience Act | Shaping Europe’s digital future
In addition, according to REGULATION (EU) 2024/2847:
“‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately”
“Article 2(1): This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network”.
4. Will CRA apply to medical devices?
“The regulation applies to all products connected directly or indirectly to another device or network except for specified exclusions such as certain open-source software or services products that are already covered by existing rules, which is the case for medical devices, aviation and cars.” Source: Cyber Resilience Act | Shaping Europe’s digital future
Additional interpretation given to ST: the CRA may apply to a medical device that is not subject to an existing regulation, such as Regulation (EU) 2017/745 on medical devices or Regulation (EU) 2017/746 on in vitro diagnostic medical devices.
5. Will ST classify its STM32 MCUs & MPUs?
Yes, at the date of CRA application STM32 devices will have to be classified as default class, Class I or Class II. The classification of each device will be documented by ST and made publicly available.
6. How do I know which CRA class my product is?
Annex III of REGULATION (EU) 2024/2847 provides the product lists for Class I, Class II and the critical class. If your product is not listed there, you have good reason to believe it falls into the default class.
However, many horizontal application working groups are working to better define and position the product lists.
REGULATION (EU) 2024/2847 “Article 7.4 By 11 December 2025, the Commission shall adopt an implementing act specifying the technical description of the categories of products with digital elements under classes I and II as set out in Annex III and the technical description of the categories of products with digital elements as set out in Annex IV.”
We invite readers to check the official European Community websites for official information at the date of application. To participate, one can also visit: Technical description of important and critical products with digital elements.
7. How do I know which CRA class is STM32?
The classification of the device will be documented by ST and made publicly available.
The definition of the classes is under further clarification by the European community.
For MCUs & MPUs we believe that products without security features will be classified in the default class; products with security features, such as cryptographic accelerators, random number generators or isolation mechanisms, will be in Class I; and products with such security features that also claim physical attack resistance will belong to Class II.
8. I developed a product many years ago, am I impacted?
Products produced or imported within Europe after 11 December 2027 are impacted. Therefore, we believe that legacy products are impacted.
Furthermore, if a device was produced or imported into the EU before the application date but is substantially modified after it, the CRA may apply.
A detailed table is given below:
9. Do I need CE marking on my device and if yes how?
The answer is YES: “Products will bear the CE marking to indicate that they comply with the CRA requirements.” Source: Cyber Resilience Act | Shaping Europe’s digital future.
Follow: CE marking and EUR-Lex - 52022XC0629(04) - EN - EUR-Lex.
Refer to articles 29 and 30 of REGULATION (EU) 2024/2847.
10. Will STM32 devices have CE marking?
Yes, as STM32 MCUs and MPUs are subject to CRA, they also bear the CE marking.
11. Can I get fined if my product is not compliant with the CRA?
Non-compliance can lead to severe penalties, including:
- Possible recall or withdrawal of products for non-compliance with cybersecurity requirements.
- Up to €15M or 2.5% of worldwide turnover for non-compliance with the essential cybersecurity requirements.
- Up to €5M or 1% of worldwide turnover for incorrect, incomplete or misleading information given to the authorities.
12. Will STM32 provide SBOM for software packages?
Yes, STM32Cube packages will be delivered with an SBOM in CycloneDX format. The process of exposing the SBOM publicly within STM32Cube packages has started and will over time be extended to most of them as they are updated.
Other formats such as SPDX are not provided by ST, but multiple commercial and open-source converters are publicly available.
13. Where will I find STM32Cube SBOMs?
The SBOMs will be delivered within the STM32Cube packages, either in the downloadable version or in the GitHub version. For example, STM32CubeN6 has it in the main directory of the GitHub project, as the “sbom_cdx.json” file.
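Once a package's CycloneDX SBOM is in hand, the practical next step for a product maker is to turn it into a component inventory that can be checked against advisories (see question 16) and to spot entries that cannot be matched because they lack a version or a license. The following Python script is an added example, not ST's code and not the contents of any real sbom_cdx.json: the SBOM it reads is a constructed sample in the shape of a CycloneDX 1.5 JSON document, and all component names and versions in it are placeholders.

```python
"""Inventory and completeness check for a CycloneDX (JSON) SBOM.

Added example, not STMicroelectronics code. SAMPLE_SBOM is a constructed
document with placeholder component names/versions; it is not the real
sbom_cdx.json of any STM32Cube package.
"""
import json

# Constructed sample in CycloneDX 1.5 JSON shape (placeholder contents).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "firmware",
                      "name": "example-stm32cube-package", "version": "1.0.0"}
    },
    "components": [
        {"type": "library", "name": "example-hal-driver", "version": "1.2.3",
         "purl": "pkg:generic/example-hal-driver@1.2.3",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "example-rtos", "version": "10.4.6"},
        # Deliberately incomplete entry: no version, no license.
        {"type": "library", "name": "example-tls-stack"},
    ],
})

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "components")


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX BOM."""
    doc = json.loads(text)
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in doc]
    if missing or doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX SBOM; missing keys: {missing}")
    return doc


def inventory(doc):
    """Flat (name, version, purl) list for every listed component."""
    return [(c.get("name"), c.get("version"), c.get("purl"))
            for c in doc["components"]]


def component_versions(doc):
    """name -> version mapping, convenient for advisory/CVE lookups."""
    return {c["name"]: c.get("version") for c in doc["components"]}


def find_gaps(doc):
    """Components that cannot be matched to an advisory or license review.

    Returns {component name: [problem, ...]} for entries lacking a version
    or license information; an empty dict means the inventory is complete.
    """
    gaps = {}
    for c in doc["components"]:
        problems = []
        if not c.get("version"):
            problems.append("no version")
        if not c.get("licenses"):
            problems.append("no license")
        if problems:
            gaps[c["name"]] = problems
    return gaps


def describes_product(doc):
    """True when metadata.component names the top-level product itself."""
    top = doc.get("metadata", {}).get("component", {})
    return bool(top.get("name")) and bool(top.get("version"))


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print("top-level product identified:", describes_product(bom))
    for name, version, purl in inventory(bom):
        print(f"  {name:24} {version or '<no version>':14} {purl or ''}")
    for name, problems in find_gaps(bom).items():
        print(f"GAP {name}: {', '.join(problems)}")
```

Run against a real package, replace SAMPLE_SBOM with the contents of the package's sbom_cdx.json; any component reported by find_gaps should be resolved with the package supplier before the inventory is used for vulnerability monitoring, because an unversioned entry cannot be matched to a CVE or EUVD record.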
14. Can STSAFE help for CRA & compliance?
Yes, STSAFE secure elements can help ease CRA compliance for product developers, thanks to several countermeasures against security vulnerabilities:
- STSAFE-A comes pre-loaded with secrets and an X.509 certificate to perform device authentication and attestation operations
- Protected against on-chip attacks with best-in-class security countermeasures
- Loaded at ST inside a certified manufacturing site
- Personalization of the STSAFE at ST, in a secured and certified manufacturing site
- STSAFE, best-in-class mitigation to:
  - Attacks on devices in the field to clone device IDs
  - Leakage of device IDs & credentials at manufacturing and configuration
- STSAFE eases product conformity assessment:
  - STSAFE-A is Common Criteria certified (CC EAL5+, AVA_VAN.5)
  - This certification can be referred to by device makers assessing the certification compliance of their objects
Please refer to the ST secure MCU webpage.
15. Can I use legacy STM32 for my new devices?
Yes. We do not expect legacy STM32 devices to be blocked by the CRA. However, a clear application risk assessment must be performed to identify the security functions the application requires and to check whether the functions provided by each STM32 fulfil those requirements. If not, STM32 devices with the appropriate security functionalities are available to replace them.
16. Does ST provide vulnerability information for ICs and software?
Yes, we provide security advisories and security notes on each product page (hardware or software) and also on our Product Security Incident Response Team (PSIRT) page.
We also invite readers to visit the European vulnerability database (EUVD) as well as the NIST National Vulnerability Database for CVEs.
17. Is there mapping of CRA versus application standards?
The horizontal application security working groups are working on defining the security standards applicable to CRA conformance assessments. Once these are available, the mapping will be formalized. ENISA has also produced a first document, “Cyber Resilience Act Requirements Standards Mapping”, that can be used for mapping; it may be updated once the application standards become better known and developed.
18. Will CRA mandate post quantum cryptography (PQC)?
PQC is not directly stated within the CRA. However, the CRA mandates the use of recognized security standards for the application and use of cryptography. Therefore, we believe that, because NIST deprecates the classical asymmetric cryptographic algorithms from 2030, PQC will be required. Our PQC-compliant library allows users to start developing future-proof cryptographic solutions.
19. Does ST provide risk analysis solutions?
No, ST does not provide risk analysis services. Some of our qualified ST partners do provide risk analysis services.
For the device scope we do not know / cannot recommend a risk analysis standard.
Our current experience on risk analysis is based on the requirements taken from various standards such as IEC62443-4-3-2, ISO21434, ISO27005 and EN303645.
Details are given by ENISA in the Cyber Resilience Act Requirements Standards Mapping.
Some tools and methodologies exist and should be chosen according to your industry segment and product scope. For example, we can list:
- OWASP Threat Modeling (publisher: Open Web Application Security Project (OWASP))
- STRIDE Threat Model (publisher: Microsoft)
We also invite our readers to visit the CWE website on the MITRE website.
20. Where can I find further information on CRA by ST?
For further information, you can also watch the webinars part I and part II on the subject and download our detailed presentations and Q&A.
21. References
- For further information, you can also watch the webinars part I and part II on the subject and download our detailed presentations and Q&A.
- STM32Trust security framework
- STM32 Security wiki
- STM32 classic-cryptographic library
- PQC-compliant library, allowing users to start developing future-proof cryptographic solutions
- Product Security Incident Response Team - PSIRT
- CRA Question and Answers (not yet available)
- REGULATION (EU) 2024/2847
- Cyber Resilience Act | Shaping Europe’s digital future
- Cyber Resilience Act Requirements Standards Mapping
- Visit ENISA web portal to get latest news and updates