Feature: Security
the product if shorter, and requires that manufacturers provide a specified end-of-support date upon market release. When an actively exploited vulnerability is discovered, manufacturers must disclose it to their national Computer Security Incident Response Team (CSIRT) and European Network and Information Security Agency (ENISA), the EU agency for cybersecurity. This reporting commitment comes into effect on September 11, 2026, with the following timeframe requirements:

• 24 hours: Early warning reports must be sent to ENISA and the national CSIRT.
• 72 hours: A formal vulnerability notification must be generated that details the exploit and how it affects a system.
• 14 days: A final report must be submitted once a security patch is available.

Naturally, continuous vulnerability management requires some level of real-time threat monitoring. Public frameworks like the Common Vulnerabilities and Exposures (CVE) system can help manufacturers spot and patch new threats in third-party software components, even before they are actively exploited within their own devices. To support this, the CRA also mandates that manufacturers maintain technical documentation for every update. In particular, a software bill-of-materials (SBOM) must be provided in a machine-readable format, such as CycloneDX or SPDX, covering all top-level dependencies at a minimum. This format enables automated tools to scan every software build against CVE databases, to identify new vulnerabilities as soon as they are reported. DevSecOps teams can then deliver patches that fix in-house issues without introducing third-party software.
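The SBOM scanning step described above, as an added example that is not from the article or any vendor tool: a minimal CycloneDX JSON document and a small advisory list are both constructed sample data embedded inline (the advisory IDs are placeholders, not real CVE numbers), and the script matches each component's version against the affected range of each advisory. A production pipeline would pull advisories from a CVE feed instead of embedding them, and would also flag SBOM entries that lack a version, since those cannot be matched at all.

```python
"""Scan a CycloneDX SBOM (constructed sample) against a local advisory list."""
import json

# Constructed sample CycloneDX 1.5 document with only the fields this scan needs.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "openssl", "version": "3.0.9",
         "purl": "pkg:generic/openssl@3.0.9"},
        {"type": "library", "name": "mbedtls", "version": "3.5.0",
         "purl": "pkg:generic/mbedtls@3.5.0"},
    ],
})

# Constructed advisory list with placeholder IDs. Each entry names the
# affected range as [introduced, fixed), i.e. the "fixed" version is safe.
SAMPLE_ADVISORIES = [
    {"id": "CVE-XXXX-0001", "component": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12", "severity": "high"},
    {"id": "CVE-XXXX-0002", "component": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.8", "severity": "critical"},
]


def parse_version(text):
    """Turn '1.2.11' (or '1.2.11a') into a comparable tuple of integers."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _pad(a, b):
    """Pad two version tuples to equal length so (1, 2) compares as (1, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    lo, hi = parse_version(introduced), parse_version(fixed)
    v_lo, lo = _pad(v, lo)
    v_hi, hi = _pad(v, hi)
    return lo <= v_lo and v_hi < hi


def load_components(sbom_json):
    """Extract (name, version, purl) records from a CycloneDX JSON string."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    records = []
    for comp in sbom.get("components", []):
        records.append({
            "name": comp.get("name", "?"),
            "version": comp.get("version"),  # None when the SBOM omits it
            "purl": comp.get("purl"),
        })
    return records


def scan(sbom_json, advisories):
    """Return one finding per (component, advisory) match, plus one per
    component whose version is missing and therefore cannot be checked."""
    findings = []
    for comp in load_components(sbom_json):
        if not comp["version"]:
            findings.append({"component": comp["name"], "version": None,
                             "advisory": None, "severity": "unknown",
                             "note": "no version in SBOM; cannot match"})
            continue
        for adv in advisories:
            if adv["component"] == comp["name"] and version_in_range(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f)
```

Running the block on the sample data reports zlib 1.2.11 against the placeholder advisory (fixed in 1.2.12) and nothing for openssl 3.0.9, which is above its advisory's fixed version. The range check treats the "fixed" version as exclusive, so a build that already carries the patched release is not flagged.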
Figure 2: CRA conformity requires that manufacturers produce comprehensive, up-to-date technical documentation for all products
In addition to SBOMs, CRA conformity requires extensive documentation that includes a high-level security risk assessment, system architecture diagrams with a description of the development process, and descriptions of the vulnerability handling process; see Figure 2. These are used to verify that the system is secure-by-design within CRA guidelines. Logged documentation must be retained throughout a device's lifecycle and made available to auditors, surveillance authorities and notified bodies for ten years after market release, or for the duration of a longer support period.

Finally, a formal declaration of conformity (DoC) allows manufacturers to use the CE marking for EU market access. The DoC document contains details that include the manufacturer's name and address, a unique identification for the product, and references to specific standards and technical specifications used to prove compliance. For certain digital products that come under the CRA's "Important Class I", "Important Class II" and "Critical" categories, details of a third-party auditor must also be included to verify compliance. Such devices include industrial control systems, IoT gateways and software for privileged access, where breaches may cause wider infrastructure damage. By signing a DoC, manufacturers take full responsibility for CRA compliance.

With full regulatory rollout marked for December 11, 2027, and other mandatory requirements coming too, it is essential for engineering teams and product managers to understand the legislation.

Given the depth of these commitments, OTA updates provide the most effective way to quickly deliver patches and maintain connected device integrity. Continuous OTA updates, however, require a sophisticated software architecture that specifically caters to CRA-aligned updates.

Designing for regular OTA security

Under the CRA, DevSecOps teams face immense time pressure when locating,
www.electronicsworld.co.uk May 2026 31