CRA Compliance in Embedded Systems: A Practical Look from the Yocto Project World

Embedded products are at the core of the Cyber Resilience Act, yet they face unique compliance challenges. Hardware vendors ship heavily patched BSPs, software modules often diverge from upstream, and reliable identification of modified components is still far from solved. For teams building products on top of these layers, translating CRA requirements into daily engineering practice is not straightforward.

This talk provides a practical overview of where CRA compliance currently stands for embedded devices, using Yocto Project–based workflows as a representative example. We will explore what is already achievable today with existing tooling (SBOM generation, vulnerability scanning, provenance capture), and highlight the gaps that still require industry-wide definitions - from consistent software identification to handling vendor modifications and long-tail dependencies.

Participants will gain a grounded, realistic understanding of how CRA obligations map to actual embedded development, what can be implemented now, and where the ecosystem still needs collective work to reach a "working" state.