CRA assessment support

The Cyber Resilience Act (CRA) is a landmark European regulation designed to ensure that products with digital elements placed on the EU market meet minimum cybersecurity requirements throughout their entire lifecycle.

The CRA introduces mandatory obligations for manufacturers, integrators, and vendors of embedded systems, software, and connected devices, covering:

  • Secure design and development
  • Vulnerability management
  • Patch and update processes
  • Long-term security maintenance
  • Transparency and technical documentation

For companies developing embedded Linux platforms, industrial devices, gateways, or IoT products, CRA compliance is no longer optional — it is a market access requirement.

DAVE Embedded System supports customers in turning CRA compliance into a structured, efficient, and sustainable engineering process, minimizing risk while accelerating time to market.

Key Deadlines

The Cyber Resilience Act entered into force in 2024, with progressive obligations applying over time.

Key milestones include:

  • 11 September 2026: Mandatory vulnerability handling and reporting obligations
  • 11 December 2027: Full application of CRA requirements for products with digital elements
  • 11 June 2028: End of transition period for devices certified under RED

This means companies must start adapting development, maintenance, and operational processes well in advance to avoid delays, penalties, or blocked market access.

Early preparation is critical — especially for embedded platforms with long lifecycles.

How DAVE Can Help

DAVE Embedded System provides end‑to‑end CRA enablement, combining technical expertise, tooling, and long-term support for embedded products.

Our approach is practical, engineering-driven, and fully aligned with the realities of industrial and embedded environments.

Security Assessment

We start with a CRA-oriented security assessment of your product, including:

  • Architecture and threat surface analysis
  • Review of software and hardware components
  • Identification of CRA applicability and product classification
  • Gap analysis against CRA essential requirements

The outcome is a clear roadmap with requirements and prioritized actions.

Security by Design

DAVE helps integrate security by design principles directly into your embedded architecture from the earliest stages.

Typical services include:

  • Secure boot and root of trust
  • Hardware security features (TPM, HSM, secure elements)
  • Trusted key storage and cryptographic acceleration
  • Hardening of bootloader, kernel, and userspace
  • Secure OTA update design
  • Device identity and authentication mechanisms

By aligning hardware and software security, we help reduce attack surfaces and long-term maintenance costs.

Vulnerability Monitor

CRA requires continuous vulnerability monitoring and response.

DAVE provides structured vulnerability monitoring for your embedded platforms, including:

  • Tracking known vulnerabilities affecting hardware and software system components
  • Risk assessment and triage of vulnerabilities affecting your specific configuration
  • Mitigation planning support

This ensures that security does not stop at product release.

SBOM / HWBOM Monitoring

Vulnerability monitoring of HWBOM and SBOM is a core CRA requirement.

We support:

  • Software Bill of Materials (SBOM) generation, maintenance and vulnerability scanning
  • Hardware Bill of Materials (HWBOM) generation, maintenance and vulnerability scanning
  • Mapping vulnerabilities to specific components and versions
  • Lifecycle-aware updates across product releases

This enables fast impact analysis and transparent compliance documentation.

BSP Maintenance

Maintaining a secure Board Support Package (BSP) over time is one of the biggest CRA challenges.

DAVE offers long-term BSP maintenance, including:

  • Kernel, bootloader, and distribution updates
  • Stable and periodic update streams across the product lifecycle
  • Vendor-independent maintenance strategies

We help ensure your platforms remain secure and compliant for years — not just at launch.

Automatic Testing and Publishing

To support secure and repeatable releases, DAVE integrates:

  • Automated build pipelines
  • Security-focused regression testing
  • Vulnerability and dependency checks
  • Controlled image generation and publishing workflows
  • Automated tests on real hardware (Hardware-In-the-Loop)

Automation reduces human error, speeds up compliance activities, and ensures consistency across releases.

Reporting and Documentation

CRA places strong emphasis on technical documentation and evidence.

DAVE supports the creation and maintenance of:

  • CRA-aligned technical documentation
  • Security architecture descriptions
  • Vulnerability handling procedures
  • Update and support policies
  • Audit-ready compliance reports

This documentation is designed not only for regulators, but also for customers, partners, and internal stakeholders.