{"id":80347,"date":"2026-03-19T15:55:38","date_gmt":"2026-03-19T14:55:38","guid":{"rendered":"https:\/\/fhi.nl\/?post_type=news&#038;p=80347"},"modified":"2026-03-19T16:30:23","modified_gmt":"2026-03-19T15:30:23","slug":"80347","status":"publish","type":"news","link":"https:\/\/fhi.nl\/en\/news\/80347\/","title":{"rendered":"Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development"},"content":{"rendered":"<header id=\"header\" class=\"header header--low\">\n\n\t\n\t\t\t<div class=\"header__background header__background--graphic\"><\/div>\n\t\n\t<div class=\"container\">\n\t\t<div class=\"header__content\">\n\t\t\t<div class=\"header__first header__first--alone\">\n\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h6 class=\"header__subtitle\">By Bram Blaauwendraad, Bureau Veritas<\/h6>\n\t\t\t\t\n\t\t\t\t<h1 class=\"header__title\" >\n\t\t\t\t\tEngineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development\t\t\t\t<\/h1>\n\n\t\t\t\t\n\t\t\t\t\n\t\t\t<\/div>\n\n\t\t\t\n\t\t<\/div>\n\t<\/div>\n<\/header>\n\n\n\n\n\n<div class=\"text bg--offwhite\">\n\t<div class=\"container\">\n\t\t\t\t\t\t<div class=\"text__content text__content--1-col\">\n\t\t\t<p>This guest post by Bram Blaauwendraad (Bureau Veritas) focuses on the engineering side of CRA readiness, especially for embedded systems. It highlights four practical areas where teams can make the biggest impact.<\/p>\n<p><b><span style=\"color: black;\">1. Make secure development practical for engineers<\/span><\/b><\/p>\n<p><span style=\"color: black;\">The CRA expects products to be secure by design and by default, but in practice this only works if developers know what that actually means in their day-to-day work. It helps to define a small, consistent set of secure development practices that apply across all products, regardless of their classification, and make these easy to find and use. Think of guidance that is embedded in engineering workflows rather than sitting in policy documents.<\/span><\/p>\n<p><span style=\"color: black;\">Training and tooling are key here. Integrating checks into IDEs, pipelines, and templates makes it much easier to follow the right practices by default. In our experience, organizations that operationalize security in this way move much faster towards CRA compliance than those that rely on policy alone.<\/span><\/p>\n<p><b><span style=\"color: black;\">2. Assess Full Solutions<\/span><\/b><\/p>\n<p><span style=\"color: black;\">Although the CRA seems to focus on transactional products (e.g. if you sell a phone, it needs to be secure), in reality many organizations deliver integrated solutions made up of multiple components. From a risk perspective, the final solution is what matters. 
This means you need to understand how components interact and what risks emerge when they are combined, especially in engineering-to-order (ETO) scenarios.<\/span><\/p>\n<p><span style=\"color: black;\">When a client asks you to deviate from a reference architecture, it is good practice to perform a \u201cdeviation risk assessment\u201d on what has changed and why it matters. The CRA also requires products to be secure by default, so if a customer requests a change that weakens security, that risk should be clearly documented and agreed. In some cases, organizations choose to formally transfer that risk through contractual arrangements, but the key point is transparency and traceability.<\/span><\/p>\n<p><b><span style=\"color: black;\">3. Maintain clear Software and Hardware BOMs<\/span><\/b><\/p>\n<p><span style=\"color: black;\">The CRA puts strong emphasis on handling vulnerabilities throughout the product lifecycle, not just before release. This includes identifying components, monitoring for vulnerabilities, and providing timely fixes. In practice, this means you need a clear view of what is inside your product, including third-party software and hardware.<\/span><\/p>\n<p><span style=\"color: black;\">Maintaining a Software Bill of Materials, and where relevant a Hardware BOM, makes this much more manageable. It allows you to track newly disclosed vulnerabilities and assess their impact quickly. Organizations that already have structured processes for monitoring CVEs and distributing patches will find themselves in a much better position when the CRA requirements become fully enforceable.<\/span><\/p>\n<p><b><span style=\"color: black;\">4. Threat Modeling as part of risk assessment<\/span><\/b><\/p>\n<p><span style=\"color: black;\">A well-documented cybersecurity risk assessment is at the heart of CRA compliance. It should describe how the product is used, what assets need protection, and which risks are relevant in its expected environment. 
