Navigating CRA and PSTI - What UK Embedded System Manufacturers Must Know
Discover how UK embedded system manufacturers can prepare for the EU Cyber Resilience Act and PSTI compliance with expert insights and strategic guidance.
What is the EU Cyber Resilience Act (CRA)?
The EU Cyber Resilience Act (CRA) is a new EU law aiming to make all digital products, like smart devices and software, more secure. For UK manufacturers of embedded systems selling into the EU, this is a critical change.
Essentially, the CRA demands that security is built into products from the very start, referred to as "secure by design." This means manufacturers must actively manage cybersecurity risks, fix vulnerabilities quickly with updates, and document their product's security features. They also need to provide a Software Bill of Materials (SBOM), which is like an ingredient list for the software inside their products.


What are the Objectives of the Cyber Resilience Act?
The main objectives of the Cyber Resilience Act are:
- Strengthening security from the design stage of digital products.
- Improved transparency of security information.
- Strengthening incident reporting obligations.
- Establishment of a more robust market supervision system.
- Improving cooperation between EU Member States.
The Impact of EU Cyber Resilience Act in the UK on Embedded Systems
As the European Union presses ahead with its ambitious Cyber Resilience Act (CRA), UK-based manufacturers of embedded electronic systems face an increasingly fragmented and demanding regulatory landscape. The UK has pursued a less prescriptive approach to cybersecurity legislation, but with the EU introducing mandatory obligations for almost all digital products, the route to compliance and market access is becoming notably more complex.
Whether your company produces control systems, diagnostic equipment, networked industrial tools, or smart infrastructure devices, if your offerings incorporate embedded computing elements, they are highly likely to fall within the scope of these evolving regulatory frameworks. A thorough understanding of the distinctions between the UK and EU approaches is therefore essential, both to mitigate compliance risks and to maintain commercial competitiveness.
Understanding the EU’s Cyber Resilience Act
The CRA, formally adopted in 2024 and currently within a three-year implementation phase, introduces compulsory cybersecurity requirements for any product with a digital component destined for the EU market. This encompasses not only consumer technology but also professional and industrial equipment that integrates embedded software, microcontrollers, or network functionality.
What the EU Cyber Resilience Act and UK Cyber Security Bill Mean for Manufacturers
Manufacturers will be expected to embed secure-by-design principles throughout product development, manage vulnerabilities across the product’s operational life, and implement structured processes for incident detection and reporting. In addition, extensive technical documentation, detailed risk assessments, and rigorous conformity procedures will become prerequisites for CE marking. While full enforcement is scheduled for 2027, the foundational groundwork for compliance is already being laid across the sector.
The UK’s PSTI Act: A More Focused Starting Point
In contrast, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act 2022, which came into effect in April 2024, applies exclusively to a defined subset of consumer connectable products – typically those found in domestic environments, such as smart speakers, internet routers, or fitness trackers. The PSTI does not currently extend to the majority of professional or industrial products, nor to embedded systems deployed in commercial settings.
This legislation imposes a limited number of core security requirements, including the prohibition of universal default passwords, the necessity to publish vulnerability disclosure channels, and a mandate to inform users about the duration of software support. While undoubtedly a meaningful stride towards enhanced product security, the PSTI framework remains comparatively lighter than the CRA and, at present, excludes more complex or industrial embedded systems.


The difference between Cyber Resilience Act (CRA) and the Product Security and Telecommunications Infrastructure (PSTI)
The divergence between the CRA and the PSTI Act is more than a simple difference in emphasis; it represents a concrete challenge for manufacturers. The CRA’s scope embraces a broad spectrum of digital products, ranging from standalone software to hardware containing embedded computing elements. It insists upon security throughout the entire product lifecycle, from initial development and production through to post-market surveillance and subsequent updates. These requirements extend comprehensively to software and firmware components, including those deeply embedded within hardware products.
The PSTI, conversely, focuses on a narrower category of consumer devices. It does not address the full product lifecycle, is largely inapplicable to most commercial embedded systems, and does not mandate conformity assessment or incident reporting. Consequently, a manufacturer of a smart environmental sensor or an embedded industrial controller may find themselves obliged to meet CRA requirements for sales into the EU, whilst facing no directly equivalent obligations within the UK.
