Getting Ready for the EU Cyber Resilience Act (CRA) with wolfSSL

2025-05-21

By David Garske, Senior Software Engineer, wolfSSL

The European Union’s Cyber Resilience Act (CRA) is reshaping the way embedded device manufacturers approach cybersecurity. For teams building connected systems, from industrial controls to medical and defense devices, CRA compliance isn’t just a checkbox. It’s a roadmap for securing products across the entire lifecycle. To assist in securing these systems, wolfSSL offers a suite of tools designed to help meet the CRA’s requirements across the different product categories it covers.

1. Secure Communications with TLS 1.3

The CRA mandates protection of data in transit. wolfSSL’s flagship TLS/SSL library offers full TLS 1.3 and DTLS 1.3 support in a lightweight, embedded-friendly package. Whether you're building on a Cortex-M MCU or a Linux-based gateway, wolfSSL can secure your communication stack with proven cryptography and offers FIPS 140-3 validated versions where needed.

2. Strong Cryptography and Hardware Acceleration

wolfCrypt, the cryptographic engine beneath wolfSSL, provides optimized, portable implementations of AES, SHA-2/3, RSA, ECC, EdDSA, and more. It supports integration with hardware crypto engines through wolfCrypt ports, enabling performance and security benefits on platforms with secure elements, TPMs, or HSMs. Our support for post-quantum (FIPS-203 ML-KEM and FIPS-204 ML-DSA) and country-specific algorithms (like Shang Mi and Aria) ensures readiness for global deployments and evolving regulatory requirements.

3. Secure Boot and Firmware Updates

One of the CRA’s critical goals is to ensure device integrity, from first boot to firmware updates. wolfBoot, our secure bootloader, enforces firmware authentication via cryptographic signatures and supports secure over-the-air (OTA) updates. It's OS-agnostic, safety-oriented, and built for embedded environments, now supporting all the most common CPU architectures, up to x86_64.

4. SBOM, Vulnerability Management, and Lifecycle Security

The Cyber Resilience Act (CRA) calls for transparency and long-term security support. Our Vulnerability Management processes facilitate seamless integration of our projects into your Software Bill of Materials (SBOM), enabling transparent monitoring of Common Vulnerabilities and Exposures (CVEs). With no external dependencies in our solutions, we simplify your SBOM compliance efforts while reducing vulnerability vectors. We track versions of cryptographic libraries and monitor CVEs systematically. We provide timely vulnerability notifications, fixes, and long-term support options, crucial for product manufacturers required to respond quickly to emerging threats.

5. Ready for Documentation and Conformance Assessments

wolfSSL’s engineering-first ethos includes compliance-ready documentation for standards like FIPS, DO-178C, MISRA-C, and others. Our dual licensing model—offering both open-source and commercial licensing—enables rapid development and easier evaluation while supporting seamless transition to fully certified deployments. These assets are essential for demonstrating conformity during CRA assessments and audits. Additionally, the CRA provides specific relief for open-source developers or users, and all of wolfSSL’s GPL-licensed products are compatible.

6. Meeting CRA Classification Requirements

Whether your product falls under critical (Class I or II) or non-critical categories in the CRA framework, wolfSSL provides appropriately scaled security solutions:

For Critical Products: Our FIPS-validated libraries and comprehensive security suites meet the stringent third-party assessment requirements for critical applications

For Standard Products: Our efficient, standards-compliant implementations support self-assessment procedures while maintaining a strong security posture

7. CRA Compliance Timeline Alignment

wolfSSL's development roadmap is aligned with the CRA implementation timeline:

Immediate Readiness: Core security components are available now for early adopters

24-Month Horizon: Enhanced features for full compliance when CRA takes full effect

Long-term Support: Maintenance and updates throughout your product lifecycle, meeting the CRA's requirements for ongoing security support

Whether you’re developing a connected medical device, an industrial controller, or a military-grade communication system, wolfSSL gives you the cryptographic backbone, tooling, and expert support to build secure-by-design products that align with CRA from day one.

David Garske, Senior Software Engineer at wolfSSL, joined the team in 2015 as an Embedded Software Engineer and has worked in IoT embedded software development since 2005. He specializes in embedded security and helps maintain and add features to the wolfTPM, wolfMQTT, and wolfSSL projects.

