[{"data":1,"prerenderedAt":1042},["ShallowReactive",2],{"blog-cra-compliance-zephyr-rtos":3},{"id":4,"title":5,"body":6,"date":1025,"description":1026,"extension":1027,"image":1028,"keywords":1029,"meta":1036,"navigation":607,"path":1037,"readTime":1038,"seo":1039,"stem":1040,"__hash__":1041},"blog/blog/cra-compliance-zephyr-rtos.md","CRA Compliance for Zephyr RTOS Projects",{"type":7,"value":8,"toc":1006},"minimark",[9,13,16,25,30,33,68,71,75,80,85,100,108,113,116,124,129,132,140,143,154,162,167,175,180,183,188,208,211,217,227,232,240,245,257,262,270,275,291,296,308,313,321,326,329,333,338,345,351,354,393,404,409,417,424,429,436,440,444,447,461,465,468,472,475,552,555,559,569,573,576,587,591,596,637,642,678,683,709,714,741,746,773,778,809,814,848,852,857,871,876,890,895,909,914,935,943,946,952,956],[10,11,12],"p",{},"Zephyr is the RTOS with the richest built-in security ecosystem in the embedded world. MCUboot for secure boot, Mbed TLS for cryptography and TLS, PSA Crypto API support, MPU-based memory isolation, and MCUmgr for device management — these aren't third-party add-ons; they're part of the project.",[10,14,15],{},"For CRA compliance, this is both an advantage and a trap. The advantage: many Annex I requirements can be met with features Zephyr already provides. The trap: having the features available doesn't mean they're configured, enabled, or documented in a way that satisfies the regulation. And there are genuine gaps where Zephyr's ecosystem doesn't cover the CRA requirement at all.",[10,17,18,19,24],{},"This post maps every relevant Annex I requirement to Zephyr features, identifies the gaps, and provides a Zephyr-specific compliance checklist. Using FreeRTOS instead? 
See our ",[20,21,23],"a",{"href":22},"/blog/cra-compliance-freertos/","FreeRTOS CRA compliance guide",".",[26,27,29],"h2",{"id":28},"why-zephyrs-security-posture-matters","Why Zephyr's Security Posture Matters",[10,31,32],{},"Zephyr has invested more in built-in security than any other MCU-class RTOS:",[34,35,36,44,50,56,62],"ul",{},[37,38,39,43],"li",{},[40,41,42],"strong",{},"MCUboot integration"," is first-class — Zephyr's build system generates MCUboot-compatible images natively",[37,45,46,49],{},[40,47,48],{},"Mbed TLS"," is the default TLS library, with PSA Crypto API support",[37,51,52,55],{},[40,53,54],{},"MPU support"," across Cortex-M, RISC-V, and other architectures provides hardware memory isolation",[37,57,58,61],{},[40,59,60],{},"MCUmgr"," provides a device management protocol for firmware updates via BLE, UART, or UDP",[37,63,64,67],{},[40,65,66],{},"West manifest"," tracks all project dependencies with exact revisions",[10,69,70],{},"But Zephyr is a framework, not a product. The security features need to be configured, tested, and documented for your specific product. CRA compliance is about what your product does, not what the RTOS it's built on is capable of.",[26,72,74],{"id":73},"annex-i-mapping-to-zephyr-features","Annex I Mapping to Zephyr Features",[76,77,79],"h3",{"id":78},"part-i-security-requirements","Part I: Security Requirements",[10,81,82],{},[40,83,84],{},"Requirement 1 — Appropriate cybersecurity level (threat model)",[10,86,87,88,94,95,99],{},"Zephyr doesn't provide a threat model for your product — that's your responsibility. However, Zephyr's own ",[20,89,93],{"href":90,"rel":91},"https://docs.zephyrproject.org/latest/security/",[92],"nofollow","security documentation"," and threat model can serve as a starting point for the RTOS layer of your product's threat model. 