| | PSTI | CRA |
|---|---|---|
| Effective Dates | Became active on April 29, 2024, impacting products already in the market or supply chain. | Published in the Official Journal in Q2 2024, with most provisions taking effect within three years. |
| Applicability | Targets manufacturers, distributors, and importers of consumer connectable products within the UK. | Applies to manufacturers, distributors, and importers of "products with digital elements" sold in the EU market. |
| Product Scope | Encompasses products available to UK consumers that are internet-connectable or "network connectable." | Covers any software or hardware product featuring digital elements, along with their remote data processing solutions that possess a direct or indirect logical or physical connection to a device or network. |
| Security Mandates | Requires unique or user-defined passwords, a defined vulnerability management program, and public disclosure of a minimum support period for security updates. | Enforces "essential" cybersecurity requirements, mandates cybersecurity risk assessments, necessitates conformity assessment and CE marking, and requires notification of vulnerabilities and serious incidents. |
| Enforcement Bodies | Enforced by the Office for Product Safety and Standards (OPSS). | Member States will designate market surveillance authorities for enforcement, and manufacturers are obliged to report vulnerabilities to relevant Computer Security Incident Response Teams and ENISA. |
| Potential Penalties | Non-compliance with enforcement notices can lead to unlimited fines, or penalties of up to £10 million or 4% of global annual turnover, along with daily penalties for ongoing violations. | Fines can reach up to €15 million or 2.5% of global turnover. |
Implications for UK-Based Embedded System Manufacturers
For manufacturers of embedded systems – irrespective of whether they operate in sectors such as automation, healthcare, utilities, or communications – the regulatory implications are considerable.
If your products are marketed and sold within the EU, compliance with the CRA will be mandatory, irrespective of their classification under UK law. This necessitates the adoption of secure development practices from the very outset, encompassing structured threat modelling, robust secure coding policies, and meticulously documented vulnerability management processes. Maintaining technical files and comprehensive compliance records will also be required to underpin CE marking.
Should your products be sold exclusively within the UK and not fall within the scope of the PSTI Act, you may currently be exempt from specific legal cybersecurity obligations. However, that is not the reality for many: commercial pressures, shortening product lifecycles and the economic demands of sales growth mean that manufacturers need to globalise their product sales. Customers in the more regulated sectors will also require certified evidence of responsible security practices. Furthermore, the UK’s approach remains dynamic, and future legislation could well expand the PSTI framework or introduce provisions like those of the CRA, especially in light of the most recent UK & EU realignment from earlier in 2025.
Manufacturers operating across both markets must now meticulously plan for dual compliance. This could involve separate product markings (UKCA for the UK, CE for the EU), distinct sets of documentation, and potentially differing security processes. While this undeniably introduces operational complexity, it also offers an invaluable opportunity to streamline product assurance and foster greater trust with customers in both jurisdictions.
One area often underestimated in the context of CRA compliance is the pivotal role of software. While many embedded systems are primarily perceived as hardware, the embedded software that powers their functionality – from firmware and operating systems to connectivity protocols – is central to the CRA’s remit. Ensuring that these components are developed securely, updated reliably, and documented clearly is now a fundamental obligation for achieving market access in the EU.
A Strategic Approach
The most effective strategy for manufacturers is to proactively align internal practices with CRA principles, even when their primary sales focus remains within the UK. Doing so not only prepares your business for future legislative shifts but also demonstrates a consistent, high-assurance development approach that signals quality to end customers. Adhering to internationally recognised standards such as ISO/IEC 27001 or IEC 62443 will further assist in demonstrating due diligence and mitigating exposure to both legal and reputational risks.
Remaining actively engaged with the evolving regulatory landscape is equally crucial. The CRA itself is still subject to further refinement through secondary legislation and detailed guidance documents, whilst the UK government continues to assess the potential need for expanded cybersecurity rules.
Final Thoughts
For UK manufacturers of embedded electronic systems, the regulatory environment is certainly becoming more intricate and diverse. The EU Cyber Resilience Act imposes broad, binding obligations on products with digital functionality, whilst the UK’s PSTI Act currently offers a more focused and targeted framework. The net result is a clear imperative for dual compliance strategies, robust internal governance, and a forward-thinking approach to product security.
The judicious selection of already compliant modules provides a strong foundation for full system compliance; this is precisely where the choice of the correct embedded computing partner becomes essential. Advantech, as a global leader in embedded and edge computing, has already embarked upon a comprehensive programme to ensure CRA compliance across its portfolio in anticipation of the upcoming deadlines.
Those who commence their adaptation now – by investing in secure development lifecycles, enhancing technical documentation, and aligning with international standards – will be far better positioned to manage both current compliance demands and future legislative changes. Whether your systems are deployed in factories, hospitals or critical infrastructure, demonstrating resilience and accountability is no longer merely good practice; it is rapidly becoming an indispensable requirement.
Need assistance with CRA compliance requirements?
APC's Systems team, with the invaluable support of our technology partner network, is dedicated to assisting UK manufacturers who build or sell embedded systems across international markets. Working alongside embedded computing experts, including Advantech, to deploy modular solutions, our aim is to help systems builders and integrators enhance compliance and provide scalable, future-proofed systems that are resilient to the threats of today's digital environments.