EU Cyber Resilience Act (CRA)

Discover how SYSGO’s embedded platforms and services help you build secure, resilient, and future-ready systems.

New EU Baseline for secure digital Products

The Cyber Resilience Act (CRA) is a European Union regulation designed to improve the Cybersecurity of products with digital elements placed on the EU market. It sets mandatory Security requirements throughout a product’s life cycle, including secure development, risk management, vulnerability handling, and maintenance obligations.

The CRA predominantly affects sectors such as Railway, Space, Agriculture, and Industrial Automation, where Safety- and Security-critical digital products are sold in the EU. Other markets like Avionics, Automotive, and Medical already have their own stringent Cybersecurity and Safety standards, but CRA may still influence life cycle Security practices in these domains due to its broad scope.

EU Cyber Resilience Act for Product Security

How does the CRA affect embedded Software like PikeOS and ELinOS?

The CRA applies to all software products with digital elements placed on the EU market, including embedded operating systems, hypervisors, middleware, and development toolchains that become part of a commercial device. This means that foundational platform software such as PikeOS and ELinOS is considered part of the product’s Cybersecurity posture and must support secure development, maintenance, and vulnerability management throughout the full life cycle.

For embedded systems manufacturers, the operating system forms the root of trust and Security boundary. Therefore, platform choices directly influence compliance effort.

PikeOS and ELinOS were engineered with Security by Design and long-term maintainability as primary goals. They help customers address CRA obligations by providing:

  • Strong system isolation and reduced attack surfaces
  • Deterministic and controlled update processes
  • Structured vulnerability management and patch availability
  • Long-term supported product life cycles (often 15+ years, as is typical in critical industries)

While CRA conformity ultimately depends on the final device manufacturer, selecting PikeOS or ELinOS significantly lowers technical and process risks when demonstrating compliance.

What Security Assurance does PikeOS provide out of the Box?

PikeOS delivers a high level of pre-certified assurance, reducing the need for customers to build and justify low-level Security mechanisms themselves.

It is certified to Common Criteria EAL 5+, demonstrating independently verified:

  • Secure architecture design
  • Formalized development processes
  • Rigorous testing and verification
  • Controlled configuration management

Its separation kernel architecture enforces strict partitioning between applications of different criticality or trust levels. Compromise of one partition does not propagate to others, which directly supports CRA principles such as risk reduction, damage containment, and resilience by design.

This architecture also enables:

  • Mixed-criticality consolidation on a single hardware platform
  • Reduced trusted computing base (TCB)
  • Smaller attack surface compared to monolithic systems
  • Easier security argumentation during audits

With the EUCC (European Cybersecurity Certification) scheme, PikeOS’s existing EAL 5+ foundation provides a strong starting point for streamlined transition and future certifications.

What Security Measures are integrated into PikeOS and ELinOS?

Both platforms deeply embed Security mechanisms at architectural, system, and operational levels to directly support CRA requirements such as secure design, protection against unauthorized access, and secure maintenance.

➡️ PikeOS

  • Separation kernel with hardware-enforced partitioning and time/space isolation
  • Minimal microkernel to reduce exploitable code surface
  • Secure boot and runtime integrity verification
  • Controlled inter-partition communication channels
  • Deterministic system behavior suitable for Safety- and Security-critical use cases
  • Long-term maintenance branches with Security backports
  • Structured vulnerability handling within SYSGO’s ISO 27001-certified processes

➡️ ELinOS

  • Hardened embedded Linux distribution optimized for industrial and connected devices
  • Secure boot and chain-of-trust implementation
  • Hardened kernel configuration and optional attack-surface reduction features
  • Cryptographic services and secure communication stacks
  • Secure update frameworks for reliable field patching
  • License manifest generation and SBOM export for supply chain transparency

Together, these capabilities enable customers to implement secure-by-design products without adding extensive custom Security infrastructure, accelerating CRA readiness.

Can SYSGO’s Products help me meet the CRA’s Update and Patch Obligations?

