What CRA requirements apply specifically to firmware updates?

The CRA requires that firmware updates be delivered securely, meaning signed and integrity-verified. Updates must be provided throughout the expected product lifecycle, but for at least five years. Additionally, a documented process for receiving and handling vulnerability reports must exist.

How do I handle legacy embedded products that don't support updates?

For existing products without update capability, manufacturers must develop a strategy: either retrofit update capability or create clear end-of-support communication with replacement recommendations. The CRA applies to products placed on the market after the effective date. Kunnus helps plan both scenarios.

How do I create an SBOM for firmware without source code access?

When source code is not fully accessible, for example with third-party binary components, binary analysis can be used. This identifies compiled libraries and versions from the firmware image. Kunnus supports this process and combines the results into a complete SBOM.

How long must I provide security updates for long-lifecycle embedded products?

The CRA requires security updates throughout the expected product lifecycle, but for at least five years. For embedded products with 15 to 25-year lifespans, a phased strategy with active support, limited support, and planned end-of-life is recommended. Kunnus helps you document this strategy in a CRA-compliant manner.

All Industries

Embedded Systems & Firmware

Firmware is the invisible foundation of modern products with digital elements and a central topic of the Cyber Resilience Act. Embedded systems in control units, microcontrollers, and real-time systems often have lifecycles spanning decades. The CRA demands continuous security updates, complete SBOMs, and structured vulnerability processes even for these systems.

Start CRA Assessment Now

CRA Relevance for Embedded Systems & Firmware

Firmware is directly subject to CRA requirements as a core component of products with digital elements. The unique characteristics of embedded systems, including long lifecycles, resource-constrained hardware, and limited update capabilities, make compliance particularly demanding.

Firmware in control units, sensors, and actuators is an integral part of the product with digital elements and is fully subject to the CRA
Long product lifecycles of 10 to 25 years require sustainable strategies for security updates and vulnerability management
Resource-constrained hardware with limited memory and processing power complicates the integration of modern security mechanisms
Real-time requirements in safety-critical applications set tight boundaries for patching and update procedures
Legacy systems without designed-in update mechanisms must be retrofitted or phased out through clear end-of-life strategies

Compliance Challenges for Embedded Systems

Legacy Firmware Without Update Mechanisms

Many existing embedded products were designed without OTA update capability. Retrofitting secure update channels is technically complex and often requires hardware modifications.

Resource Constraints for Security Features

Microcontrollers with limited memory and processing power cannot readily implement encryption, secure boot processes, or comprehensive security monitors. CRA requirements must be aligned with hardware realities.

Long Product Lifecycles vs. Mandatory Update Obligations

Embedded systems in industrial plants or medical devices are deployed for 15 to 25 years. Providing security updates over this period requires long-term planning and resource commitment.

Hardware-Software Interface Security

The tight coupling between firmware and hardware creates specific attack vectors. Side-channel attacks, hardware tampering, and debug interfaces must be addressed in the CRA risk assessment.

How Kunnus Supports Embedded Manufacturers

Firmware SBOM Management

Kunnus creates and maintains SBOMs for firmware products, including real-time operating systems, HAL layers, and embedded libraries. The platform supports both source code and binary analysis-based SBOM generation.

Binary Analysis for Vulnerability Detection

For firmware without available source code or with third-party binary components, Kunnus offers binary analysis capabilities to identify included libraries and uncover known vulnerabilities.

OTA Update Strategy and Compliance

Kunnus documents your OTA update infrastructure in a CRA-compliant manner and assists in planning secure update mechanisms, from signed firmware delivery to rollback scenarios.

Lifecycle Security Planning

Plan the entire security lifecycle of your embedded products: from secure development through market surveillance to end of life. Kunnus assists with documenting and maintaining long-term obligations.

Explore All Features

Frequently Asked Questions

Common questions about CRA compliance in this industry.

Check Your Embedded Products' CRA Readiness

Determine in just a few minutes how well your embedded systems and firmware products are prepared for the Cyber Resilience Act and what steps to take next.

Start CRA Assessment Now

Embedded Systems & Firmware