{"id":1759,"date":"2026-04-08T10:46:16","date_gmt":"2026-04-08T10:46:16","guid":{"rendered":"https:\/\/www.pickplace.de\/?p=1759"},"modified":"2026-05-04T18:52:10","modified_gmt":"2026-05-04T18:52:10","slug":"cyber-resilience-act-embedded-software","status":"publish","type":"post","link":"https:\/\/www.pickplace.de\/en\/cyber-resilience-act-embedded-software\/","title":{"rendered":"Cyber Resilience Act Embedded Software Article Series"},"content":{"rendered":"<div class=\"wp-block-stackable-heading stk-block-heading stk-block-heading--v2 stk-block stk-a4fb045\" id=\"artikelserie-teil-1-bedeutung-und-einordnung\" data-block-id=\"a4fb045\"><h2 class=\"stk-block-heading__text\">Article Series Part 1: Significance and Classification<\/h2><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The Cyber Resilience Act (CRA), adopted by the EU Council in October 2024, defines for the first time binding cybersecurity requirements for digital products and ties them directly to the CE marking. For manufacturers of embedded software and embedded systems, the Cyber Resilience Act thus brings a structural change: cybersecurity is no longer an optional component but a prerequisite for market access. Products with a software component, in particular firmware-driven systems on microcontrollers and microprocessors, will in future have to demonstrate that security requirements have been taken into account across the entire lifecycle. This article explains how the Cyber Resilience Act changes embedded software.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Content<\/h2><nav><ul><li class=\"\"><a href=\"#e\">Peculiarities of Embedded Systems<\/a><\/li><li class=\"\"><a href=\"#bedeutung-des-cra-fur-elektronik-in-produkten-und-geraten\">Cyber Resilience Act for Electronics in Products and Devices<\/a><ul><li class=\"\"><a href=\"#tara-und-stride\">TARA and STRIDE<\/a><\/li><li class=\"\"><a href=\"#schutzmassnahmen-in-abhangigkeit-von-auswirkungen\">Protective measures as a function of impact<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#die-vier-saulen-von-cyber-resilience-in-embedded-systems\">The Four Pillars of Cyber Resilience in Embedded Systems<\/a><\/li><li class=\"\"><a href=\"#m\">Measures Overview<\/a><\/li><li class=\"\"><a href=\"#zusammenfassung\">Summary<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<div class=\"wp-block-stackable-columns stk-block-columns stk-block stk-e341cf3\" data-block-id=\"e341cf3\"><style>.stk-e341cf3 {border-top-left-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;border-top-right-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;border-bottom-right-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;border-bottom-left-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;overflow:hidden !important;}<\/style><div class=\"stk-row stk-inner-blocks stk-block-content stk-content-align stk-e341cf3-column\">\n<div class=\"wp-block-stackable-column stk-block-column stk-column stk-block stk-4606a65 stk-block-background\" data-v=\"4\" data-block-id=\"4606a65\"><div class=\"stk-column-wrapper stk-block-column__content stk-container stk-4606a65-container stk--no-background stk--no-padding\"><div class=\"stk-block-content stk-inner-blocks stk-4606a65-inner-blocks\">\n<p class=\"wp-block-paragraph\">This article is part of our \u201eCyber Resilience Act 
Embedded Software\u201c article series. The following parts have already been published:<\/p>\n\n\n\n<div class=\"wp-block-stackable-icon-list stk-block-icon-list stk-block stk-e4c58ff\" data-block-id=\"e4c58ff\"><style>.stk-e4c58ff {--stk-icon-list-marker-color:var(--theme-palette-color-1, #EE4B6A) !important;}<\/style><svg style=\"display:none\"><defs><g id=\"stk-icon-list__icon-svg-def-e4c58ff\"><svg xmlns=\"https:\/\/www.w3.org\/2000\/svg\" viewbox=\"0 0 512 512\"><path d=\"M256 0c4.6 0 9.2 1 13.4 2.9L457.7 82.8c22 9.3 38.4 31 38.3 57.2c-.5 99.2-41.3 280.7-213.6 363.2c-16.7 8-36.1 8-52.8 0C57.3 420.7 16.5 239.2 16 140c-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256 0z\"><\/path><\/svg><\/g><\/defs><\/svg><ul class=\"stk-block-icon-list__ul stk-block-icon-list--column\">\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-6dd44ce\" data-block-id=\"6dd44ce\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\"><a href=\"https:\/\/www.pickplace.de\/en\/hub\/cyber-resilience-act-embedded-software\/\">Meaning and Classification (this page)<\/a><\/span><\/div><\/li>\n\n\n\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-53fa3a8\" data-block-id=\"53fa3a8\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\"><a href=\"https:\/\/www.pickplace.de\/en\/hub\/spoofing-and-tampering-attacks-in-bus-systems\/\" data-type=\"post\" data-id=\"2001\">Spoofing and Tampering Attacks in Bus 
Systems<\/a><\/span><\/div><\/li>\n\n\n\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-34c08cc\" data-block-id=\"34c08cc\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\">Zero-Trust Communication on Low-Level Bus Systems<\/span><\/div><\/li>\n\n\n\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-d1fe372\" data-block-id=\"d1fe372\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\">Anti-Denial-of-Service Measures for Peripherals<\/span><\/div><\/li>\n\n\n\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-529c437\" data-block-id=\"529c437\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\">Secure updates via communication buses<\/span><\/div><\/li>\n<\/ul><\/div>\n<\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The CRA does not address isolated IT systems, but rather physical devices with integrated software \u2013 in other words, classic embedded designs. Compliance with these requirements will become mandatory starting October 2026. 
