What the CRA actually requires of your firmware
The thirteen essential requirements, in plain terms, and what each one means for the code on the device.
Coming soonAceman builds the firmware-level security, software updates and audit-ready evidence the EU Cyber Resilience Act requires, so you ship on time and compliant without hiring a security team you can’t find.
We build the engineering. The evidence comes from your build, not from a form.
CRA reporting obligations begin on 11 September 2026; the main obligations apply from 11 December 2027. PSTI and the RED cybersecurity rules already apply today. The firmware is the hardest part, and it is the part many teams have no one in-house to own.
What this means for your product →Actively exploited vulnerabilities must be reported within 24 hours from this date.
Every team gets there differently: some want it done, some want to own it, some want to learn it. Pick the path that matches yours, or take the two-minute check and it will point you to one.
Readiness assessment, then we implement the secure boot, signed updates, SBOM and vulnerability handling, and hand over an audit-ready technical file.
Point our platform at the build you already produce. It generates your SBOM, watches your components for vulnerabilities, and assembles the evidence as you work.
The Academy teaches the builder’s side of embedded security: the same mechanisms and evidence we deliver in real engagements, taught by the engineer doing the work.
Whichever path you take, the same discipline stands behind it: built to the standard, evidenced for the assessor, learned where firmware is not allowed to fail.
Secure boot, signed updates, SBOMs and vulnerability handling, implemented to satisfy the CRA’s essential requirements rather than approximate them.
Every deliverable maps to what a notified body or test lab expects to see: the technical file, the traceability, the test reports.
The discipline of the industry with the least tolerance for firmware that fails, brought to your connected product.
Practical, specific, and grounded in real implementations: the part most write-ups skip.
The thirteen essential requirements, in plain terms, and what each one means for the code on the device.
Coming soonA real walkthrough: from build metadata to a machine-readable bill of materials you can actually maintain.
Coming soonA career spent where firmware isn’t allowed to fail, and why connected products are about to learn the same lessons.
Coming soonTwo minutes tells you where you stand. The rest becomes a plan.