Service 02 – CRA

Software Security & CRA

Stop bolting on security at the end of your development cycle. Align your DevSecOps pipelines with the EU Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED Art. 3.3) to prevent market bans and heavy fines.

Step 01 – Engage: Book a Software Audit
The Hazard

The "Open-Source & Monolithic Update" Trap

Many software teams rely on generic Android Open Source Project (AOSP) builds or third-party SDKs without tracking their vulnerabilities. When a flaw is found, they push massive, monolithic firmware updates. Under the new EU Cyber Resilience Act, this is no longer legal. The EU strictly mandates machine-readable dependency tracking, the separation of security patches from feature updates, and a mandatory 24-hour early warning to European authorities in case of an actively exploited vulnerability. We audit your software architecture to ensure your code is EU-compliant before it compiles.

What We Offer: Engineering-Driven Compliance

01

Firmware Architecture & Hardening (CRA Annex I, Part I)

We translate EU legal requirements into strict coding guidelines. We assess your architecture to ensure your product ships with a secure-by-default configuration:

  • Attack Surface Reduction

    Ensuring debug interfaces (like ADB or UART) are disabled in production.
  • Cryptography

    Validating your encryption standards to meet EU privacy requirements, enforcing File-Based Encryption (FBE) for data at rest and mandatory TLS 1.3 for data in transit.
  • Access Control

    Enforcing Hardware Root of Trust and Verified Boot to guarantee firmware integrity.
02

Machine-Readable SBOM & Dependency Management

  • Software Bill of Materials

    The EU requires an SBOM covering at least the top-level dependencies of your product. We guide your team to integrate automated, machine-readable SBOM generation (SPDX or CycloneDX, serialized as JSON) into your CI/CD pipelines, mapping all first-party, open-source (OSS), and third-party binaries.
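As an added illustration (not part of this service description or of any client's pipeline), the following Python CI gate checks a CycloneDX JSON SBOM for the property the CRA asks for: every top-level dependency of the product is listed with a name, version and package URL, so it can be tracked against vulnerability feeds. The product name, package identifiers and the deliberately incomplete "openssl" entry are constructed for the example.

```python
import json

# Constructed CycloneDX 1.5 SBOM for a hypothetical product; "openssl" deliberately
# lacks a version and purl so the gate has something to catch.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "root", "name": "router-fw", "version": "2.4.0"}},
    "components": [
        {"bom-ref": "aosp", "name": "aosp-framework", "version": "13", "purl": "pkg:generic/aosp/framework@13"},
        {"bom-ref": "sdk", "name": "telemetry-sdk", "version": "3.1.2", "purl": "pkg:maven/com.vendor/telemetry-sdk@3.1.2"},
        {"bom-ref": "ssl", "name": "openssl"},
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["aosp", "sdk", "ssl"]},
        {"ref": "aosp", "dependsOn": ["ssl"]},
    ],
})

# Fields a top-level dependency needs before it can be matched against vulnerability feeds.
REQUIRED_FIELDS = ("name", "version", "purl")


def top_level_refs(sbom):
    """Return the bom-refs that the root (product) component depends on directly."""
    root = sbom["metadata"]["component"]["bom-ref"]
    for entry in sbom.get("dependencies", []):
        if entry.get("ref") == root:
            return list(entry.get("dependsOn", []))
    return []


def audit_sbom(text):
    """Parse a CycloneDX JSON document; return findings (empty list = gate passes)."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        return ["bomFormat is not CycloneDX"]
    components = {c.get("bom-ref"): c for c in sbom.get("components", [])}
    top = top_level_refs(sbom)
    findings = [] if top else ["root component declares no top-level dependencies"]
    for ref in top:
        comp = components.get(ref)
        if comp is None:
            findings.append(f"top-level dependency {ref!r} has no component entry")
            continue
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            findings.append(f"component {comp.get('name', ref)!r} is missing {', '.join(missing)}")
    return findings
```

In a pipeline, call `audit_sbom()` on the generated SBOM file and fail the build whenever the returned list is non-empty; on the sample above it reports the "openssl" component as missing its version and purl.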
03

Secure FOTA & Lifecycle Management

Your update mechanism must comply with strict EU rules. We help you design a compliant Firmware Over-The-Air (FOTA) architecture where:

  • Default Secure Distribution

    Updates are distributed securely and automatically by default (with an opt-out option for the user).
  • Decoupled Security Patches

    Security patches are decoupled from feature updates whenever technically feasible, as legally mandated by the CRA.
  • Legally Binding Support Period

    A Support Period is defined and documented. We help you justify this timeframe (legally set to a minimum of 5 years, unless the product's expected lifetime is shorter).
04

Vulnerability Handling & EU Reporting (Article 14)

  • Coordinated Vulnerability Disclosure

    We help you establish a CVD policy and set up the legal reporting pipelines to notify ENISA and the relevant national CSIRT within 24 hours (early warning) and 72 hours (full notification) of becoming aware of an actively exploited vulnerability.