This leaves manufacturers with a limited two-year window to adapt development processes, architectural decisions, and security concepts to demonstrably ensure both software integrity and system resilience against attacks. The EU Council's press release on the Cyber Resilience Act can be found <a href=\"https:\/\/www.consilium.europa.eu\/de\/press\/press-releases\/2024\/10\/10\/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products\/\" target=\"_blank\" rel=\"noreferrer noopener\">at the following link<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For manufacturers of electronics and embedded systems, this means they will have to adapt their development and production processes over the next two years to integrate the new security standards. Previously, the CE marking primarily referred to physical safety aspects, such as electrical safety or freedom from health hazards. The CRA adds new requirements to ensure that digital products containing software and hardware components are also protected against cyberattacks. In the future, manufacturers will also have to prove that they have taken measures to ensure IT security before they can affix the CE mark. This last point often primarily concerns the IT and OT of companies, and many companies have already become active in this area in recent years.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"e\">Peculiarities of Embedded Systems<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Embedded systems are function-bound computing units that take on specific tasks within an overall technical system, typically in the form of microcontroller- or microprocessor-based architectures, either as a bare-metal implementation or on top of an RTOS. Their behavior is designed to be deterministic, since they frequently perform time-critical open- and closed-loop control functions. In networked use, for instance via CAN, Ethernet, or industrial fieldbuses, they become part of complex system landscapes and are thus also potentially attackable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This results in a close coupling of functional safety (safety) and <a href=\"https:\/\/www.pickplace.de\/en\/embedded-systems-cybersecurity\/\" data-type=\"page\" data-id=\"954\">Cyber Security<\/a> (Security): While safety ensures that the system assumes defined states even in the event of errors, security addresses targeted external manipulation. Since embedded systems interact directly with physical processes, successful attacks or malfunctions can cause real-world damage\u2014from system failures to critical endangerment of people and infrastructure. Accordingly, the focus is on controllable system behavior, robust architecture, and the security of all relevant interfaces.<\/p>\n\n\n\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-612aa43\" data-block-id=\"612aa43\"><style>.stk-612aa43 .stk-img-figcaption{text-align:center !important;}.stk-612aa43 .stk-img-wrapper{width:70% !important;}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-1761\" src=\"https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/image.png\" width=\"825\" height=\"725\" alt=\"Cyber Resilience Act Annex III - This section specifically lists product categories classified as security-relevant, which are therefore subject to stricter requirements.\" srcset=\"https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/image.png 825w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/image-300x264.png 300w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/image-768x675.png 768w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/image-14x12.png 14w\" sizes=\"auto, (max-width: 825px) 100vw, 825px\"\/><\/span><figcaption class=\"stk-img-figcaption\"><em>Cyber Resilience Act Annex III<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Annex III<\/strong> of the Cyber Resilience Act specifically lists product categories that are classified as security-relevant and are therefore subject to stricter requirements. These include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network interfaces<\/li>\n\n\n\n<li>Firewalls<\/li>\n\n\n\n<li>Microcontrollers<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">and additionally:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CPUs<\/li>\n\n\n\n<li>\u201eSecure Elements\u201c<\/li>\n\n\n\n<li>Operating Systems<\/li>\n\n\n\n<li>Industrial Firewalls<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These components form central building blocks of networked systems and are particularly relevant for cybersecurity and system integrity due to their function.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bedeutung-des-cra-fur-elektronik-in-produkten-und-geraten\">Cyber Resilience Act for Electronics in Products and Devices<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">First things first: <strong>Manufacturers of devices based on microcontrollers and microprocessors must do something! <\/strong>The Cyber Resilience Act and embedded software are usually strongly related. Even more so: The Cyber Resilience Act will significantly shape embedded software and the related architecture.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"tara-und-stride\">TARA and STRIDE<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A central initial framework for action is the implementation of a <strong>Threat and Risk Assessment (TARA)<\/strong> to identify and assess potential security vulnerabilities. Manufacturers must assess which attacks and exploits can occur on the device, regardless of the attacker's motives. 
