Direct Insight to brief embedded designers on CRA vulnerability handling

Direct Insight will brief embedded developers at Hardware Pioneers Max on Cyber Resilience Act readiness, SBOM workflows, and vulnerability handling for connected products.

In brief:

  • Direct Insight will present Cyber Resilience Act guidance at Hardware Pioneers Max in London.
  • The session will focus on SBOMs, vulnerability handling, and mitigation for connected products.
  • CRA compliance is moving security work into the design stage for embedded and industrial electronics.

Direct Insight will use Hardware Pioneers Max in London to brief embedded developers on practical preparation for the EU Cyber Resilience Act, with a focus on vulnerability handling, software bills of materials, and secure product development.

The company will present at the event, which takes place on 10 and 11 June, and will also be present on the QNX stand. Its technical session will examine how developers can prepare connected products before the regulation's main obligations apply in full in December 2027. The CRA's vulnerability and incident reporting obligations apply earlier, from September 2026, so the handling process behind those reports needs to exist well before the headline deadline.

The Cyber Resilience Act changes the compliance burden for manufacturers of connected hardware and software products. Security can no longer sit at the end of the development process as a final test activity or a documentation exercise after launch. Product developers must be able to identify software components, track vulnerabilities, manage updates, and retain evidence that security risks have been considered across the product lifecycle.

Direct Insight’s session will concentrate on vulnerability handling in working embedded systems. That includes generating and maintaining SBOMs, identifying exploitable weaknesses, assessing risk in the product environment, and creating mitigation processes before devices reach customers.

The same compliance pressure is already reshaping connected device development. ByteSnap and Digi’s work on SBOM security for medical and industrial IoT reflects the growing need for traceable software content, component visibility, and vulnerability management in embedded products.

Industrial and medical devices make the challenge sharper because product lifetimes often extend well beyond the support cycles of individual software libraries or wireless stacks. A device may operate for years in a controlled environment, but its security exposure can change whenever a new vulnerability is disclosed or a network interface is updated.

An SBOM provides the inventory needed to understand that exposure, although the inventory only becomes useful when connected to a working process. Manufacturers need to match newly disclosed weaknesses against deployed systems, prioritise affected products, and update or mitigate them without undermining safety, certification, or service continuity.
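The matching step described above is the part most teams end up scripting. The following is an added illustration, not code from Direct Insight's session or from any SBOM tool: it cross-references a CycloneDX-shaped component list against a set of advisories using OSV-style half-open version ranges (introduced <= version < fixed), then ranks the hits using CVSS, whether an exploit is known, and whether the component sits on a network-facing path in this product. The SBOM, the advisory list (identifiers of the form EXAMPLE-000N are placeholders, not real CVEs), the component names and the scoring weights are all constructed for the example.

```python
"""Match an SBOM against vulnerability advisories and rank the findings.

Added example with constructed data; not part of the original article.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed SBOM in the shape of a CycloneDX JSON document.
# Component names are placeholders, not real libraries.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-tls", "version": "2.28.1"},
        {"type": "application", "name": "example-httpd", "version": "1.3.9"},
        {"type": "library", "name": "example-json", "version": "3.1.0"},
        {"type": "firmware", "name": "example-wifi", "version": "1.2.0"},
    ],
}

# Constructed advisories with hypothetical identifiers (not real CVEs).
# "fixed": None means no fixed release has been published yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example-tls", "introduced": "2.0.0",
     "fixed": "2.28.2", "cvss": 7.5, "exploited": False},
    {"id": "EXAMPLE-0002", "package": "example-httpd", "introduced": "1.0.0",
     "fixed": "1.4.0", "cvss": 9.8, "exploited": True},
    {"id": "EXAMPLE-0003", "package": "example-json", "introduced": "3.0.0",
     "fixed": None, "cvss": 5.3, "exploited": False},
    {"id": "EXAMPLE-0004", "package": "example-wifi", "introduced": "1.0.0",
     "fixed": "1.2.0", "cvss": 8.1, "exploited": False},
    {"id": "EXAMPLE-0005", "package": "example-tls", "introduced": "3.0.0",
     "fixed": "3.0.5", "cvss": 6.5, "exploited": False},
]

# Product context (assumed): components reachable from a network interface.
EXPOSED = frozenset({"example-httpd", "example-tls"})


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically.
    Pre-release suffixes such as '-rc1' are dropped, a simplification:
    production tooling should apply the ecosystem's own scheme."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def affected(version, introduced, fixed):
    """OSV-style half-open range: introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    cvss: float
    exploited: bool
    fixed_in: Optional[str]
    network_exposed: bool

    def priority(self):
        """Triage score: CVSS plus assumed weights for known exploitation
        and network exposure in this product. The weights are illustrative."""
        score = self.cvss
        if self.exploited:
            score += 2.0
        if self.network_exposed:
            score += 1.5
        return round(score, 2)

    def action(self):
        """Update when a fix exists; otherwise the finding needs a mitigation."""
        if self.fixed_in:
            return f"update {self.component} to {self.fixed_in}"
        return f"no fix published: mitigate {self.component} (disable, filter, or isolate)"


def match_sbom(sbom, advisories, exposed=frozenset()):
    """Cross-reference every component against every advisory for the same
    package and return the findings, most urgent first."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if not affected(comp["version"], adv["introduced"], adv.get("fixed")):
                continue
            findings.append(Finding(
                component=comp["name"], version=comp["version"],
                advisory=adv["id"], cvss=adv["cvss"],
                exploited=adv.get("exploited", False), fixed_in=adv.get("fixed"),
                network_exposed=comp["name"] in exposed,
            ))
    findings.sort(key=lambda f: f.priority(), reverse=True)
    return findings


if __name__ == "__main__":
    for f in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES, EXPOSED):
        print(f"{f.priority():5.1f}  {f.advisory}  {f.component} {f.version}  -> {f.action()}")
```

On the sample data the wifi firmware is excluded because its version equals the fixed release (the upper bound is exclusive), the HTTP server ranks first because it is both exploited and network-facing, and the JSON library surfaces with no fixed version, which is exactly the case where the process has to produce a mitigation rather than an update. In a real pipeline the advisory feed would come from a vulnerability database keyed by package URL, and the exposure flags from the product's own threat model.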

That pushes security decisions further into the architecture stage. Engineers selecting operating systems, modules, communication stacks, and middleware must consider supplier maintenance policies, update mechanisms, cryptographic support, and long-term availability. Procurement teams will also need clearer evidence from component and module suppliers on disclosure processes and lifecycle support.

Hardware Pioneers Max brings that discussion close to embedded product decisions. As CRA deadlines approach, secure-by-design requirements will have to become repeatable engineering routines: traceable software content, disciplined vulnerability assessment, maintainable update paths, and product architectures that can be supported long after deployment.
