SMCC Working Group 8: First face-to-face workshop about implementing the Cyber Resilience Act (CRA) for the semiconductor industry

On February 20 and 21, 2025, the first face-to-face workshop held by Working Group 8 of the Semiconductor Manufacturing Cybersecurity Consortium (SMCC) took place in Brussels. The newly founded working group is dedicated to implementing the Cyber Resilience Act (CRA) for the semiconductor industry and is working to define uniform security standards. 

We are also actively involved in SMCC Working Group 8 to help shape the new guidelines and ensure the best possible protection for all CRA users. Maximilian Junge, Sales Manager for our ToolCommander® software framework for equipment control, was at the first workshop in Brussels. We asked him a few questions after the SMCC meeting. 

What is the composition of the working group and what were the participants' key questions? 

Maximilian: The working group consists of participants along the semiconductor supply chain – from component manufacturers and software suppliers like us at Kontron AIS, to OEMs and the operators of the fabs themselves. A central question that concerned everyone was: what was the reason for creating the CRA? After all, cybersecurity has long been a matter of course for us in the semiconductor industry. A person involved in drafting the Cyber Resilience Act answered this question for us:

  • Focus on companies who need to catch up: the CRA should focus on cybersecurity, especially among companies in the EU that have not yet dealt with the issue of security.
  • Basic security and long-term commitment: a basic level of security should be established so that companies commit to security issues and guarantee them over the long term. The main aim is to better protect consumers, infrastructure and industrial know-how.

The wording of the CRA is very vague because it applies to all products across multiple industries. This gave rise to two further key questions: 

  1. What are the minimum specifications for a secure product?
  2. When is compliance with the CRA achieved? 

Although the Cyber Resilience Act defines a fundamental difference between compliant and non-compliant, there is no clear answer here. The minimum specifications depend heavily on the complexity of the respective product. For software suppliers, the path to CRA compliance is shorter than for machine manufacturers whose systems consist of individual components from several suppliers as well as software and their own in-house developments. Due to the complexity of the product, there are greater challenges here. 

The further a product has progressed in the supply chain, the more complex the issue of cybersecurity becomes. Companies have to provide evidence of cybersecurity and integrate new processes into their work sequences. This results in more administration, the extent of which is difficult to forecast – particularly because of the uncertainty regarding which minimum specifications for a secure product are actually going to apply. Each industry is responsible for defining the minimum standard for their products based on the guidelines of the CRA. 

There are also exceptions, and certain products and industries, such as the pharmaceutical and automotive industries, are excluded from the CRA because they have been recognized as self-regulated sectors by the EU.

What options are there for companies in the semiconductor industry to achieve compliance with the CRA? 

Maximilian: There are three possible options:

  1. CRA compliance: The direct fulfillment of the requirements defined in the CRA. The products may only be sold in the EU if they comply with the CRA.
  2. Sector-specific agreements: This option is based on the semiconductor industry gaining recognition as a self-regulated sector by the EU, similar to what has already happened in the pharmaceutical and automotive industries. This requires comprehensive, industry-specific security standards to be developed, which then independently cover the requirements of the CRA.
  3. Contract regulations: Another option is for the product to fulfill the CRA, while contractual arrangements with customers allow individual agreements apart from the CRA where both parties agree that this is more practical. For example: The CRA requires that support and updates be provided for a machine over the typical useful lifetime – around 15 years. In addition, however, a contractual agreement could be concluded between customer and supplier stating that updates are subject to a fee after two years due to typical release cycles in the software industry and are based on technical feasibility.

Which path does the SMCC working group see as practicable for the semiconductor industry?

Maximilian: We are striving to gain recognition as a self-regulated industry. The main advantage of this is that we can develop regulations and requirements specifically tailored to our industry that are practical, feasible, and deliver the required level of security. Having said that, the previous SEMI cybersecurity standards (SEMI E187, E188 and E191) are not yet sufficient for this. That is why the next step is to intensify communication with the other working groups in the Semiconductor Manufacturing Cybersecurity Consortium (SMCC) in order to build on our preparatory work. At the same time, the regulations of international markets, for example in Asia and America, also need to be included so that we develop regulations that apply worldwide. 

Does the working group think it is feasible that the EU will recognize the semiconductor industry as exempt from the CRA by the time the CRA takes full effect in December 2027?

Maximilian: For that to happen, in addition to bundling the previous work of the individual SMCC groups, there are several important steps that need to be taken into account. 

  1. Risk assessment: Every company in the semiconductor sector must carry out a risk assessment for each of its products. Depending on the type of product, there are different risks, which have to be analyzed, assessed and addressed with appropriate measures.
  2. Expansion of SEMI cybersecurity standards: The new standards have to take into account the requirements for a variety of product groups, both hardware and software. The key challenge is getting these standards recognized by the EU as sufficient to be considered an alternative to CRA.
  3. EU contacts and procedures: We need to clarify who the relevant contacts are within the EU, and what specific procedures have to be carried out in order to have the semiconductor industry identified as a self-regulated sector.

Within the SMCC, there is a consensus that the period leading up to December 11, 2027 is sufficient to review and assess the risks. A key problem, however, is that the current security measures and any necessary action cannot yet be assessed, because the implementation of CRA requirements into national law is the responsibility of each EU member state. Each country will set up its own monitoring bodies and implement national interpretations of the requirements, which may differ from country to country. That makes recognition as a self-regulated industry with its own well-established standards that apply worldwide all the more important.

The three most important takeaways from the SMCC Working Group 8 CRA workshop in Brussels:

  • SEMI will strive to be recognized by the EU as a self-regulated industry, so that the semiconductor industry forms an exception under the Cyber Resilience Act.
  • In order to cover the requirements of the CRA, additional SEMI standards need to be created.
  • The overhead costs arising from the additional cybersecurity requirements, which are currently difficult to plan, must be quantified as quickly as possible. To be able to do this, it is essential that the minimum specifications for a product in the semiconductor industry are made clear.

Find out which measures we have already taken and what active cybersecurity means in our development in an interview with Michael Arndt, Product Owner of the ToolCommander® system control framework and the SEMI-compliant FabLink® interface solution for SECS/GEM, GEM300 and EDA interfaces.