Why the EU Cyber Resilience Act is Important

Episode 60: Better Built By Burkhard

Dear Reader,

Will you release an embedded device within the next 2.5 years? Of course, you will, because otherwise you will be out of business soon.

Will you support the device after 11 December 2027? Of course, you will, because otherwise developing the device won’t be worth it.

Then you had better make sure right now that your board, SoC, Linux system and applications satisfy the essential requirements related to product properties and to vulnerability handling (Annex I). If you need hardware modifications to comply with the requirements, you should select different hardware. If your board vendor has a history of providing out-of-date Linux systems, you should select a different vendor. Following this advice will save you a lot of time and money. You are welcome 🙏

The essential requirements of the EU CRA are not “yet another lunacy from Brussels”. They help you make security incidents very unlikely and avoid high damages. I explain how the essential requirements would have prevented the CrowdStrike update fiasco. The requirements make a lot of sense but also take considerable time to implement. Act now to avoid resource bottlenecks closer to the penalty date: 11 December 2027.

Enjoy reading,
Burkhard 💜
