Insights on the Cyber Resilience Act with Infineon’s Thomas Rosteck

With the rapid expansion of connected devices, cybersecurity has become a global priority. The European Union’s Cyber Resilience Act (CRA), set to take effect in 2027, aims to enforce stricter security standards for IoT products. In this exclusive interview, Thomas Rosteck, Division President of Connected Secure Systems at Infineon Technologies, discusses the CRA’s objectives, its impact on global and Indian manufacturers, and how companies can stay ahead of evolving cybersecurity regulations.
The Cyber Resilience Act (CRA) is a hot topic today. What are its primary objectives, and how will it impact global and Indian manufacturers?
The CRA is a European regulation passed in October 2024, set to become effective in December 2027. Its goal is to enhance cybersecurity in connected products and services, as many IoT devices today lack proper security controls. The CRA classifies products into three security levels:
1. Critical Products (e.g., smart meter gateways) – Require third-party certification.
2. Important Products (e.g., connected cameras) – Require moderate security compliance.
3. Default Products – Must meet basic security standards and can be self-certified.
Under the CRA, all products sold in the EU must comply with cybersecurity requirements, ensuring a higher level of security across industries.
How will CRA compliance be marked on products?
CRA-compliant products will carry the well-established CE mark, which currently assures safety but will then also indicate security compliance in the future. Unlike voluntary cybersecurity labeling schemes—such as the US Cyber Trust Mark, which is optional—the CRA is mandatory for all products and services with digital elements sold in the EU. This ensures a seamless transition for consumers, as they won’t need to learn a new certification system.
What does CRA mean for Indian manufacturers?
The CE mark requirement means that any product shipped to and sold in the EU must comply with CRA regulations. Indian manufacturers exporting to the EU will need to integrate cybersecurity measures into their products to continue accessing the European market post-2027. This presents an opportunity for Indian companies to enhance their security standards, making their products globally competitive.
Companies like Infineon already produce security chips for IoT devices. How does CRA further improve security?
While some manufacturers already use security chips, many IoT devices still lack proper cybersecurity controls. Everyday products like smoke detectors, coffee machines, televisions, and smart home devices are often vulnerable. Not all products will require security chips, but having them can simplify CRA compliance. Some cybersecurity issues can be solved via software, but many require hardware-based security. This is where trust anchors play a role—a secured hardware component that protects devices from tampering and cyberattacks. Hardware manipulation is far more difficult than attacking software only, making it a stronger security solution.
Will CRA encourage cybersecurity regulations in other countries?
Yes. While CRA is mandatory for the EU, its impact will likely extend globally. Manufacturers developing CRA-compliant products may choose to apply the same security standards to other markets, including the US, India, and beyond. Since meeting CRA requirements will likely align with other security standards, companies would be able to gain multiple certifications (e.g., US Cyber Trust Mark) and present themselves as trusted global suppliers.
How is Infineon helping companies comply with CRA?
Infineon is taking a three-step approach:
1. Educating Customers – Many companies are unaware that they must comply with CRA by 2027.
2. Consulting & Support – Helping companies understand and implement CRA security measures using security by design principles.
3. Providing Security Solutions – Offering hardware-based security to ensure devices meet regulatory standards.
Infineon also works closely with governments and industry bodies to develop security regulations and standards.
What lessons can Indian manufacturers learn from CRA?
Companies that already prioritize security won’t face major compliance challenges. However, those that haven’t focused on cybersecurity must now integrate security from the start rather than adding it later. Security should be designed into products from the beginning, just like how a cake’s taste is determined before baking—it can’t be changed later. Indian companies must adapt their product designs to meet these new security demands.
With the increasing complexity of IoT and connected devices, what are the main cybersecurity challenges?
The biggest security challenges are:
1. Device Integrity – Preventing unauthorized modifications.
2. Data Confidentiality – Protecting personal and sensitive information.
3. Authentication – Ensuring devices communicate securely.
For example, smart homes and connected cars require strong cybersecurity to prevent attacks and to protect user privacy. As devices become more connected, the need for robust security grows.
How do global cybersecurity standards impact CRA?
Security is also being built into functional standards, which are solving security requirements and with this supporting the targets of CRA. Some examples are:
- Wi-Fi Alliance (ensuring secured wireless communications)
- USB Standards (enhancing data security in devices)
- Matter Standard (CSA) (smart home security compliance)
By integrating security into global technology standards, companies can meet CRA requirements more easily.
Infineon is a leader in security solutions for automotive, home automation, and industrial applications. How has the company evolved in this space?
Infineon has been a pioneer in security for 30 years. Our journey began in the 1990s with SIM cards and secured payment solutions. Over time, we expanded into:
- Embedded security for IoT
- Automotive security
- Trusted Platform Modules (TPMs)
- Secure elements for smart homes
We also actively contribute to global standards and collaborate with governments to support the definition of cybersecurity policies.
Can you share insights into new security technologies Infineon is working on?
A major focus is post-quantum security. Quantum computers will break current encryption methods, so we are developing post-quantum cryptography (PQC) to protect future devices. Infineon was the first company to receive a high-level security certification for the implementation of a post-quantum cryptography algorithm on a security controller, ensuring our solutions remain ahead of future threats. Another key innovation is the Infineon Integrity Guard, a security architecture that makes the success of attacks significantly more difficult.
What steps should India and other countries take to improve cybersecurity?
India is already exploring cybersecurity regulations, which is a critical step for a growing digital economy. Missing security measures can hinder progress, so strengthening security standards will benefit both businesses and consumers. With cybersecurity becoming a global necessity, every country must take action to protect data, infrastructure, and users from growing cyber threats.