EU Cyber Rules Hit FPGA Design

The European Cyber Resilience Act (CRA) is reshaping verification flows for FPGAs, according to industry experts. Hardware engineers are now increasingly required to perform and document security validation throughout a device's lifecycle, making compliance a key competitive differentiator for aerospace and defense firms.

The Cyber Resilience Act (CRA) mandates a "secure by design" and "secure by default" approach for all hardware and software products with digital elements sold in the European Union. This legislation forces manufacturers, including makers of FPGAs and microcontrollers, to integrate security into the earliest stages of design rather than treating it as an afterthought.

While full enforcement of the CRA begins in December 2027, key deadlines are approaching much sooner. Manufacturers must comply with obligations for reporting actively exploited vulnerabilities and serious security incidents by September 2026.

For FPGA designers, this means directly addressing threats like bitstream reverse engineering, side-channel attacks that analyze power consumption, and fault injection attacks that create glitches to bypass security. The CRA shifts responsibility, making manufacturers liable for vulnerabilities that are exploited. Compliance requires extensive technical documentation, including cybersecurity risk assessments and a Software Bill of Materials (SBOM). Engineers must also establish processes for handling vulnerabilities and delivering security updates throughout a product's expected lifecycle, which must be clearly communicated to users.

The regulation has significant weight in the aerospace and defense sectors, where compliance is becoming a baseline requirement for any supplier in the EU market. Products without the CE marking indicating CRA compliance will be barred, and non-compliance carries penalties up to €15 million or 2.5% of a company's global annual revenue. These rules extend through the entire supply chain, placing legal obligations on importers and distributors to verify that products, from individual components to finished systems, meet the CRA's security standards before being sold in the EU.