See our ",[20,96,98],{"href":97},"/blog/cra-threat-modeling-embedded/","CRA threat modeling guide"," for the full approach.",[34,101,102,105],{},[37,103,104],{},"Zephyr provides: Documented security architecture, security-focused development process",[37,106,107],{},"You still need: Product-specific threat model, risk assessment",[10,109,110],{},[40,111,112],{},"Requirement 2 — No known exploitable vulnerabilities",[10,114,115],{},"Zephyr has an active CVE process and publishes security advisories. But you're responsible for monitoring and patching.",[34,117,118,121],{},[37,119,120],{},"Zephyr provides: CVE tracking, security advisories, regular releases with fixes",[37,122,123],{},"You still need: CVE monitoring for your specific Zephyr version and configuration, VEX triage for all components in your build, update mechanism to deliver patches",[10,125,126],{},[40,127,128],{},"Requirement 3 — Integrity protection (secure boot, signed updates)",[10,130,131],{},"This is where Zephyr shines. 
MCUboot integration is mature and well-documented.",[34,133,134,137],{},[37,135,136],{},"Zephyr provides: MCUboot as the default bootloader with support for Ed25519, ECDSA P-256, and RSA signing algorithms, image swap and revert, hardware key storage integration for supported platforms",[37,138,139],{},"You still need: Key management infrastructure (HSM/KMS for signing keys), anti-rollback configuration (MCUboot supports it but it needs platform-specific counter support), production key provisioning process",[10,141,142],{},"Kconfig options to enable:",[144,145,150],"pre",{"className":146,"code":148,"language":149},[147],"language-text","# In your prj.conf or board overlay\nCONFIG_BOOTLOADER_MCUBOOT=y\nCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"path/to/your/signing-key.pem\"\n\n# In MCUboot's prj.conf\n# Comments sit on their own line: a trailing # comment is read as part of the value\n# Signature type (or ED25519, RSA)\nCONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y\n# Preferred over scratch-based swap\nCONFIG_BOOT_SWAP_USING_MOVE=y\n# Allow revert on failure\nCONFIG_BOOT_UPGRADE_ONLY=n\n","text",[151,152,148],{"__ignoreMap":153},"",[10,155,156,157,161],{},"See our ",[20,158,160],{"href":159},"/blog/cra-secure-boot-firmware-signing/","secure boot guide"," for the full pipeline.",[10,163,164],{},[40,165,166],{},"Requirement 4 — Confidentiality (encryption)",[34,168,169,172],{},[37,170,171],{},"Zephyr provides: Mbed TLS for TLS/DTLS, PSA Crypto API for key management and cryptographic operations, hardware crypto acceleration on supported MCUs (STM32, nRF, NXP)",[37,173,174],{},"You still need: Secure key storage configuration (depends on your MCU — TrustZone, secure element, or software-emulated), encryption of data at rest in external flash (Zephyr doesn't provide this out of the box)",[10,176,177],{},[40,178,179],{},"Requirement 5 — Data minimisation",[10,181,182],{},"Not an RTOS concern — this is about your application's data collection practices.",[10,184,185],{},[40,186,187],{},"Requirement 6 — Minimise attack 
surface",[34,189,190,205],{},[37,191,192,193,196,197,200,201,204],{},"Zephyr provides: Kconfig-based build — only compiled features are included, MPU configuration for memory isolation (",[151,194,195],{},"CONFIG_USERSPACE=y","), stack canaries and overflow detection (",[151,198,199],{},"CONFIG_STACK_SENTINEL=y"," or ",[151,202,203],{},"CONFIG_HW_STACK_PROTECTION=y",")",[37,206,207],{},"You still need: JTAG/SWD disable in production (board-level Kconfig or OTP configuration), audit of enabled Kconfig options to remove unnecessary features, network stack hardening (disable unused protocols)",[10,209,210],{},"Key Kconfig options for hardening:",[144,212,215],{"className":213,"code":214,"language":149},[147],"CONFIG_HW_STACK_PROTECTION=y\nCONFIG_STACK_SENTINEL=y\n# MPU-based isolation\nCONFIG_USERSPACE=y\nCONFIG_STACK_CANARIES=y\nCONFIG_FORTIFY_SOURCE=y\n",[151,216,214],{"__ignoreMap":153},[10,218,219,222,223,226],{},[40,220,221],{},"JTAG/SWD disable:"," This is platform-specific. For nRF devices, use ",[151,224,225],{},"CONFIG_NRF_APPROTECT_LOCK=y",". For STM32, RDP Level 2 is set outside Zephyr (via STM32CubeProgrammer or OTP configuration). 
