ST launches dedicated resource hub to help developers navigate the EU Cyber Resilience Act (CRA)

ST's new CRA webpage helps you understand your compliance obligations and how ST's products and expertise can support your journey. 

If you're designing products with digital elements for the European market, the EU Cyber Resilience Act (CRA) is already on your radar. With reporting obligations starting September 11, 2026, and full compliance enforcement from December 11, 2027, the clock is ticking for manufacturers to get their processes in order. 

To help you get ready, ST has launched a CRA resource hub designed specifically for developers and product teams. 

What obligations the CRA brings and how ST helps you address them 

The hub breaks down the key obligations you must address when shipping products with digital elements: 

• Secure by design: products must be designed with security from the outset, with minimal cybersecurity vulnerabilities 

• Conformity assessment: products must be assessed against essential requirements through self or third-party 

• Vulnerability handling: process must be in place to handle vulnerabilities and report actively exploited vulnerabilities  

• Longterm maintenance: support must be provided for at least 5 years after the last sale with security updates for minimum 10 years 

The page explains the principles of how ST helps you meet these requirements. 

How ST is preparing  

ST is monitoring and, where appropriate, adapting our product development and life-cycle processes in alignment with the principles of the CRA. 

As the CRA’s harmonized standards continue to evolve, we are closely following developments and actively participating in standardizations and industry working groups to align our approach with the evolving regulatory framework. 

This strategy builds upon ST’s longstanding security expertise, established certifications, and proven vulnerability management processes. 

What about RED? 

The page also addresses the EU Radio Equipment Directive (RED), which has overlapping cybersecurity requirements for radio-enabled devices and has been in force since August 2025. 

What this means for you as a developer 

• Understand what CRA will require for your workflows 

• Access materials that help you understand how ST products and practices will help you meet the requirements 
  
  

Additional resources 

• ST CRA webpage 

• Navigate new EU security regulations with STM32 wireless solutions – On-demand webinar  

• Deep dive on CRA – ST Community Wiki 

• New IoT security standards: Get ready with a certified microcontroller and root-of-trust - Whitepaper 

First published on Mar 04, 2026