{"id":80427,"date":"2026-03-23T09:42:26","date_gmt":"2026-03-23T08:42:26","guid":{"rendered":"https:\/\/fhi.nl\/?post_type=news&#038;p=80427"},"modified":"2026-03-23T10:41:24","modified_gmt":"2026-03-23T09:41:24","slug":"how-to-make-embedded-systems-and-iot-products-cra-compliant-a-practical-roadmap","status":"publish","type":"news","link":"https:\/\/fhi.nl\/en\/news\/how-to-make-embedded-systems-and-iot-products-cra-compliant-a-practical-roadmap\/","title":{"rendered":"How to Make Embedded Systems and IoT Products CRA-Compliant: A Practical Roadmap"},"content":{"rendered":"<header id=\"header\" class=\"header header--low header--branch\">\n\n\t\n\t\t\t<div class=\"header__background header__background--graphic\"><\/div>\n\t\n\t<div class=\"container\">\n\t\t<div class=\"header__content\">\n\t\t\t<div class=\"header__first\">\n\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 class=\"header__title\" >\n\t\t\t\t\tHow to Make Embedded Systems and IoT Products CRA-Compliant: A Practical Roadmap \t\t\t\t<\/h1>\n\n\t\t\t\t\n\t\t\t\t\n\t\t\t<\/div>\n\n\t\t\t\t\t\t\t<div class=\"header__second\">\n\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"header__branch-logos\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/fhi.nl\/app\/uploads\/2024\/02\/Industriele-elektronica.svg\" class=\"header__branch-logo\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t<\/div>\n\t\t\t\n\t\t<\/div>\n\t<\/div>\n<\/header>\n\n\t<div class=\"header__meta\">\n\t<div class=\"container\">\n\t\t<div class=\"header__meta__category\">\n\n\t\t\t\t\t\t\t<div class=\"header__meta__detail\">\n\t\t\t\t\t<div>Branch<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/fhi.nl\/en\/kennishub\/?_branches_kennishub=industriele-elektronica\" class=\"header__meta__detail--branch\">\n\t\t\t\t\t\t\t\tIndustrial Electronics\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\n\t\t\t\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n<div class=\"text bg--white\">\n\t<div class=\"container\">\n\t\t\t\t\t\t<div class=\"text__content text__content--2-col\">\n\t\t\t<p><strong>The hack at Odido in March 2026 once again highlights the importance of cybersecurity for businesses. In addition to the material damage, which is estimated to run into the millions, the reputational damage to Odido is incalculable. <\/strong><\/p>\n<p><strong>This could happen to your company too, warn Bram Blaauwendraad and Gaurav Raina of the cybersecurity consulting company Veritas.
FHI spoke with both security experts about what companies can do now to get their cybersecurity in order and to become compliant with the Cyber Resilience Act (CRA) in time.<\/strong><\/p>\n<p>The CRA aims to enhance the cybersecurity of digital products and services within the European Union. Bram and Gaurav will deliver a keynote on this new law during the <a href=\"https:\/\/fhi.nl\/en\/dene\/\">D&amp;E event<\/a> on April 14 in Den Bosch. They will focus on its practical application in the business world, drawing on their experience with RED 3.3, the European directive governing the security of radio equipment.<\/p>\n<h2><strong>Ecosystems<\/strong><\/h2>\n<p>As a Senior Security Consultant &amp; Service Lead, Gaurav is well versed in RED 3.3 and uses that knowledge to address the uncertainties surrounding the CRA. \u201cYou can think of RED 3.3 as a narrower precursor to the CRA,\u201d Gaurav explains. \u201cWhile RED focuses mainly on radio equipment, the CRA covers entire ecosystems: devices, software, backend systems, and their interactions. How do you ensure devices communicate securely with each other, even in critical environments? And how do you test devices, apps, and backends responsibly?\u201d<\/p>\n<h2><strong>Act Now<\/strong><\/h2>\n<p>\u201cThe full CRA obligations for placing new products on the EU market apply from 11 December 2027, but the advice is to start preparing now. Not just because it&#039;s &#039;nice&#039; to be compliant, but also to prevent business damage like what recently happened at Odido,\u201d the security specialist continues.