Document which mechanism you use.",[10,228,229],{},[40,230,231],{},"Requirement 7 — Secure defaults",[34,233,234,237],{},[37,235,236],{},"Zephyr provides: No default credentials in the RTOS itself",[37,238,239],{},"You still need: Ensure your application doesn't ship with default passwords or hardcoded credentials, first-boot provisioning flow that forces credential setup, disable unnecessary services by default in your application",[10,241,242],{},[40,243,244],{},"Requirement 8 — Access control",[34,246,247,254],{},[37,248,249,250,253],{},"Zephyr provides: Userspace/kernel separation via MPU (",[151,251,252],{},"CONFIG_USERSPACE","), system call interface for controlled kernel access",[37,255,256],{},"You still need: Application-level authentication for remote interfaces, role-based access if your product has multiple user levels",[10,258,259],{},[40,260,261],{},"Requirement 9 — Availability / resilience",[34,263,264,267],{},[37,265,266],{},"Zephyr provides: Hardware watchdog support, thread priority management, kernel-level resource management",[37,268,269],{},"You still need: Watchdog configuration in your application, network stack DoS resilience testing, resource limit configuration for connections and buffers",[10,271,272],{},[40,273,274],{},"Requirement 10 — Secure communications",[34,276,277,280],{},[37,278,279],{},"Zephyr provides: Mbed TLS for TLS 1.2/1.3 and DTLS 1.2, CoAP library with DTLS support, Bluetooth encryption (LE Secure Connections)",[37,281,282,283,286,287,290],{},"You still need: TLS/DTLS configuration with strong cipher suites (disable weak ciphers), server certificate verification (don't set ",[151,284,285],{},"mbedtls_ssl_conf_authmode"," to ",[151,288,289],{},"MBEDTLS_SSL_VERIFY_NONE","), certificate or PSK provisioning for your device fleet",[10,292,293],{},[40,294,295],{},"Requirement 11 — Security event logging",[34,297,298,305],{},[37,299,300,301,304],{},"Zephyr provides: Logging subsystem (",[151,302,303],{},"CONFIG_LOG=y",") with 
multiple backends (UART, RTT, flash)",[37,306,307],{},"You still need: Define which events are security-relevant for your product, configure log persistence (Zephyr logs are volatile by default), tamper protection for stored logs",[10,309,310],{},[40,311,312],{},"Requirement 12 — Secure data deletion",[34,314,315,318],{},[37,316,317],{},"Zephyr provides: Flash erase APIs",[37,319,320],{},"You still need: Factory reset implementation that securely erases user data, keys, and configuration, verification that erase actually clears data (not just marks sectors as available)",[10,322,323],{},[40,324,325],{},"Requirement 13 — User notification",[10,327,328],{},"Not an RTOS feature — depends on your product's user interface (companion app, web dashboard, LED indicators).",[76,330,332],{"id":331},"part-ii-vulnerability-handling","Part II: Vulnerability Handling",[10,334,335],{},[40,336,337],{},"VH1 — SBOM",[10,339,340,341,344],{},"Zephyr has a built-in SBOM generation command: ",[151,342,343],{},"west spdx",". Run it after any build, and it produces SPDX 2.3 documents covering the source files and libraries that were actually compiled. This is more than most RTOSes offer.",[10,346,347,348,350],{},"However, the raw ",[151,349,343],{}," output isn't CRA-compliant on its own. 