The focus is on programmable hardware and on-board communication interfaces.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Manufacturers often lack a method for the structured analysis of attack scenarios. However, many IT security methods can also be applied to electronics, in some cases with compromises. For example, attack scenarios can be classified using the <strong>STRIDE<\/strong> method, which covers typical threats such as spoofing, tampering, repudiation, information disclosure, denial-of-service attacks, and unauthorized elevation of privilege.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"schutzmassnahmen-in-abhangigkeit-von-auswirkungen\">Protective measures as a function of impact<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Protective measures are specific to each device and should be balanced against <strong>engineering costs<\/strong> and the possible impact (single device \/ many devices \/ all devices). Nevertheless, there are must-haves for manufacturers of devices with electronics and embedded systems that every R&amp;D department should reasonably have on its agenda in the coming years.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"die-vier-saulen-von-cyber-resilience-in-embedded-systems\">The Four Pillars of Cyber Resilience in Embedded Systems<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Embedded systems are present in practically all commercially available products, such as industrial sensors, control technology, or camera systems. Even household appliances like washing machines and fully automatic coffee machines incorporate microcontroller-based controls. This places practically all distributors and manufacturers of \u201esmarter\u201c systems under an obligation to implement measures.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The four pillars of secure embedded software are the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Zero-Trust Communication<\/li>\n\n\n\n<li>Anti-Denial-of-Service Measures<\/li>\n\n\n\n<li>Secure updates<\/li>\n\n\n\n<li>Key Management<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-176c744\" data-block-id=\"176c744\"><style>.stk-176c744 .stk-img-figcaption{text-align:center !important;}.stk-176c744 .stk-img-wrapper{width:70% !important;}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-1765\" src=\"https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-scaled.png\" width=\"2560\" height=\"1745\" alt=\"Cyber Resilience Act Embedded Software - 4 Pillars\" srcset=\"https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-scaled.png 2560w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-300x204.png 300w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-1024x698.png 1024w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-768x523.png 768w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-1536x1047.png 1536w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-2048x1396.png 2048w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/04\/cyber-security-cra-18x12.png 18w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\"\/><\/span><figcaption class=\"stk-img-figcaption\"><em>Cyber Resilience Act Embedded Software \u2013 4 Pillars of Action Planning<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"m\">Measures Overview<\/h2>\n\n\n\n<p 
class=\"wp-block-paragraph\">So how does the Cyber Resilience Act affect embedded software?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Implementing zero-trust communication is an approach to prevent spoofing attacks. Spoofing describes the attempt to inject false identities or fake data in the form of messages into the system. To prevent this, the zero-trust principle is applied, where every communication attempt is fundamentally considered potentially insecure. There are two essential approaches to implement this. The first is the complete encryption of messages, so that only authorized participants can read the communication. The second approach is secure hashing, where tamper-proof cryptographic hashes are created to ensure the integrity of the messages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Protection against Denial-of-Service (DoS) attacks is particularly problematic where thread handling is weak. DoS attacks aim to render systems inoperable by overwhelming them, which is especially dangerous for embedded systems on critical communication buses such as Modbus, CAN, Profibus, or RS-485. An attacker could infiltrate the bus and \u201eflood\u201c these systems with an overload of data, disabling them. This applies regardless of whether the communication itself is secured. Anti-DoS mechanisms must ensure that such attacks are detected and repelled early on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, systems must have secure mechanisms to receive software updates and ensure that only authorized and intact software is used. In embedded systems, updates are often transmitted unencrypted or without adequate protective measures, which poses a significant risk. Flash images should therefore always be transmitted encrypted to prevent manipulation. Cryptographically relevant functions should be stored in secured TrustZones or encrypted in flash memory. 
Additionally, a secure boot process ensures that the system only starts from trusted software.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, the management of cryptographic keys on the build and device sides is enormously important. These keys are used for data encryption and authentication and must be stored securely on both the device and the development side. On the development side, keys are managed securely, with access to them strictly restricted. For secure transmission of the keys via bus protocols, encrypted and authenticated mechanisms must be used to ensure that no unauthorized party can access the keys, even in insecure environments.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"zusammenfassung\">Summary<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Cyber Resilience Act will change embedded systems in any case. This results in concrete measures on the one hand. On the other hand, cybersecurity for products with digital elements is a continuous development process from requirements, architecture, and implementation to verification, penetration testing, updates, and vulnerability management. The CRA strengthens precisely this lifecycle approach, making TARA, security requirements, and regular re-assessment cycles an integral part of product maintenance.<br><\/p>","protected":false},"excerpt":{"rendered":"<p>Article Series Part 1: Significance and Classification The Cyber Resilience Act (CRA), adopted by the EU Council in October 2024, defines for the first time binding cybersecurity requirements for digital products and ties them directly to the CE marking. For manufacturers of embedded software and embedded systems, the Cyber Resilience Act thus brings a structural change: cybersecurity is no longer an optional component, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1896,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37,41,32],"tags":[],"class_list":["post-1759","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-resilience-act","category-artikelserie-cra","category-cysec"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts\/1759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/comments?post=1759"}],"version-history":[{"count":12,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts\/1759\/revisions"}],"predecessor-version":[{"id":2034,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts\/1759\/revisions\/2034"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/media\/1896"}],"wp:attachment":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/media?parent=1759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/categories?post=1759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/tags?post=1759"}],"curies":[{"name":"WP","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}