Navigate new EU security regulations with ST solutions

Maxime_MARCHETTO
Community manager

Security is now a core part of product development. The EU’s Cyber Resilience Act (CRA) and Radio Equipment Directive (RED) have set mandatory cybersecurity and safety standards for connected digital and radio devices.

The CRA is a new EU law requiring connected digital products to meet strict cybersecurity standards throughout their lifecycle, protecting users and reducing cyber risks.

The RED is an EU regulation ensuring radio and telecom devices are safe, free from harmful interference, and equipped with essential security features for reliable wireless communication.

As developers, integrating these requirements early helps build secure, reliable products that protect users, avoid costly penalties, and maintain market access.

These regulations are designed to close security gaps early in the product lifecycle, ensuring devices are secure by design, regularly updated, and capable of resisting attacks. Non-compliance not only risks user safety and data integrity but can also lead to costly penalties and market access restrictions.

Key reasons to prioritize CRA and RED regulations

  • Build devices for the long term: security is now mandatory, and further requirements will follow in the future.
  • Protect users and data: prevent cyberattacks, unauthorized access, and data breaches by embedding security early and maintaining it throughout the product lifecycle.
  • Protect your market and bring confidence: meet high security and safety standards to earn customer trust and ensure your products remain competitive in the European market.
  • Avoid risks and penalties: stay ahead of regulatory requirements to prevent product recalls, fines, and legal liabilities.
  • Reduce costs of non-security: adopt secure-by-design principles that reduce vulnerabilities and future-proof your products.

How ST helps you achieve compliance

ST integrates cybersecurity deeply into its product design, manufacturing processes, and embedded software, offering a comprehensive portfolio of security features aligned with CRA and RED requirements:

  • Certified security solutions: ST products come with certifications like SESIP (EN 17927:2023) and PSA, and are backed by process certifications such as ISO 21434, Common Criteria, and others, demonstrating compliance readiness.
  • Vulnerability management: ST maintains transparent vulnerability disclosure and mitigation processes compliant with international standards (ISO/IEC 29147, 30111).
  • Secure development lifecycle: ST promotes secure boot, firmware updates, cryptographic accelerators, and hardware tamper protections to ensure device integrity and confidentiality.
  • Support and ecosystem: through STM32Trust and partner networks, ST provides tools, frameworks, and guidance to implement robust security measures tailored to product risk profiles.
  • Long-term security support: ST commits to extended security update availability, helping customers meet CRA’s mandatory support periods.

By leveraging ST’s proven security expertise and solutions, you can confidently build compliant, secure products that protect users and maintain market access.

Learn further details on the dedicated Security wiki pages.

First published on Aug 5, 2025