Yes. The CRA requires manufacturers to provide timely vulnerability remediation and Security updates for the expected product lifetime. This can be challenging in embedded and long-lived industrial systems.

Both PikeOS and ELinOS support this through structured long-term maintenance programs that include:

  • Regular Security patches and vulnerability fixes
  • Backported fixes for stable releases
  • Clearly documented advisories and change logs
  • Traceable versioning for audit and compliance documentation
  • Separation of functional and Security updates to minimize operational risk
  • Long support windows aligned with industrial product lifecycles

This enables predictable maintenance planning and simplifies evidence generation during CRA audits or customer Security assessments.

What Processes does SYSGO have for Vulnerability and Security Incident Handling?

Beyond product features, the CRA requires organizational processes for vulnerability intake, assessment, coordinated disclosure, and customer communication.

SYSGO operates a formal, ISO 27001-certified Information Security Management System (ISMS) that includes:

  • Defined vulnerability intake and tracking workflows
  • Risk classification and prioritization
  • Coordinated remediation and patch development
  • Responsible disclosure practices
  • Structured customer notification

A dedicated Product Security Incident Response Team (PSIRT) supported by internal boards (e.g., Security Officer Board and Safety & Security Board) ensures rapid, cross-product coordination.

This process-driven approach helps customers demonstrate that not only their software stack, but also their supplier ecosystem, meets CRA expectations for continuous Security governance.

Does PikeOS support Separation of functional and Security Updates?

Yes. SYSGO offers separate update channels for functional changes and Security fixes. Providing these on distinct channels enables controlled update strategies aligned with customers’ risk profiles and life cycle obligations — a key element in maintaining secure systems over time.

Does the CRA apply to both PikeOS and ELinOS when sold as Product Components?

The CRA applies when PikeOS or ELinOS becomes part of a product with digital elements made available on the EU market. 

For example:

  • When an embedded device manufacturer includes PikeOS or ELinOS in their product firmware
  • When these products are integrated into an appliance or connected device that is sold as a complete system

In these contexts, the customer (as the manufacturer of the final product) is responsible for ensuring CRA obligations are met.

How do PikeOS and ELinOS Support secure Supply Chain Transparency?

The CRA introduces explicit requirements for software component transparency and supply chain risk management.

Both platforms provide mechanisms that make dependency tracking and documentation straightforward:

  • Detailed component traceability and controlled build environments
  • License manifests and third-party component listings
  • Software Bill of Materials (SBOM) generation for ELinOS
  • Version and patch provenance documentation
  • Long-term maintained and validated component sets (reducing exposure to untracked open-source risks)

These artifacts enable customers to quickly answer regulatory or auditor questions regarding:

  • Which components are included
  • Their origins and licenses
  • Known vulnerabilities
  • Applied fixes

This significantly lowers the administrative burden of CRA compliance reporting.

Can SYSGO help me with CRA Readiness beyond Product Features?

Yes. CRA compliance is not achieved by technology alone; it also requires process, documentation, and lifecycle governance.

SYSGO supports customers with consulting and engineering services that extend beyond the OS, including:

  • CRA gap analyses and readiness assessments
  • Threat and risk modeling
  • Secure architecture design and hardening guidance
  • Secure Development Lifecycle (SDL) integration
  • BSP and platform customization with minimized attack surface
  • Assistance preparing compliance evidence and documentation

This combination of certified platforms plus expert guidance helps manufacturers move from “secure components” to end-to-end compliant products.

PikeOS RTOS & Hypervisor

PikeOS for CRA-ready embedded Systems

ELinOS Embedded Linux

ELinOS for CRA-ready embedded Systems

Information

Where can I find more detailed CRA Guidance for my Product and Architecture?

For official CRA guidance, refer to published EU institutional FAQs and technical guidance. 

More information here: CRA FAQ (European Commission)

SYSGO’s Security documentation can also provide product-specific insights and answers relevant to PikeOS and ELinOS usage and integration into customer systems.

For more information, please contact us