It lacks CPE/PURL identifiers (so vulnerability scanners can't match components to CVEs), rolls subsystem components like Bluetooth and MQTT into the kernel package instead of listing them individually, and can't see inside vendor HAL binary blobs.",[10,352,353],{},"Making the output useful requires an enrichment workflow:",[355,356,357,365,371,377,387],"ol",{},[37,358,359,364],{},[40,360,361,362],{},"Run ",[151,363,343],{}," to generate the base SPDX documents from your build",[37,366,367,370],{},[40,368,369],{},"Add CPE/PURL identifiers"," to every package so scanners can match against NVD and OSV",[37,372,373,376],{},[40,374,375],{},"Add invisible components"," (Bluetooth stack, MQTT, cJSON) that are compiled in but not listed as discrete packages",[37,378,379,382,383,386],{},[40,380,381],{},"Document binary blobs"," from vendor HALs with available version info and ",[151,384,385],{},"NOASSERTION"," for opaque contents",[37,388,389,392],{},[40,390,391],{},"Merge the four SPDX files"," into a single document for submission and scanning",[10,394,156,395,399,400,24],{},[20,396,398],{"href":397},"/blog/zephyr-sbom-cra-compliance/","step-by-step Zephyr SBOM tutorial"," for the full enrichment workflow, including scripting CPE/PURL additions, CI/CD integration, and CycloneDX conversion. For broader SBOM context, see our ",[20,401,403],{"href":402},"/blog/cra-sbom-firmware/","SBOM guide",[10,405,406],{},[40,407,408],{},"VH2 — Security update delivery",[34,410,411,414],{},[37,412,413],{},"Zephyr provides: MCUmgr for BLE/UART/UDP device management including firmware upload, MCUboot for A/B updates with revert",[37,415,416],{},"You still need: Update server infrastructure, fleet management, staged rollout capability",[10,418,419,420,24],{},"MCUmgr provides the on-device update mechanism, but fleet-scale OTA requires additional infrastructure. 
See our ",[20,421,423],{"href":422},"/blog/cra-ota-firmware-updates/","OTA updates guide",[10,425,426],{},[40,427,428],{},"VH3–VH8 — Vulnerability handling processes",[10,430,431,432,24],{},"These are organisational requirements, not RTOS features. You need a PSIRT, CVD policy, ENISA registration, and patch management process regardless of your RTOS choice. See our ",[20,433,435],{"href":434},"/blog/cra-article-14-vulnerability-reporting/","Article 14 guide",[26,437,439],{"id":438},"gaps-in-zephyrs-cra-readiness","Gaps in Zephyr's CRA Readiness",[76,441,443],{"id":442},"_1-no-built-in-fleet-management","1. No Built-In Fleet Management",[10,445,446],{},"MCUmgr handles the on-device side of firmware updates, but there's no Zephyr-provided server component for managing updates across a fleet of devices. You need to build or adopt:",[34,448,449,452,455,458],{},[37,450,451],{},"Update server (hawkBit, custom, or cloud IoT platform)",[37,453,454],{},"Device registration and inventory",[37,456,457],{},"Update targeting and staged rollout",[37,459,460],{},"Update status tracking",[76,462,464],{"id":463},"_2-anti-rollback-requires-platform-support","2. Anti-Rollback Requires Platform Support",[10,466,467],{},"MCUboot supports anti-rollback via a monotonic counter, but the actual counter implementation depends on the hardware platform. Not all Zephyr-supported boards have this configured. You need to verify that your specific MCU and board configuration supports hardware-backed monotonic counters, or implement a flash-based counter with integrity protection.",[76,469,471],{"id":470},"_3-secure-storage-varies-by-platform","3. 
