CRA in practice
CRA Compliance in Embedded Systems: A Practical Look from the Yocto Project World
<p>Embedded products are at the core of the Cyber Resilience Act, yet they face unique compliance challenges. Hardware vendors ship heavily patched BSPs, software modules often diverge from upstream, and reliable identification of modified components is still far from solved. For teams building products on top of these layers, translating CRA requirements into daily engineering practice is not straightforward.</p>
<p>This talk provides a practical overview of where CRA compliance currently stands for embedded devices, using Yocto Project–based workflows as a representative example. We will explore what is already achievable today with existing tooling (SBOM generation, vulnerability scanning, provenance capture), and highlight the gaps that still require industry-wide definitions - from consistent software identification to handling vendor modifications and long-tail dependencies.</p>
<p>Participants will gain a grounded, realistic understanding of how CRA obligations map to actual embedded development, what can be implemented now, and where the ecosystem still needs collective work to reach a "working" state.</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ua2114 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 1/31/26 |
<p>Opening remarks and housekeeping.</p>
|
| 1/31/26 |
<p>Deutsche Bahn, with its 230,000 employees and hundreds of subsidiaries, is far from an average organization. Yet it faces the same challenges under the CRA as many others. In this session, we will show how we connected the concrete requirements of CRA compliance with our broader effort to bring transparency to our software supply chains. This forms the basis for security and license compliance processes, as well as for proactively shaping the ecosystems we depend on.</p> <p>We will outline ...
|
| 1/31/26 |
<p>EV charging stations expose a uniquely difficult CRA landscape: A single physical device can be accessed through very different user paths: ISO 15118 (Plug&Charge), RFID cards, mobile apps, credit-card terminals, and OEM-backends. Between the end user and the actual product manufacturer sit multiple intermediaries (CSMS, OEM cloud, roaming hubs, payment processors), each with partial control over configuration, telemetry, and security posture. How to deliver all the CRA obligations across ...
|
| 1/31/26 |
<p><a href="https://github.com/erlang/otp">Erlang/OTP</a> is an open source programming language designed for the development of concurrent and distributed systems. Created 40 years ago and open sourced in 1998, Erlang is used by <a href="https://www.ericsson.com/en">Ericsson</a>, <a href="https://www.cisco.com/">Cisco</a>, <a href="https://www.whatsapp.com/">WhatsApp</a>, <a href="https://discord.com/">Discord</a>, and <a href="https://www.klarna.com/se/">Klarna</a> for mission critical ...
|
| 1/31/26 |
<p>The Cyber Resilience Act (CRA) is reshaping expectations around open source software, introducing new requirements for security, traceability, and documentation. While maintainers are responsible for technical compliance, community managers play a critical but often overlooked role in helping projects adapt. This session is designed for community managers, project maintainers, stewards, and open source contributors interested in practical CRA readiness. The focus is on practical enablement by ...
|
| 1/31/26 |
<p>This panel brings together experts to discuss the practical realities of implementing the CRA steward role, as defined by the regulation, and how organisations are approaching its execution. Panelists will explore how the concept of CRA stewards is being interpreted, what responsibilities are emerging in practice, and the challenges organisations face in preparing for this new function. They will also highlight which elements remain unclear, what support or guidance is still needed, and how ...
|
| 1/31/26 |
<p>Security teams are currently drowning in vulnerability data, but the Vulnerability Exploitability eXchange (VEX) offers a solution by providing machine-readable clarity on which exploits actually matter. This technology is rapidly evolving from a "nice-to-have" efficiency tool into a critical compliance enabler for the EU Cyber Resilience Act (CRA), which mandates effective vulnerability handling for the European market.</p> <p>In this session, Georg and Rao present the findings from the VEX ...
|
