Embedded Systems Blog

Regulation to Revenue: Turning CRA Into a Business Win

May 17th, 2025 No comments

While preparing our new Cyber Resilience Act (CRA) training classes and working with customers tackling CRA requirements, we’ve often encountered a sense of reluctance. The regulation is new, and the workload can seem daunting. But we’ve also seen how those who engage early start to discover real advantages. That’s why we want to share not just the obligations, but also the positive side of CRA compliance.

The CRA is reshaping how digital products are developed and integrated in the European market. Forward-looking component vendors are turning CRA readiness into a commercial advantage. For suppliers of embedded systems, firmware modules, or sub-systems used in larger machines, early alignment offers a real competitive edge.

Turning Compliance into a Market Differentiator

The CRA applies to “products with digital elements”, so all components with software or connectivity. OEMs and system integrators, responsible for CRA conformity of their products, will seek suppliers who make compliance easier.

If you offer CRA-ready components with complete documentation, like technical files, SBOMs, support periods, vulnerability processes or voluntarily the entire risk assessment, then you reduce risk and speed up certification for your customer. That makes you a preferred supplier.

This is especially important for embedded vendors: CAN-based modules, industrial sensors, smart controllers, security gateways, they are all in scope. If your documentation is ready, you’re ahead of the competition.

The Shift Has Already Begun

Full CRA enforcement begins in December 2027, but purchasing departments will soon start auditing suppliers about planned compliance. Early adopters have a window to build long-term relationships based on trust and readiness.

Customers will soon ask:

  • Do you have a CRA technical file?
  • Can you provide an SBOM?
  • How and for how long will you provide updates?
  • What’s your vulnerability disclosure process?

If you can answer swiftly and confidently, your product becomes more than compliant, it becomes attractive.

Defense in Depth Starts at the Component Level

CRA embeds specific cybersecurity principles, especially defense in depth: limiting attack surfaces, managing access, validating inputs, secure updates, and ongoing vulnerability management.

Even minor components can be attack vectors. An unmaintained module or undocumented interface can compromise a full system. Your customers want components that help them build secure systems. Your documentation must show that you’re part of the solution.

Short-Term Effort, Long-Term Advantage

Yes, CRA adds some effort:

  • Documenting processes
  • Clarifying support periods
  • Generating SBOMs
  • Setting up secure update mechanisms

But these are reusable across product lines. And they become selling points:

“We provide a pre-filled CRA technical file, saving you time and audit effort.”

Soon, CRA alignment will be part of RFQs, especially in regulated industries. Early movers will already have what’s needed.

How to Start Now

You don’t need a full conformity assessment yet. Start with these:

  1. Draft the basic technical documentation: risk analysis, update policy, SBOM, and contact point.
  2. Educate your team: make sure product and sales staff can explain how you support CRA obligations.
  3. Label your products: terms like “CRA-ready” or “CRA-aligned” will gain traction fast.

Conclusion: Be the Easy Choice

CRA isn’t just a legal requirement, it’s a new trust signal. Vendors who invest in documentation and defense in depth today won’t just be compliant, they’ll be strategic partners.

Integrators will ask: does your component help us get CRA-certified?

If the answer is yes, you’re the easy choice.

If you want to stay updated on our upcoming CRA training classes, follow us on LinkedIn or check this blog regularly. We’ll share practical tips, updates, and announce training availability as we go live.

Upcoming NXP / EmSA / CANopen (FD) Webinar and Videos

April 16th, 2020 Comments off

NXP and EmSA are inviting you to the one-hour seminar “Accelerate Development of Robust Network Communications with CANopen and CANopen FD” on Tuesday April 21st 2020. This webinar is a hands-on session about customized CANopen (FD) development on NXP MCUs.

In the hands-on part, we take the CANopen (FD) device/slave example included with the NXP MCUXpresso SDK and use the free CANopen Architect Mini software utility to modify and configure the CANopen (FD) communication of the device. Code modifications are made using the MCUXpresso SDK to support the custom generated CANopen (FD) object dictionary entries. Click here to register for this webinar.

The webinar requires some basic CANopen (FD) and MCUXpresso knowledge. See our courses at www.em-sa.com/video to learn the basics about these technologies.

Training and event paper presentation videos online

February 13th, 2020 Comments off

Over the last years we published more than 50 articles, papers, books, webinars and we also continuously updated our training materials. However, some of the training material and especially scientific papers only reach a small percentage of the embedded community. Therefore we decided to publish more free educational videos to reach more of you. As a start we created several playlists on our EmSA Youtube channel. These include:

  • CANopen FD Intro:
    Introductory videos to CANopen FD, also covering some basics like an introduction to the CANopen Object Dictionary concept
  • CAN (FD) Security:
    Video collection about CAN and CAN FD security challenges and solutions
  • MCUXpresso Middleware:
    Video collection about NXP’s MCUXpresso and CANopen libraries included

We plan to publish more videos in the upcoming month, further focusing on CAN, CAN FD, CANopen, CANopen FD topics including introductory videos as well as in-depth technology classes.

Please subscribe to the channel to stay informed about new videos published.

Secure CANcrypt CAN FD Bootloader for NXP LPC546xx

June 15th, 2017 Comments off

Together with NXP, the Embedded Systems Academy implements a secure CAN FD bootloader based on the CANcrypt security protocols. The bootloader will be available to users of the LPC546xx as a free download. It is a “secondary bootloader”, meaning that it only provides security for the added bootloading channel, in this case the CAN FD interface. Someone with physical access to the LPC546xx will always be able to use the primary, on-chip bootloader to re-flash the device with any code.

The security system of the bootloader uses two security levels, each based on a symmetric key (default 128-bit, up to 1024-bit optional).

  1. On the CAN FD communication level, the CANcrypt protocol (www.cancrypt.eu) is used to ensure that only an authorized communication partner can activate the bootloader, erase the flash memory and send new code to the LPC546xx. The CANcrypt connection key used for this level is generated by the system builder or integrator that initially assembles the entire system.
  2. On the file transfer level, the file containing the new code to be loaded is encrypted using an encryption and authentication method based on a code protection key that gets programmed into the LPC546xx at the same time as the bootloader is installed (typically at manufacturer end-of-line assembly and test).

Figure: Secure bootloader security levels

These two levels ensure a separation of the security features between manufacturer and system integrator/builder or service technician. Only an authorized technician will be able to connect his diagnostic device or software to the bootloader. But at this security level alone it will not be possible to generate authorized firmware; that requires an additional key known only to the manufacturer.
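The key separation described above can be modelled in a few lines. This is an added example, not code from the bootloader or from CANcrypt: HMAC-SHA256 stands in for the unnamed ciphers, image encryption is left out, and the class, function and label names are hypothetical.

```python
import hashlib
import hmac
import os

def tag(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in here; the page does not name the real ciphers.
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()

class Bootloader:
    def __init__(self, connection_key: bytes, code_key: bytes):
        self.connection_key = connection_key  # level 1: set by the integrator
        self.code_key = code_key              # level 2: programmed end-of-line
        self.nonce = None
        self.session_open = False
        self.flash = b"factory image"

    def challenge(self) -> bytes:
        self.nonce, self.session_open = os.urandom(16), False
        return self.nonce

    def open_session(self, response: bytes) -> bool:
        nonce, self.nonce = self.nonce, None  # each challenge is single-use
        self.session_open = nonce is not None and hmac.compare_digest(
            response, tag(self.connection_key, b"connect", nonce))
        return self.session_open

    def load(self, image: bytes, image_tag: bytes) -> str:
        if not self.session_open:
            return "rejected: no authorized session"
        if not hmac.compare_digest(image_tag, tag(self.code_key, b"firmware", image)):
            return "rejected: image not authenticated by manufacturer key"
        self.flash = image  # model choice: write only after both checks pass
        return "accepted"

def demo() -> dict:
    conn_key, code_key = os.urandom(16), os.urandom(16)  # constructed 128-bit keys
    dev = Bootloader(conn_key, code_key)
    image = b"constructed firmware v2"
    vendor_tag = tag(code_key, b"firmware", image)       # made by the manufacturer
    out = {"no_session": dev.load(image, vendor_tag)}
    out["wrong_key"] = dev.open_session(tag(code_key, b"connect", dev.challenge()))
    out["technician"] = dev.open_session(tag(conn_key, b"connect", dev.challenge()))
    # The technician holds only conn_key, so a self-made image tag must fail.
    out["own_image"] = dev.load(b"unofficial", tag(conn_key, b"firmware", b"unofficial"))
    out["vendor_image"] = dev.load(image, vendor_tag)
    return out

if __name__ == "__main__":
    print(demo())
```
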

If you want to learn more about this bootloader, register now for the webinar (Thursday, June 29, 5:00 PM – 6:00 PM CEST) on the NXP website at: http://www.nxp.com/support/training-events/online-academy/lpc54000-series-online-training:LPC54000-Series-Online-Training

The version for free download is binary only and will use pre-selected cipher algorithms and a fixed default configuration for parameters like CAN FD bit rates, CAN IDs, timings and timeouts. The full source code is available from Embedded Systems Academy, giving users full control over all configurations and cipher algorithms used.

What CAN you accomplish with CAN-FD? – A Two-Part Webinar Series

May 17th, 2017 Comments off

NXP offers a Two-Part Webinar based on the LPC54000 series about CAN-FD and secure bootloaders.

Part I: “An intro to CAN-FD” will be held on Thursday, May 25, 5:00 PM – 6:00 PM CEST.
In this webinar CAN bus expert Andy Ayre from Embedded Systems Academy will give you a technical overview of the improvements and benefits of CAN-FD over classic CAN, and how to specifically leverage this new technology on the LPC54618 MCU.

Part II: “CAN stack porting and secure bootloaders” will be held on Thursday, June 29, 5:00 PM – 6:00 PM CEST.
Experts from Embedded Systems Academy explain the requirements for an implementation of secure and non-secure bootloaders in CAN and CAN-FD systems – leveraging the LPC546xx MCU family as an example.

Register now for these events on the NXP website at: http://www.nxp.com/support/training-events/online-academy/lpc54000-series-online-training:LPC54000-Series-Online-Training