Secure Storage Varies by Platform",[10,473,474],{},"Zephyr's trusted storage story depends heavily on the MCU:",[476,477,478,494],"table",{},[479,480,481],"thead",{},[482,483,484,488,491],"tr",{},[485,486,487],"th",{},"Platform",[485,489,490],{},"Secure storage mechanism",[485,492,493],{},"Maturity in Zephyr",[495,496,497,509,520,530,541],"tbody",{},[482,498,499,503,506],{},[500,501,502],"td",{},"nRF91/nRF5340",[500,504,505],{},"TrustZone + KMU",[500,507,508],{},"Good — SPE/NSPE split well-supported",[482,510,511,514,517],{},[500,512,513],{},"STM32L5/U5",[500,515,516],{},"TrustZone + OTFDEC",[500,518,519],{},"Moderate — TF-M integration available",[482,521,522,525,528],{},[500,523,524],{},"NXP LPC55S",[500,526,527],{},"TrustZone + PUF",[500,529,519],{},[482,531,532,535,538],{},[500,533,534],{},"ESP32",[500,536,537],{},"Flash encryption + secure boot (ESP-IDF, not Zephyr-native)",[500,539,540],{},"Limited — ESP32 Zephyr support is less mature for security features",[482,542,543,546,549],{},[500,544,545],{},"Generic Cortex-M4 (no TrustZone)",[500,547,548],{},"Software-only, MPU isolation",[500,550,551],{},"Weak — no hardware-backed secret storage",[10,553,554],{},"For MCUs without TrustZone or a secure element, you may need an external secure element (ATECC608, SE050) for CRA-compliant key storage.",[76,556,558],{"id":557},"_4-sbom-tooling-requires-enrichment","4. SBOM Tooling Requires Enrichment",[10,560,561,562,564,565,568],{},"Zephyr's ",[151,563,343],{}," command generates SPDX documents, but the raw output lacks the CPE/PURL identifiers and component granularity needed for CRA-compliant vulnerability scanning. The tooling exists but requires a post-processing workflow to be useful. See our ",[20,566,567],{"href":397},"Zephyr SBOM tutorial"," for the full enrichment process.",[76,570,572],{"id":571},"_5-debug-interface-lockdown-is-board-specific","5. 
Debug Interface Lockdown Is Board-Specific",[10,574,575],{},"Disabling JTAG/SWD must be done per-board and per-MCU. Zephyr's Kconfig doesn't provide a universal \"disable debug interface\" option. You need to:",[34,577,578,581,584],{},[37,579,580],{},"Identify your MCU's debug disable mechanism (OTP fuse, register lock, AP disable)",[37,582,583],{},"Implement it in your board configuration or manufacturing provisioning",[37,585,586],{},"Document it in your technical documentation",[26,588,590],{"id":589},"zephyr-specific-compliance-checklist","Zephyr-Specific Compliance Checklist",[10,592,593],{},[40,594,595],{},"Secure boot (MCUboot)",[34,597,600,613,619,625,631],{"className":598},[599],"contains-task-list",[37,601,604,609,610,204],{"className":602},[603],"task-list-item",[605,606],"input",{"disabled":607,"type":608},true,"checkbox"," MCUboot enabled (",[151,611,612],{},"CONFIG_BOOTLOADER_MCUBOOT=y",[37,614,616,618],{"className":615},[603],[605,617],{"disabled":607,"type":608}," Signing key generated and stored in HSM/KMS",[37,620,622,624],{"className":621},[603],[605,623],{"disabled":607,"type":608}," Production images signed with production key (not the default development key)",[37,626,628,630],{"className":627},[603],[605,629],{"disabled":607,"type":608}," Swap-based update with revert on failure",[37,632,634,636],{"className":633},[603],[605,635],{"disabled":607,"type":608}," Anti-rollback counter configured for your platform",[10,638,639],{},[40,640,641],{},"Cryptography and TLS",[34,643,645,651,657,663,669],{"className":644},[599],[37,646,648,650],{"className":647},[603],[605,649],{"disabled":607,"type":608}," Mbed TLS configured with strong cipher suites only",[37,652,654,656],{"className":653},[603],[605,655],{"disabled":607,"type":608}," TLS 1.2+ or DTLS 1.2+ for all network communications",[37,658,660,662],{"className":659},[603],[605,661],{"disabled":607,"type":608}," Server certificate verification 
