What the Cyber Resilience Act means for the future of chip design
For years, cybersecurity regulation has mainly focused on software companies, cloud platforms, and operators of critical infrastructure. Hardware security existed in the background as an issue important to engineers and security researchers, but it rarely surfaced in the mainstream regulatory discussion. Until now.
The European Union’s Cyber Resilience Act (CRA) represents one of the clearest signs yet that cybersecurity is becoming a product-level requirement across the online economy. Although the regulation applies broadly to products with digital elements, its implications for the semiconductor industry are especially significant. Modern chips now underpin AI infrastructure, connected vehicles, industrial automation, medical systems, communications equipment, and countless intelligent edge devices.
For the most part, the CRA does not regulate semiconductors as standalone goods, but centers on the cybersecurity of connected systems and digital products placed on the EU market. Since today’s systems and products increasingly depend on highly integrated silicon platforms, especially with the growth of AI, the semiconductor ecosystem is being pulled directly into the spotlight around cybersecurity accountability, lifecycle support, and regulatory readiness.
For chip manufacturers, SoC architects, IP providers, and system designers, the CRA signals a broader industry transition: cybersecurity is becoming part of product compliance, not simply a feature enhancement or competitive differentiator.
What is the Cyber Resilience Act?
The Cyber Resilience Act is a European Union regulation intended to improve the cybersecurity of connected products sold within the EU. It establishes mandatory cybersecurity obligations for products with digital elements throughout their lifecycle, which means from design and development through deployment, maintenance, vulnerability handling, and end-of-support transparency.
The regulation officially entered into force in December 2024, with phased implementation deadlines extending into 2026 and 2027. Beginning in September 2026, manufacturers must report actively exploited vulnerabilities and significant cybersecurity incidents. The broader compliance obligations, including conformity assessment and lifecycle security requirements, take effect in December 2027.
Unlike earlier cybersecurity frameworks that focused primarily on organizational processes or data protection, the CRA targets the products themselves. It applies across a wide range of connected technologies, including hardware, software, firmware, embedded systems, industrial equipment, IoT devices, and many categories of consumer electronics.
At a high level, the regulation emphasizes several key principles:
- Security by design and by default
- Ongoing vulnerability management
- Coordinated vulnerability disclosure
- Secure update mechanisms
- Product lifecycle cybersecurity support
- Technical documentation and traceability
- Cybersecurity risk assessment and mitigation
For the semiconductor industry, the significance lies less in any single requirement and more in what the regulation signals: that security is increasingly being treated as a measurable and maintainable property of the product itself.
Why semiconductor companies are paying attention
The CRA arrives at a moment when semiconductor complexity is expanding at an extraordinary pace. Modern SoCs combine CPUs, GPUs, AI accelerators, NPUs, memory hierarchies, chiplets, interconnect fabrics, firmware, embedded software, and large amounts of reusable third-party IP. Many designs now span multiple dies, heterogeneous compute domains, and distributed software environments.
At the same time, the attack surface around hardware and firmware continues to grow. As a result, security researchers are devoting more attention to side-channel attacks, supply-chain compromise, insecure firmware paths, debug interfaces, hardware roots of trust, and vulnerabilities that sit below the operating system layer.
Historically, many discussions around cybersecurity focused primarily on software remediation. But over the last decade, high-profile hardware and firmware vulnerabilities have demonstrated that trust in modern computing systems depends heavily on the integrity of the underlying silicon architecture, and the CRA reflects that broader industry realization.
Cybersecurity is increasingly viewed as a system-level challenge that spans hardware, firmware, software, and supply-chain dependencies together, and for semiconductor companies that changes where and how security conversations happen. Security considerations that once emerged late in development increasingly need to be addressed from architecture through system validation, driving closer collaboration between design, security, and compliance teams.
Hardware assurance becomes more important
One of the most consequential aspects of the CRA is its emphasis on accountability and evidence. The regulation does not simply encourage companies to implement cybersecurity features; it requires organizations to demonstrate that cybersecurity risks were considered, assessed, mitigated, documented, and maintained over time.
That is particularly challenging in semiconductor development because modern chips depend on deeply intertwined ecosystems of reusable IP, firmware components, open-source software, development tools, and external suppliers. As a result, hardware assurance is becoming increasingly important.
Organizations are under growing pressure to understand not only whether a system performs correctly, but also whether security assumptions hold across increasingly complex architectures. Questions around traceability, visibility, dependency management, and vulnerability exposure are becoming harder to separate from the overall product development process. This is especially true in industries with long deployment lifecycles and elevated safety or reliability expectations, including automotive, industrial infrastructure, aerospace, and healthcare systems.
The rise of AI-enabled systems adds further complexity and risk. AI workloads often require larger data flows, more heterogeneous compute architectures, higher bandwidth connectivity, and additional layers of embedded software and firmware orchestration. Security protections typically carry a performance cost, forcing implementers to trade off security against performance. As AI moves into vehicles, robotics, edge computing, and industrial systems, regulators and customers alike are placing greater scrutiny on resilience and trustworthiness.
In practical terms, semiconductor organizations are increasingly being asked questions such as:
- How are vulnerabilities identified across hardware and firmware layers?
- How are third-party dependencies tracked and monitored?
- What processes exist for coordinated vulnerability disclosure?
- How is security evidence documented and maintained?
- How are remediation and update responsibilities handled over time?
- What mechanisms support long-term cybersecurity maintenance?
These are no longer purely technical discussions confined to security specialists; they increasingly affect procurement decisions, customer expectations, product qualification processes, and regulatory exposure.
Cybersecurity becomes a lifecycle responsibility
Another important shift introduced by the CRA is the move away from viewing cybersecurity as a one-time development milestone. Traditionally, many hardware programs mainly concentrated on pre-silicon validation and production readiness. Once systems shipped, responsibility often shifted primarily toward downstream software or system vendors.
The CRA pushes against that model by emphasizing ongoing cybersecurity obligations after deployment. Manufacturers are expected to maintain visibility into vulnerabilities, support secure update processes, provide transparency around support periods, and respond appropriately to significant security issues that emerge during a product’s supported lifecycle.
For semiconductor companies, this matters because silicon products often remain deployed for many years, particularly in automotive, industrial, networking, and infrastructure environments. Vulnerabilities discovered long after deployment can still affect product security, placing greater emphasis on ongoing monitoring, remediation, and support. The CRA formalizes this responsibility, reinforcing a broader industry shift toward treating cybersecurity as an operational discipline that extends well beyond initial product release.
This transition is creating pressure for stronger collaboration between engineering, product security, compliance, supply chain, and lifecycle management teams. It also increases the importance of maintaining visibility across increasingly fragmented hardware and software ecosystems.
The bigger picture for the industry
The CRA is ultimately about more than European regulation. It reflects a broader global shift toward mandatory cybersecurity accountability for connected technologies. As governments and industries place greater emphasis on resilience, transparency, and supply-chain trust, semiconductor companies are likely to face increasing expectations around how security is designed, validated, documented, and maintained.
In many ways, the industry is approaching a point where cybersecurity assurance becomes another core design requirement alongside performance, power efficiency, reliability, functional safety, and time to market. That does not mean innovation will slow, but it does mean security considerations are moving closer to the center of semiconductor architecture and system design.
For an industry already navigating the complexity of AI acceleration, heterogeneous compute, chiplets, software-defined systems, and advanced packaging, the CRA adds another important dimension to the future of semiconductor development: proving not only that systems perform as intended, but that they can also be trusted over time.