Feature: Security


Figure 1: An immutable root of trust forms the basis upon which each stage of the boot process can be verifi ed as authentic


Futureproofi ng software infrastructure to ensure compliance


T


By Francesco Vaiani, Senior Product Manager, SECO In addition, manufacturers that are found


he European Union (EU) Cyber Resilience Act (CRA) marks an era-defi ning regulation for all products that contain digital elements. With full regulatory rollout


marked for December 11, 2027, and other mandatory requirements coming too, it is essential for engineering teams and product managers to understand the legislation. Aſt er all, manufacturers bear primary responsibility for ensuring all devices are compliant before market release. Alongside full liability in the event of


cybersecurity incidents, the penalties for non-conformity are severe: • Fines to €15m or 2.5% of global annual turnover, with non-compliant products banned, withdrawn, or recalled from EU markets.


• Loss of CE marking, meaning that products can’t legally be sold in the EU.


• Possible automatic exclusion from tenders and partnerships, since many requests for proposal require CRA-compliant solutions.


30 May 2026 www.electronicsworld.co.uk


not to comply risk losing market credibility and trust, since critical sector customers – like those from government, fi nancial and industrial organisations – avoid products that lack comprehensive security guarantees. Given these risks, system designers must


now consider the security implications of key hardware and soſt ware choices from the start of the design process, since both will aff ect long-term compliance and therefore market access.


CRA security commitments From consumer devices to distributed infrastructure components, modern edge systems suff er from an increasing number of security vulnerabilities. Outdated fi rmware and insecure communication protocols can lead to data breaches and unauthorised access that compromise device integrity. Accordingly, the CRA mandates several measures to maintain a minimal attack surface: First, manufacturers must protect devices against unauthorised tampering and


ensure soſt ware integrity from boot-up. While the CRA does not defi ne a specifi c framework for achieving this, secure boot, in combination with a root of trust (RoT), serves as a fundamental baseline for meeting this requirement. Secure boot uses cryptography to ensure


that only authentic, verifi ed soſt ware runs on the device. T is RoT forms the fi rst link in a chain of trust that authenticates each stage of the boot process, to ensure device integrity, as shown in Figure 1. If, for example, a hash of a soſt ware component is encrypted with a private key that does not match the public keys in the RoT, whether due to tampering or corruption, the boot process will either stop or restrict higher system capabilities (like network access) to prevent potential malware or botnets from spreading. Manufacturers must ensure integrity


via continuous vulnerability management and timely security updates throughout the entire product lifecycle. T e CRA defi nes a mandated support period of at least fi ve years, or the expected lifetime of


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44