Let’s Talk Technical: Embedded Security and the Cyber Resilience Act

Topic Questions

What are your thoughts on CRA?

  • The CRA shifts how manufacturers must think about security, making it as fundamental as safety. To obtain the CE marking, manufacturers must meet essential security requirements, including vulnerability management and defined support periods, taking clear ownership of their products’ security. The regulation has broad reach, applying to both hardware and software - from finished products like TVs to individual components such as operating systems and microcontrollers. While certain sectors like medical and automotive are exempt to avoid overregulation, the individual components used within those products must still comply with the CRA.

What are your thoughts on security regulations outside of CRA?

  • Cyber regulations now impact a wide range of markets, from NIST and ISO standards to medical and automotive requirements. While the frameworks differ, they largely rely on the same core foundations - cryptography, isolation, and device identity - which the CRA adds to rather than replaces. As a result, companies are moving toward unified internal processes that emphasize documentation, testing, and ongoing monitoring, regardless of market. At the same time, end customers are often overwhelmed by the added security burden, making turnkey tools, development kits, and built-in security services increasingly critical to avoid rushed, incorrect implementations and growing development costs.

What support can developers get to face these regulatory challenges?

  • Beyond the CRA, security now starts with threat modeling, which drives the required use cases throughout the product lifecycle - from implementation and certification to production and post-production security management. Manufacturers increasingly rely on tools and services to manage device security after deployment, with semiconductor vendors offering packaged use cases, example code, and services layered on top of silicon. Unlike earlier IoT approaches where security often stopped at production, new regulations require ongoing certification and lifecycle security management well beyond launch.

What are common security gaps that occur in the development cycle? How can that be better addressed?

  • The most effective way to improve security is to start early, beginning with a threat assessment that shapes the entire product development journey. Early planning ensures security requirements - such as documentation, testing, secure boot, secure updates, and supply-chain protection - are built in rather than retrofitted, reducing risk at the weakest links. This includes protecting firmware, cryptographic keys, and proprietary IP, even when using untrusted manufacturers through Zero Trust approaches. Under the CRA, this responsibility extends well beyond launch, requiring manufacturers to maintain security updates for at least five years, with continued obligations after the product is in the field.

Can you tell us more about Zero Trust systems? Why are they so important?

  • In today’s era of hyperconnectivity, devices operate in distributed systems where sensors and edge devices continuously share data without centralized control. As AI and machine learning move to the edge and decisions are made without human oversight, establishing trust becomes critical - devices must verify who they communicate with and whether data is secure, trustworthy, and appropriate to use. This shift drives the need for Zero Trust principles, where access and data sharing are never assumed and are only allowed after clear rules and controls establish trust.

Could you tell us more about secure enclave and what technology is included within it?

  • A secure enclave can be compared to a hotel safe: even within a protected room, it provides an extra layer of isolation for high-value assets. In a system-on-chip, the secure enclave is a hardware- and software-based isolation environment that protects sensitive data and executes critical security functions, separate from application cores. This isolation allows untrusted or less-trusted applications to run without compromising the core system, while features such as secure boot and updates, cryptographic key management, and runtime integrity monitoring ensure authenticated execution and detect anomalies. These enclave capabilities form the foundation of security compliance, requiring manufacturers to implement protections proportional to product risk under evolving regulations.

If you could give one item of advice to embedded developers about security, what would it be?

  • The secure enclave is delivered as a qualified silicon solution that combines secure memory and cryptographic accelerators within an isolated boundary to protect credentials and critical code. This foundation is supported by tools, predefined use cases, and services - such as trust management - that enable integration across microcontroller products and manufacturing processes. As a result, this technology is increasingly being embedded across product lines to provide consistent, scalable security.

What is TrustZone? What security threats does it help protect against?

  • TrustZone support is determined by the ARM instruction set and can only be implemented on cores that natively support it. Older cores like Cortex-M4 and M7 do not support TrustZone, while newer cores such as Cortex-M33 typically do. When available, TrustZone is commonly implemented as a hardware-enforced layer that isolates and protects secure code execution.

YouTube Video Sources

If you would like to watch this video or any other video in the Let’s Talk Technical series, use the sources below.

Video on this Topic

Let’s Talk Technical: Embedded Security and the Cyber Resilience Act | DigiKey - YouTube

Other Videos from this Series

Let’s Talk Technical Playlist - YouTube

Suppliers Featured in Video

NXP Semiconductors

NXP Semiconductors enables secure connections and infrastructure for a smarter world, advancing solutions that make lives easier, better and safer. As the world leader in secure connectivity solutions for embedded applications, NXP is driving innovation in the secure connected vehicle, end-to-end security and privacy and smart connected solutions markets.

Analog Devices, Inc.

Analog Devices (NASDAQ: ADI) is a world leader in the design, manufacture, and marketing of a broad portfolio of high performance analog, mixed-signal, and digital signal processing (DSP) integrated circuits (ICs) used in virtually all types of electronic equipment. Since their inception in 1965, they have focused on solving the engineering challenges associated with signal processing in electronic equipment. Used by over 100,000 customers worldwide, their signal processing products play a fundamental role in converting, conditioning, and processing real-world phenomena such as temperature, pressure, sound, light, speed, and motion into electrical signals to be used in a wide array of electronic devices.

Microchip Technology

Microchip Technology Inc. is a leading provider of microcontroller and analog semiconductors, providing low-risk product development, lower total system cost and faster time to market for thousands of diverse customer applications worldwide. Headquartered in Chandler, Arizona, Microchip offers outstanding technical support along with dependable delivery and quality.

STMicroelectronics

STMicroelectronics is a global independent semiconductor company and is a leader in developing and delivering semiconductor solutions across the spectrum of microelectronics applications. An unrivaled combination of silicon and system expertise, manufacturing strength, Intellectual Property (IP) portfolio and strategic partners positions the Company at the forefront of System-on-Chip (SoC) technology and its products play a key role in enabling today’s convergence trends.
