Market access creates urgency
CRA makes connected-product security a board-level and product-launch issue. OEMs need to preserve EU market access with controls they can operate.
CRA readiness for connected-product OEMs
Support CRA readiness with device-trust workflows and evidence
OEMs need practical controls and evidence to preserve European market access under the CRA, even when partners build, manufacture, integrate, or operate parts of the connected product. QuarkLink helps turn that accountability into device-trust workflows across provisioning, certificates, secure updates, lifecycle state, revocation, and evidence retention.
Why CRA changes OEM accountability
Manufacturer accountability needs workflows
Secure-by-design, secure-default, update, support-period, and vulnerability-handling expectations need repeatable device-level workflows.
Evidence burden changes the conversation
Product-security and compliance teams need records for what was provisioned, updated, revoked, quarantined, or decommissioned.
CRA timeline at a glance
The Cyber Resilience Act entered into force on 10 December 2024. Reporting obligations start on 11 September 2026, and the main obligations apply from 11 December 2027. Sources: European Commission summary · Regulation (EU) 2024/2847
Map CRA concerns to device-trust controls and evidence
Use this map to connect common CRA readiness concerns to the device-level controls and evidence QuarkLink can help produce.
| CRA concern | Device-trust control | QuarkLink proof |
|---|---|---|
| Secure by design | Device identity, secure provisioning, credentials, certificates, secure update workflows, and lifecycle evidence are designed into the product. | Policy, provisioning record, certificate detail, update rule, and lifecycle history. |
| Secure by default | Devices start from a trusted initial state with per-device credentials, controlled onboarding, and firmware integrity support. | First-connection record, certificate issue event, onboarding target, and firmware-integrity status where supported. |
| Security updates / automatic-update readiness | Firmware is signed, eligible devices are identified, rollout policy is governed, and rollout state is recorded. | Signed firmware record, eligibility rule, rollout status history, retry or rollback decision. |
| Protection from unauthorised access | Genuine device identity, certificates, mutual authentication, and trust policy control which devices can connect. | Device identity detail, certificate state, onboarding target, and access history. |
| Data integrity | Firmware, configuration, commands, and device communications are protected through signed, authenticated, and policy-controlled workflows where supported. | Signed firmware record, firmware-integrity status, update workflow, and audit events. |
| Support period | Trust remains manageable through certificate renewal, update support, revocation, quarantine, and decommissioning. | Certificate renewal history, lifecycle state changes, revocation and decommission records. |
| Vulnerability handling | Affected devices can be found, updated, quarantined, revoked, or decommissioned as the response requires. | Device cohort, update campaign, quarantine state, revocation event, audit log. |
| Technical documentation / evidence | Device-trust workflows create records that support product security files and customer assurance. | Evidence summary covering provisioning, certificates, updates, revocation, and lifecycle state. |
A practical device-trust path for CRA readiness
- Identify exposed products
- Define trust model
- Provision identities
- Govern updates
- Operate device trust
- Retain evidence
Product and architecture decisions
- Identify which connected products, variants, and support periods are CRA-exposed.
- Define the device identity model, key boundary, trust policy, and firmware-integrity controls.
- Decide how device trust connects to product risk assessment and secure-by-design architecture.
Operational workflow decisions
- Plan provisioning for manufacturing, first boot, or controlled first connection.
- Define certificate issuance, renewal, rotation, expiry, and revocation workflows.
- Define secure firmware update workflows, device eligibility, rollout rules, retry/rollback handling, quarantine, and decommissioning workflows.
Evidence and boundary decisions
- Capture lifecycle states such as active, revoked, quarantined, transferred, and decommissioned.
- Decide which records support technical documentation, customer assurance, and support-period review.
- Separate device-trust evidence from SBOM, vulnerability disclosure, incident reporting, CE marking, and conformity assessment.
Review a device-trust evidence pack
Review how QuarkLink can retain device-trust records across identity, certificates, updates, lifecycle state, and revocation, then surface them for technical documentation, customer assurance, and support-period review.
Device-trust evidence pack
Smart Controller Evaluation Fleet
Identity
Device identities issued
8,240 per-device identity records retained.Certificate
Certificate history available
Issuance, renewal, expiry, and revocation records retained.Update
Signed update workflow retained
Firmware signing, eligibility, rollout state, retry/rollback decision, and status retained.Lifecycle
Device state history tracked
Active, quarantined, revoked, transferred, and decommissioned state changes retained.Risk response
Revocation path available
Risky devices can be quarantined, revoked, or decommissioned.Audit
Evidence export ready
Lifecycle record available for technical documentation and assurance review. Export package device-trust-evidence-smart-controller-fleet.pdf
Export ready Representative QuarkLink app screen. Example data shown.
Where QuarkLink helps — and where the broader CRA programme remains
QuarkLink helps implement and evidence the device-trust layer of CRA readiness. OEMs still own the broader compliance programme.
QuarkLink helps
Device SDK, QuarkLink Cloud, CLI / API automation, provisioning, certificates, secure updates, lifecycle state, revocation, and evidence.
Broader CRA programme remains
SBOM, vulnerability disclosure, incident reporting, conformity assessment, CE marking, full product risk assessment, mobile and cloud application security, and the complete technical documentation package.
Start your CRA readiness path
Explore how QuarkLink connects device-side trust, lifecycle operations, secure update workflows, and evidence — or talk to us about production and partner delivery.