He gives another example: \u201cIn 2021, an unauthenticated reset flaw in Western Digital&#039;s My Book Live led to mass remote wipes of internet-exposed devices \u2013 a lesson in defining support periods, securing default configurations, and executing post-market vulnerability handling, all of which the CRA now makes mandatory (with reporting from 11 Sep 2026).\u201d The examples underline the social relevance of the CRA. \u201cCompanies are willing to act but often lack clear guidance. And that&#039;s exactly what Bram and I want to provide during our presentation at the D&amp;E event.\u201d<\/p>\n<h2><strong>Understanding CRA Standards<\/strong><\/h2>\n<p>A major challenge for industry and Bureau Veritas is the fact that the technical standards have not yet been formally harmonized. Gaurav: \u201cThe CRA works with two types of standards: horizontal and vertical. Horizontal standards are broadly applicable and focus on general principles of cybersecurity. Vertical standards are specific to certain sectors or industries and take into account the unique characteristics and risks associated with them, such as additional rules for healthcare or industrial control systems. The standards are still under development, but the CRA&#039;s legal text has already been finalized. That text forms the basis for our advice.\u201d<\/p>\n<p>The uncertainty surrounding the harmonization of the standards is frustrating, but according to Gaurav, the biggest challenge lies in the supply chain. \u201cCRA assigns manufacturer responsibilities but requires end-to-end assurance across the supply chain. Practically, that means you can&#039;t be compliant if your suppliers aren&#039;t. So as a business owner, you must not only consider your own company but also the compliance of your suppliers.
On top of that, it&#039;s not always clear where the responsibilities lie.\u201d<\/p>\n<h2><strong>Secure By Design<\/strong><\/h2>\n<p>Gaurav&#039;s colleague Bram, who works as a Senior Security Consultant, joins the conversation. \u201cEngineers need clear advice: how do we tackle this? We address this by developing practical documentation for our clients. For example, one CRA requirement is that every product must be &#039;secure by design&#039; at its core. Secure by design means integrating security from the start, for example by performing threat modeling, enforcing secure coding practices, and validating designs through testing. We&#039;ve written a plan that explains, step by step, how to create such a secure design and what a company needs to take into account.\u201d<\/p>\n<p>Bram continues: \u201cIt&#039;s important that engineers can easily work with the guidelines and that they&#039;re part of the normal workflow. Think of tips and checks that automatically appear in IDEs, pipelines, and templates. Organizations that handle this well become CRA-compliant much faster than those that rely solely on policy.\u201d<\/p>\n<h2><strong>Practical Examples<\/strong><\/h2>\n<p>The CRA permeates the entire development process, according to Gaurav and Bram. That&#039;s why it&#039;s crucial to conduct a risk analysis in advance and document everything for the CRA. Bram gives an example: \u201cSuppose a company delivers complete solutions consisting of multiple components. The risk then lies primarily in the connection between the components. Another common example in practice is a customer wanting to deviate from the standard architecture (engineering to order). In such a case, I consider three aspects: what exactly is changing, what is the risk involved, and who is responsible for it.
For the CRA, it is especially important that the process is clear and traceable.\u201d<\/p>\n<h2><strong>Collaboration<\/strong><\/h2>\n<p>\u201cCompliance requires collaboration and commitment from all levels of the organization: from the engineer soldering components onto a circuit board to the CEO,\u201d Bram concludes. \u201cIt is often necessary to draft new policies or agree on different procedures. That is why it is important that everyone is on the same page. Organizations that integrate security into their development processes now will not only meet CRA requirements faster, they will also reduce risk and build more resilient products.\u201d<\/p>\n<p>Interested in learning more? Join the <a href=\"https:\/\/fhi.nl\/en\/dene\/\">D&amp;E event<\/a> on April 14 in Den Bosch.<\/p>\n\t\t<\/div>\n\t<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"featured_media":0,"template":"","branches":[13],"events":[361],"secretariat":[],"categories":[],"themes_tax":[515],"content_types":[501],"class_list":["post-80427","news","type-news","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news\/80427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news"}],"about":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/types\/news"}],"version-history":[{"count":3,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news\/80427\/revisions"}],"predecessor-version":[{"id":80449,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/news\/80427\/revisions\/80449"}],"wp:attachment":[{"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/media?parent=80427"}],"wp:term":[{"taxonomy":"branches","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/branches?post=80427"},{"taxonomy":"events","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/events?post=80427"},{"taxonomy":"secretariat","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/secretariat?post=80427"},{"taxonomy":"categories","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/categories?post=80427"},{"taxonomy":"themes","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/themes_tax?post=80427"},{"taxonomy":"content_types","embeddable":true,"href":"https:\/\/fhi.nl\/en\/wp-json\/wp\/v2\/content_types?post=80427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}