In 2024, the EU Cyber Resilience Act (CRA) became law, reshaping security expectations for digital products sold in the EU. By 2027, the regulation will be fully enforced, and new digital products will need to demonstrate compliance. The CRA introduces security-by-design and security-by-default requirements, raising the baseline for products that previously shipped with little or no protection.
To help manufacturers apply the CRA consistently, EU standards bodies are developing Harmonized Standards. Cybersecurity knowledge and resources are unevenly distributed across industry, and not every organization has the same in-house expertise to translate legislation into a robust test plan. Without a shared framework, vendors could interpret requirements differently, leading to inconsistent assessments, gaps in protection, and added risk for both manufacturers and the European marketplace. Harmonized Standards capture industry security expertise as risk-driven requirements. This approach offers a more straightforward path to compliance by defining process requirements in horizontal standards and specifying requirements for each device class in vertical standards.
The CRA aims to safeguard consumers and businesses by protecting not only personal data, such as credentials, but essentially any data that has value to its user. That can include, for example, operational data, configuration settings, usage information, or proprietary data processed by the device. Even if a product does not appear to handle “sensitive” data, this information can still reveal behavior, enable profiling, or be used to pivot into other systems. If a device is to be trusted to protect any data it handles, it is important that its functionality cannot be changed by adversaries. If an adversary can modify firmware, change configurations, or replace code with malicious code, they can bypass protections, alter outputs, or use the product as a foothold into a larger system. And even if the data itself isn’t valuable, users will still care that the device cannot be manipulated, because altered functionality can create safety or reliability risks.
Boot Managers appear as a line item in the CRA because of their vital role in the chain of trust. This function ensures a device only executes approved code and cannot be hijacked for malicious purposes. The Boot Manager sits in the SoC (System-on-Chip), the heart of any digital product, and consists of hardware and low-level software (firmware). The hardware consists of cryptographic functions, sensors, OTP registers, and memory. The firmware provides protected data flow, checkpoints, and error handling.
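As an added illustration, not code from the article or from the ETSI draft, the following constructed Python model walks through the checkpoints a Boot Manager enforces: a verification key anchored to an OTP hash, authentication of each stage before it is allowed to run, a monotonic anti-rollback floor, and halt-on-failure error handling. It uses an HMAC with a device key as a stand-in for the asymmetric signature a production boot manager would normally verify (the standard library has no signature primitive); all keys, images and stage names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Otp:               # values burned at manufacturing (constructed)
    root_key_hash: bytes # SHA-256 of the root verification key
    min_version: int     # monotonic anti-rollback floor

@dataclass(frozen=True)
class Stage:             # next-stage image plus its authentication metadata
    name: str
    version: int
    image: bytes
    tag: bytes           # HMAC-SHA256 over version || image

class BootError(Exception):
    """Any failed checkpoint: the boot manager halts instead of continuing."""

def sign_stage(root_key: bytes, name: str, version: int, image: bytes) -> Stage:
    """Build-side helper: version and image are authenticated together so neither can be swapped."""
    msg = version.to_bytes(4, "big") + image
    return Stage(name, version, image, hmac.new(root_key, msg, hashlib.sha256).digest())

def verify_stage(otp: Otp, root_key: bytes, stage: Stage) -> bytes:
    """Return the SHA-256 measurement of an approved stage, or raise BootError."""
    # Checkpoint 1: the key about to be trusted must match the OTP anchor.
    if not hmac.compare_digest(hashlib.sha256(root_key).digest(), otp.root_key_hash):
        raise BootError(f"{stage.name}: root key does not match OTP anchor")
    # Checkpoint 2: authenticate version and image as one unit.
    msg = stage.version.to_bytes(4, "big") + stage.image
    expected = hmac.new(root_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, stage.tag):
        raise BootError(f"{stage.name}: authentication failed")
    # Checkpoint 3: a genuine but older image is still rejected (anti-rollback).
    if stage.version < otp.min_version:
        raise BootError(f"{stage.name}: version {stage.version} below OTP floor {otp.min_version}")
    return hashlib.sha256(stage.image).digest()

def boot(otp: Otp, root_key: bytes, chain: list[Stage]) -> tuple[str, list[bytes]]:
    """Walk the chain in order; stop at the first failure and report how far trust extended."""
    measurements: list[bytes] = []
    for stage in chain:
        try:
            measurements.append(verify_stage(otp, root_key, stage))
        except BootError as err:
            return (f"halt: {err}", measurements)
    return ("ok", measurements)
```

The returned measurements are what a later attestation step would report; a halted boot returns only the stages that were actually approved.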
The new ETSI EN 304 623 draft standard elaborates the high-level CRA requirements for Boot Managers, such as the use of cryptography to protect data, and a standard configuration enabling these security features. The standard includes a total of 92 detailed requirements that Boot Managers need to satisfy to be considered secure. These are derived from a threat and risk assessment (TARA), which is also included in the standard to provide evidence that threats have been modelled.
For a Boot Manager to be CRA compliant, it is important that its features are not only designed well but also implemented well. The standard therefore includes a section on conformity assessment, describing what a test lab should do to verify correctness.
The release of this new draft standard underlines that the CRA is not only about software, but also about hardware and firmware. As a result, many more chips will need to include a Boot Manager / Root of Trust, and developers will be expected to demonstrate that these security functions are implemented correctly and can withstand realistic threat scenarios.
Keysight supports its customers throughout every stage of CRA product security evaluation. From interpreting CRA requirements and emerging harmonized standards, to security evaluation and test execution, and ultimately evidence generation for conformity assessment, we work with your team to manage the complete security lifecycle of your product. Learn more about Keysight CRA services on this page.
Want more stories like this? Subscribe to the Keysight Device Security Bulletin for monthly highlights on device security trends and practical insights — brought to you by the Keysight device security team.