enabled",[37,664,666,668],{"className":665},[603],[605,667],{"disabled":607,"type":608}," PSA Crypto API used for key management where supported",[37,670,672,674,675,204],{"className":671},[603],[605,673],{"disabled":607,"type":608}," Hardware crypto acceleration enabled (",[151,676,677],{},"CONFIG_MBEDTLS_PSA_CRYPTO_C=y",[10,679,680],{},[40,681,682],{},"Memory protection",[34,684,686,695,703],{"className":685},[599],[37,687,689,691,692,694],{"className":688},[603],[605,690],{"disabled":607,"type":608}," MPU enabled (",[151,693,195],{},") for applications with multiple privilege levels",[37,696,698,700,701,204],{"className":697},[603],[605,699],{"disabled":607,"type":608}," Stack protection enabled (",[151,702,203],{},[37,704,706,708],{"className":705},[603],[605,707],{"disabled":607,"type":608}," Stack canaries or sentinels enabled",[10,710,711],{},[40,712,713],{},"Attack surface reduction",[34,715,717,723,729,735],{"className":716},[599],[37,718,720,722],{"className":719},[603],[605,721],{"disabled":607,"type":608}," JTAG/SWD disabled in production builds",[37,724,726,728],{"className":725},[603],[605,727],{"disabled":607,"type":608}," Unused Kconfig features disabled",[37,730,732,734],{"className":731},[603],[605,733],{"disabled":607,"type":608}," Debug logging disabled or secured in production",[37,736,738,740],{"className":737},[603],[605,739],{"disabled":607,"type":608}," Unused network protocols and services disabled",[10,742,743],{},[40,744,745],{},"OTA updates",[34,747,749,755,761,767],{"className":748},[599],[37,750,752,754],{"className":751},[603],[605,753],{"disabled":607,"type":608}," MCUmgr configured for firmware upload (BLE, UART, or UDP)",[37,756,758,760],{"className":757},[603],[605,759],{"disabled":607,"type":608}," Update server infrastructure operational",[37,762,764,766],{"className":763},[603],[605,765],{"disabled":607,"type":608}," Rollback tested and 
documented",[37,768,770,772],{"className":769},[603],[605,771],{"disabled":607,"type":608}," Update signing key matches boot signing trust chain",[10,774,775],{},[40,776,777],{},"SBOM",[34,779,781,791,797,803],{"className":780},[599],[37,782,784,786,787,790],{"className":783},[603],[605,785],{"disabled":607,"type":608}," ",[151,788,789],{},"west.yml"," manifest parsed for all dependencies",[37,792,794,796],{"className":793},[603],[605,795],{"disabled":607,"type":608}," CMake build output analysed for actual compiled components",[37,798,800,802],{"className":799},[603],[605,801],{"disabled":607,"type":608}," SPDX or CycloneDX document generated per release",[37,804,806,808],{"className":805},[603],[605,807],{"disabled":607,"type":608}," Binary blobs and external components documented",[10,810,811],{},[40,812,813],{},"Vulnerability management",[34,815,817,823,829,835],{"className":816},[599],[37,818,820,822],{"className":819},[603],[605,821],{"disabled":607,"type":608}," Zephyr security advisory feed monitored",[37,824,826,828],{"className":825},[603],[605,827],{"disabled":607,"type":608}," CVE monitoring for Mbed TLS, MCUboot, and all Zephyr modules",[37,830,832,834],{"className":831},[603],[605,833],{"disabled":607,"type":608}," Patch/update process covers Zephyr upstream updates",[37,836,838,840,841,843,844,847],{"className":837},[603],[605,839],{"disabled":607,"type":608}," Zephyr version pinned in ",[151,842,789],{}," (not tracking ",[151,845,846],{},"main"," in production)",[26,849,851],{"id":850},"recommended-implementation-roadmap","Recommended Implementation Roadmap",[10,853,854],{},[40,855,856],{},"Phase 1 (Month 1–2): Foundation",[355,858,859,862,865,868],{},[37,860,861],{},"Enable MCUboot with proper signing (not development keys)",[37,863,864],{},"Enable MPU and stack protection",[37,866,867],{},"Disable JTAG/SWD in production board config",[37,869,870],{},"Generate initial SBOM from west manifest",[10,872,873],{},[40,874,875],{},"Phase 2 (Month 2–3): 