In practice, this often takes the form of threat modeling combined with architectural documentation of security controls, data flows, and trust boundaries.<\/span><\/p>\n<p><span style=\"color: black;\">This is not just a one-off. The risk assessment needs to be maintained over time and updated periodically or when new vulnerabilities or changes arise. It also becomes an important piece of evidence during conformity assessments or after incidents. Organizations that invest in this early tend to have a much clearer and more defensible security posture later on. Threat Modeling is generally something that engineers can excel at, as they know the technical details of their products intimately, although there tends to be a small learning curve.<\/span><\/p>\n<p><em>Bram Blaauwendraad and his colleague Gaurav Raina (Bureau Veritas) are keynote speakers at the D&amp;E event. You can register for the event free of charge at: <a href=\"https:\/\/fhi.nl\/en\/dene\/\" target=\"_blank\" rel=\"noopener\">fhi.nl\/dene<\/a>.<\/em><\/p>\n\t\t<\/div>\n\t<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"featured_media":0,"template":"","branches":[],"events":[361],"secretariat":[],"categories":[],"themes_tax":[515],"content_types":[526],"class_list":["post-80347","news","type-news","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development - FHI, federatie van technologiebranches<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/fhi.nl\/en\/nieuws\/80347\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Engineering 
Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development - FHI, federatie van technologiebranches\" \/>\n<meta property=\"og:url\" content=\"https:\/\/fhi.nl\/en\/nieuws\/80347\/\" \/>\n<meta property=\"og:site_name\" content=\"FHI, federatie van technologiebranches\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-19T15:30:23+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/fhi.nl\/nieuws\/80347\/\",\"url\":\"https:\/\/fhi.nl\/nieuws\/80347\/\",\"name\":\"Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development - FHI, federatie van technologiebranches\",\"isPartOf\":{\"@id\":\"https:\/\/fhi.nl\/#website\"},\"datePublished\":\"2026-03-19T14:55:38+00:00\",\"dateModified\":\"2026-03-19T15:30:23+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/fhi.nl\/nieuws\/80347\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/fhi.nl\/nieuws\/80347\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/fhi.nl\/nieuws\/80347\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/fhi.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Nieuws\",\"item\":\"https:\/\/fhi.nl\/nieuws\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/fhi.nl\/#website\",\"url\":\"https:\/\/fhi.nl\/\",\"name\":\"FHI, federatie van technologiebranches\",\"description\":\"Nederlandse branchevereniging voor 
technologiebranches\",\"publisher\":{\"@id\":\"https:\/\/fhi.nl\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/fhi.nl\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/fhi.nl\/#organization\",\"name\":\"FHI, federatie van technologiebranches\",\"url\":\"https:\/\/fhi.nl\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/fhi.nl\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/fhi.nl\/app\/uploads\/2024\/06\/3-e1722349014385.png\",\"contentUrl\":\"https:\/\/fhi.nl\/app\/uploads\/2024\/06\/3-e1722349014385.png\",\"width\":732,\"height\":136,\"caption\":\"FHI, federatie van technologiebranches\"},\"image\":{\"@id\":\"https:\/\/fhi.nl\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/fhi-federation-of-technology-branches\",\"https:\/\/www.instagram.com\/fhi_nl\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development - FHI, Federation of Technology Industries","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/fhi.nl\/en\/nieuws\/80347\/","og_locale":"en_GB","og_type":"article","og_title":"Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development - FHI, federatie van technologiebranches","og_url":"https:\/\/fhi.nl\/en\/nieuws\/80347\/","og_site_name":"FHI, federatie van technologiebranches","article_modified_time":"2026-03-19T15:30:23+00:00","twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/fhi.nl\/nieuws\/80347\/","url":"https:\/\/fhi.nl\/nieuws\/80347\/","name":"Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development - FHI, Federation of Technology Industries","isPartOf":{"@id":"https:\/\/fhi.nl\/#website"},"datePublished":"2026-03-19T14:55:38+00:00","dateModified":"2026-03-19T15:30:23+00:00","breadcrumb":{"@id":"https:\/\/fhi.nl\/nieuws\/80347\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/fhi.nl\/nieuws\/80347\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/fhi.nl\/nieuws\/80347\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/fhi.nl\/"},{"@type":"ListItem","position":2,"name":"Nieuws","item":"https:\/\/fhi.nl\/nieuws\/"},{"@type":"ListItem","position":3,"name":"Engineering Secure\u2011by\u2011Design Systems: Practical Patterns for CRA\u2011Compliant Product Development"}]},{"@type":"WebSite","@id":"https:\/\/fhi.nl\/#website","url":"https:\/\/fhi.nl\/","name":"FHI, 
federation of technology industries","description":"Dutch trade association for technology industries","publisher":{"@id":"https:\/\/fhi.nl\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/fhi.nl\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/fhi.nl\/#organization","name":"FHI, federation of technology industries","url":"https:\/\/fhi.nl\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/fhi.nl\/#\/schema\/logo\/image\/","url":"https:\/\/fhi.nl\/app\/uploads\/2024\/06\/3-e1722349014385.png","contentUrl":"https:\/\/fhi.nl\/app\/uploads\/2024\/06\/3-e1722349014385.png","width":732,"height":136,"caption":"FHI, federatie van technologiebranches"},"image":{"@id":"https:\/\/fhi.nl\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/fhi-federation-of-technology-branches","https:\/\/www.instagram.com\/fhi_nl\/"]}]}},"_links":{"self":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news\/80347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news"}],"about":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/types\/news"}],"version-history":[{"count":8,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news\/80347\/revisions"}],"predecessor-version":[{"id":80359,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news\/80347\/revisions\/80359"}],"wp:attachment":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/media?parent=80347"}],"wp:term":[{"taxonomy":"branches","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/branches?post=80347"},{"taxonomy":"events","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/events?post=80347"},{"taxonomy":"secretariat","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/secretariat?post=80347"},{"taxonomy":"c
ategories","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/categories?post=80347"},{"taxonomy":"themes","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/themes_tax?post=80347"},{"taxonomy":"content_types","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/content_types?post=80347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}