Categories: Security

Europe's Response to Cybercrime: CRA

In an increasingly digitalized world where cyberattacks are becoming more sophisticated and frequent, the need for a legal framework to ensure cybersecurity is paramount. The EU Cyber Resilience Act (CRA) aims to guarantee the security of digital products and services. This article explores ways to ensure CRA compliance using CodeMeter.

Motivation from Two Directions

Product security is a critical success factor for businesses. On the one hand, companies aim to protect their software know-how from hackers using reverse engineering. On the other hand, software monetization must not be undermined by piracy. External requirements, driven by market demands or legal mandates such as IEC 62443, NIS2, and the EU Artificial Intelligence Act, also play a role.

Since the end of 2024, the EU Cyber Resilience Act has been in effect for all member states. It includes guidelines, processes, security requirements for digital products, detailed information, and reporting obligations. Non-compliance with these regulations can result in fines amounting to millions. Although the CRA allows a transition period until 2027, businesses must act now to prepare. Determining who is affected and in what capacity marks the starting point of the compliance journey.

CodeMeter as a Companion for CRA Compliance

The following sections present various examples of how CodeMeter technology can actively support you on this journey. Our experts have identified specific parts of the CRA where Wibu-Systems’ products can be leveraged for compliance.

Measures to Restore Compliance (CRA Art. 13 (21))

If manufacturers determine that a product with digital elements in the field no longer complies with CRA regulations, they must immediately take measures to restore compliance or, if this is not possible, withdraw the product from the market. Manufacturers must maintain an overview of products and users in the field to inform affected customers.

This can be achieved by leveraging CodeMeter licenses, which provide complete transparency for manufacturers. Programs or functionalities can be disabled or replaced by withdrawing or updating licenses to regain compliance. Using CodeMeter License Central and CodeMeter License Portal, managing licenses in the field becomes seamless and transparent across multiple levels. Roles and rights can be assigned to these levels, and the status of licenses in the field is always accessible.

Access Protection (CRA Annex I, Part I, 2d)

In addition to general authentication and authorization via issued licenses, CodeMeter allows specific licenses to be assigned, for example for different software versions, for compliance with export controls, for regional requirements, or for particular user groups or individual users via Named User Licenses. CodeMeter Certificate Vault can securely deploy certificates to the field and integrate them into applications via standard protocols. Access protection based on CodeMeter is also implemented for CODESYS and Siemens’ TIA Portal. Rockwell Automation uses the technology for Studio 5000 Logix Designer.

Data Confidentiality and Integrity (CRA Annex I, Part I, 2e, 2f)

Manufacturers must ensure data confidentiality and prevent data manipulation to guarantee data integrity. By utilizing encryption and cryptographic signatures through CodeMeter licenses, CodeMeter API and CodeMeter Protection Suite provide manufacturers with all the tools needed to meet these requirements. CodeMeter License Central ensures secure key distribution.

Compliance and Monetization: An Ideal Combination

By combining product security and licensing, CodeMeter offers an ideal solution that supports CRA compliance while enabling the licensing of products with digital components: an investment with a guaranteed return!

KEYnote 49 – Edition Spring/Summer 2025