Communications and Updates",[355,877,878,881,884,887],{},[37,879,880],{},"Configure Mbed TLS with CRA-appropriate cipher suites",[37,882,883],{},"Set up MCUmgr for OTA updates",[37,885,886],{},"Implement update server infrastructure",[37,888,889],{},"Test and document rollback behaviour",[10,891,892],{},[40,893,894],{},"Phase 3 (Month 3–4): Vulnerability Handling",[355,896,897,900,903,906],{},[37,898,899],{},"Set up CVE monitoring for all Zephyr components",[37,901,902],{},"Establish PSIRT process and CVD policy",[37,904,905],{},"Register on ENISA reporting platform",[37,907,908],{},"Build VEX triage workflow",[10,910,911],{},[40,912,913],{},"Phase 4 (Month 4–5): Documentation and Testing",[355,915,916,922,929,932],{},[37,917,918,919],{},"Conduct product ",[20,920,921],{"href":97},"threat model",[37,923,924,925],{},"Run security testing against ",[20,926,928],{"href":927},"/blog/cra-annex-i-essential-requirements-checklist/","Annex I requirements",[37,930,931],{},"Prepare Annex VII technical documentation",[37,933,934],{},"Prepare EU Declaration of Conformity",[10,936,937,938,942],{},"The ",[20,939,941],{"href":940},"/","Stack Canary assessment tool"," will identify your specific gaps and help prioritise your remediation roadmap based on your Zephyr project's current configuration.",[944,945],"hr",{},[10,947,948],{},[949,950,951],"em",{},"Based on Regulation EU 2024/2847 Annex I, Zephyr Project documentation (v3.7+), MCUboot documentation, Mbed TLS documentation, and PSA Certified specifications. 
This does not constitute legal advice.",[26,953,955],{"id":954},"sources","Sources",[34,957,958,965,971,978,985,992,999],{},[37,959,960],{},[20,961,964],{"href":962,"rel":963},"https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng",[92],"Regulation (EU) 2024/2847 — Cyber Resilience Act (full text)",[37,966,967],{},[20,968,970],{"href":90,"rel":969},[92],"Zephyr Project — Security documentation",[37,972,973],{},[20,974,977],{"href":975,"rel":976},"https://docs.zephyrproject.org/latest/develop/west/zephyr-cmds.html",[92],"Zephyr Project — west spdx command",[37,979,980],{},[20,981,984],{"href":982,"rel":983},"https://docs.mcuboot.com/design.html",[92],"MCUboot — Design documentation",[37,986,987],{},[20,988,991],{"href":989,"rel":990},"https://www.trustedfirmware.org/projects/mbed-tls/",[92],"Mbed TLS — Documentation",[37,993,994],{},[20,995,998],{"href":996,"rel":997},"https://www.psacertified.org/getting-started/specifications/",[92],"PSA Certified — Specifications",[37,1000,1001],{},[20,1002,1005],{"href":1003,"rel":1004},"https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/index.html",[92],"Nordic Semiconductor — nRF Connect SDK security",{"title":153,"searchDepth":1007,"depth":1007,"links":1008},2,[1009,1010,1015,1022,1023,1024],{"id":28,"depth":1007,"text":29},{"id":73,"depth":1007,"text":74,"children":1011},[1012,1014],{"id":78,"depth":1013,"text":79},3,{"id":331,"depth":1013,"text":332},{"id":438,"depth":1007,"text":439,"children":1016},[1017,1018,1019,1020,1021],{"id":442,"depth":1013,"text":443},{"id":463,"depth":1013,"text":464},{"id":470,"depth":1013,"text":471},{"id":557,"depth":1013,"text":558},{"id":571,"depth":1013,"text":572},{"id":589,"depth":1007,"text":590},{"id":850,"depth":1007,"text":851},{"id":954,"depth":1007,"text":955},"2026-03-05","Map CRA Annex I requirements to Zephyr's security ecosystem (MCUboot, Mbed TLS, PSA Crypto, MPU) and find the gaps you still need to 
build.","md","/images/blog/previews/zephyr-rtos.svg",[1030,1031,1032,1033,1034,1035],"CRA Zephyr RTOS","Zephyr CRA compliance","Cyber Resilience Act Zephyr","Zephyr RTOS security CRA","MCUboot CRA","Zephyr security",{},"/blog/cra-compliance-zephyr-rtos","13 min",{"title":5,"description":1026},"blog/cra-compliance-zephyr-rtos","IT73m6bUOihX4cJH2kUrp6pcyrlnPY0V79AzTa6viS8",1775939691378]