Embedded Systems Academy

Turning Compliance into a Market Differentiator

The Shift Has Already Begun

Full CRA enforcement begins in December 2027, but purchasing departments will already soon start auditing suppliers about planned compliance. Early adopters have a window to build long-term relationships based on trust and readiness.

Customers will soon ask:

• Do you have a CRA technical file?
• Can you provide an SBOM?
• How and for how long will you provide updates?
• What’s your vulnerability disclosure process?

If you can answer swiftly and confidently, your product becomes more than compliant, it becomes attractive.

Defense in Depth Starts at the Component Level

CRA embeds specific cybersecurity principles, especially defense in depth: limiting attack surfaces, managing access, validating inputs, secure updates, and ongoing vulnerability management.

Even minor components can be attack vectors. An unmaintained module or undocumented interface can compromise a full system. Your customers want components that help them build secure systems. Your documentation must show that you’re part of the solution.

Short-Term Effort, Long-Term Advantage

Yes, CRA adds some effort:

• Documenting processes
• Clarifying support periods
• Generating SBOMs
• Setting up secure update mechanisms

But these are reusable across product lines. And they become selling points:
“We provide a pre-filled CRA technical file, saving you time and audit effort.”
Soon, CRA alignment will be part of RFQs, especially in regulated industries. Early movers will already have what’s needed.

How to Start Now

You don’t need a full conformity assessment yet. Start with these:

1. Draft the basic technical documentation: risk analysis, update policy, SBOM, and contact point.
2. Educate your team: make sure product and sales staff can explain how you support CRA obligations.
3. Label your products: terms like “CRA-ready” or “CRA-aligned” will gain traction fast.

Conclusion: Be the Easy Choice

CRA isn’t just a legal requirement, it’s a new trust signal. Vendors who invest in documentation and defense in depth today won’t just be compliant, they’ll be strategic partners.

Integrators will ask: does your component help us get CRA-certified?

If the answer is yes, you’re the easy choice.

If you want to stay updated on our upcoming CRA training classes, follow us on LinkedIn or check this blog regularly. We’ll share practical tips, updates, and announce training availability as we go live.

NXP and EmSA are inviting you to the one hour seminar “Accelerate Development of Robust Network Communications with CANopen and CANopen FD” on Tuesday April 21st 2020. This webinar is a hands-on session about customized CANopen (FD) development on NXP MCUs.

In the hands-on part, we take the CANopen (FD) device/slave example included with the NXP MCUXpresso SDK and use the free CANopen Architect Mini software utility to modify and configure the CANopen (FD) communication of the device. Code modifications are made using the MCUXpresso SDK to support the custom generated CANopen (FD) object dictionary entries. Click here to register for this webinar.

The webinar requires some basic CANopen (FD) and MCUXpresso knowledge. See our courses at www.em-sa.com/video to learn the basics about these technologies.

Over the last years we published more than 50 articles, papers, books, webinars and we also continuously updated our training materials. However, some of the training material and especially scientific papers only reach a small percentage of the embedded community. Therefore we decided to publish more free educational videos to reach more of you. As a start we created several playlists on our EmSA Youtube channel. These include:

• CANopen FD Intro:
  Introductory videos to CANopen FD, also covering some basics like an introduction to the CANopen Object Dictionary concept
• CAN (FD) Security:
  Video collection about CAN and CAN FD security challenges and solutions
• MCUXpresso Middleware:
  Video collection about NXP’s MCUXpresso and CANopen libraries included

We plan to publish more videos in the upcoming month, further focusing on CAN, CAN FD, CANopen, CANopen FD topics including introductory videos as well as in-depth technology classes.

Please subscribe to the channel to stay informed about new videos published.

Together with NXP, the Embedded Systems Academy implements a secure CAN FD bootloader based on the CANcrypt security protocols. The bootloader will be available to users of the LPC546xx as free download. It is a “secondary bootloader”, meaning that it only provides security for the added bootloading channel, in this case the CAN FD interface. Someone with physical access to the LPC546xx will always be able to use the primary, on-chip bootloader to re-flash the device with any code.

The security system of the bootloader uses two security levels, each based on a symmetric key (default 128bit, up to 1024bit optional).

1. On the CAN FD communication level, the CANcrypt protocol (www.cancrypt.eu) is used to ensure that only an authorized communication partner can activate the bootloader, erase the flash memory and send new code to the LPC546xx. The CANcrypt connection key used for this level is generated by the system builder or integrator that initially assembles the entire system.
2. On the file transfer level, the file containing the new code to be loaded is encrypted using an encryption and authentication method based on a code protection key that gets programmed into the LPC546xx at the same time when the bootloader is installed (typically at manufacturer end-of-line assembly and test).

These two levels ensure a separation of the security features between manufacturer and system integrator/builder or service technician. Only an authorized technician will be able to connect his diagnostic device or software to the bootloader. But at this security level alone it will not be possible to generate authorized firmware, that requires an additional key only known to the manufacturer.

If you want to learn more about this bootloader, register now for the webinar (Thursday, June 29, 5:00 PM – 6:00 PM CEST) on the NXP website at: http://www.nxp.com/support/training-events/online-academy/lpc54000-series-online-training:LPC54000-Series-Online-Training

The version for free download is a binary only and will use a pre-selected cipher algorithms, fixed default configuration for parameters like CAN FD bit rates, CAN IDs and timings and timeouts used. The full source code is available from Embedded Systems Academy, giving users full control over all configurations and cipher algorithms used.

NXP offers a Two-Part Webinar based on the LPC54000 series about CAN-FD and secure bootloaders.

Part I: “An intro to CAN-FD” will be held on Thursday, May 25, 5:00 PM – 6:00 PM CEST.
In this webinar CAN bus expert Andy Ayre from Embedded Systems Academy will give you a technical overview of the improvements and benefits of CAN-FD over classic CAN, and how to specifically leverage this new technology on the LPC54618 MCU.

Part II: “CAN stack porting and secure bootloaders” will be held on Thursday, June 29, 5:00 PM – 6:00 PM CEST.
Experts from Embedded Systems Academy explain the requirements for an implementation of secure and non-secure bootloaders in CAN and CAN-FD systems – leveraging the LPC546xx MCU family as an example.

Register now for these events on the NXP website at: http://www.nxp.com/support/training-events/online-academy/lpc54000-series-online-training:LPC54000-Series-Online-Training