CRA Compliance Blog

Practical EU Cyber Resilience Act guidance for embedded product teams.

2 April 2026·14 min read

CRA Annex I Checklist for Firmware Engineers

Map all 13 CRA Annex I security requirements and 8 vulnerability handling obligations to concrete firmware engineering tasks. Embedded checklist.

19 March 2026·10 min read

CRA Article 14: Embedded Vulnerability Reporting

CRA Article 14 vulnerability reporting: 24-hour, 72-hour, and 14-day deadlines explained, plus how to set up a minimum viable PSIRT for embedded teams.

5 March 2026·13 min read

CRA Compliance for Zephyr RTOS Projects

Map CRA Annex I requirements to Zephyr's security ecosystem (MCUboot, Mbed TLS, PSA Crypto, MPU) and find the gaps you still need to build.

19 February 2026·13 min read

CRA Compliance for FreeRTOS Firmware Projects

Map CRA Annex I requirements to FreeRTOS variants—vanilla kernel, AWS FreeRTOS, and vendor SDKs—and find the gaps the kernel doesn't cover.

5 February 2026·13 min read

CRA Secure Boot and Firmware Signing for MCUs

CRA Annex I secure boot for MCUs in practice: root of trust, code signing, anti-rollback, and choosing a bootloader for your product.

22 January 2026·12 min read

CRA-Compliant OTA Updates for Embedded Firmware

Build a CRA-compliant OTA firmware update pipeline for MCU and embedded Linux products—free, timely, and meeting Annex I lifecycle requirements.

8 January 2026·15 min read

From west spdx to a CRA-Compliant Zephyr SBOM

Zephyr's west spdx misses CPE/PURL identifiers and binary blobs needed for CRA vulnerability scanning. Full SBOM enrichment tutorial.

18 December 2025·11 min read

Generating a CRA-Compliant SBOM for Embedded Firmware

Generate a CRA-compliant SBOM for embedded firmware: handle binary blobs, vendor SDKs, and RTOS forks that break standard SBOM tools.

4 December 2025·12 min read

CRA Threat Modeling for Embedded Products

Threat modeling for embedded products under CRA Annex VII: handling physical attacks, JTAG access, and constrained environments with STRIDE.

20 November 2025·10 min read

CRA Classification: Default, Class I, or Class II?

CRA Default, Class I, and Class II tiers explained: which conformity assessment path you take and what it costs in time and money.

6 November 2025·9 min read

Is Your Embedded Product in CRA Scope?

Does the EU Cyber Resilience Act apply to your embedded product? Decision framework for digital elements, offline devices, and OEM components.