Security by design, addressing the requirements for the EU Cyber Resilience Act
Neu-Isenburg, March 9, 2026 – Arrow Electronics is collaborating with NXP® Semiconductors to support customers preparing for the EU Cyber Resilience Act (CRA), which sets mandatory essential cybersecurity requirements for products with digital elements sold in the European Union. With full enforcement scheduled for Dec. 11, 2027, and severe penalties for non-compliance, manufacturers will need to demonstrate that cybersecurity is built into their products from design through deployment and lifecycle management. This means all new designs should already have cybersecurity built in.
To address these requirements, Arrow combines NXP’s semiconductor and security expertise with the engineering capabilities of eInfochips, an Arrow company. By leveraging NXP’s secure-by-design technologies and comprehensive security documentation, eInfochips can help streamline CRA-aligned development and reduce CRA compliance efforts.
The coordinated process spans from early-stage risk assessment to secure provisioning, creating a structured and repeatable path to compliance.
The process at eInfochips begins with a joint risk analysis conducted with the end customer. This includes threat modelling and the definition of cybersecurity requirements aligned with IEC 62443-4-1. The outcome is a documented cybersecurity plan and requirements framework that guides development activities across the product lifecycle.
eInfochips supports hardware design, firmware development, cloud and mobile application development, all with cybersecurity integrated throughout the product design lifecycle. This includes threat modelling, risk assessment, secure coding, SAST, DAST, PAN testing, implementation in projects targeting IEC 62443, RED3.3 or CRA compliance.
NXP’s security technologies, including the EdgeLock® Secure Enclave and EdgeLock Secure Elements and Authenticators, provide hardware roots of trust, protect device credentials, safeguard sensitive data and support secure lifecycle operations, with the secure enclave additionally reinforcing platform integrity. These security foundations help address essential CRA requirements for device integrity, authentication, access control, certification, data protection and update integrity.
Following development, Arrow provides secure provisioning at its primary distribution center in Venlo, The Netherlands, establishing device identity and secure configuration while enabling CRA-aligned lifecycle security throughout deployment. Leveraging NXP’s scalable, cloud-based EdgeLock 2GO service for secure provisioning and credential management, Arrow enables trusted injection of keys, certificates, and lifecycle credentials at scale, supporting CRA-relevant requirements for secure updates, monitoring and vulnerability management.
“Regulatory frameworks such as the EU Cyber Resilience Act are reshaping how connected products are developed and maintained,” said Philipp Mai, vice president engineering EMEA, Arrow. “Through our collaboration with NXP and eInfochips, we help customers align risk analysis, secure design and provisioning, providing a structured approach to cybersecurity across the full product lifecycle and accelerating their path to CRA compliance.”
“At NXP, we have a long history of secure-by-design engineering that naturally aligns with the requirements now formalized in the EU Cyber Resilience Act,” said Alasdair Ross, vice president of Secure Edge Identification, NXP Semiconductors. “Thanks to this longstanding commitment, we were ready for CRA from day one. We are proud to support customers with the secure architectures and lifecycle services they need to bring compliant, resilient and trusted products to market.”
Arrow Electronics will present this approach at embedded world, taking place from 10–12 March 2026 in Nuremberg, Germany, at Stand 4A-342. Visitors can discuss their CRA planning and take advantage of a risk analysis from eInfochips.
More Information