CRA Whitepaper with EY and Cumulocity
Summary: Together with EY and Cumulocity we have released a practical reference architecture for EU Cyber Resilience Act (CRA) compliance. Learn how our open-source tool suite, Rugix, provides the essential on-device functionality, from secure OTA updates to factory resets, needed to meet these new stringent regulations.
The EU Cyber Resilience Act (CRA) introduces sweeping new cybersecurity obligations for manufacturers of products with digital elements. While full enforcement begins in December 2027, reporting obligations will already come into effect as early as September 11, 2026.
In our new whitepaper, A Practical Reference Architecture for Cyber Resilience Act (CRA) Compliance, co-authored with EY and Cumulocity, we present a modular approach to these challenges. By combining EY’s legal advice, Cumulocity’s IoT device management, and Silitics’ embedded engineering expertise and solutions, we have outlined a complete architecture for secure connected products.
The Role of Rugix in CRA Compliance
At Silitics, we help manufacturers build secure and reliable embedded Linux devices. A core component of the whitepaper’s reference architecture is Rugix, our open-source solution designed to address the CRA’s demanding technical requirements directly on the device.
Key CRA-relevant capabilities of Rugix include:
- Robust Software Updates: The CRA mandates secure, timely updates to fix security vulnerabilities. Rugix implements atomic A/B updates with automatic rollback, ensuring devices remain operational no matter what. To make sure that updates can be trusted, Rugix uses cryptographic signature verification before writing anything to the device. With its best-in-class delta update mechanisms, Rugix ensures not only that updates are secure and robust, but also that they are highly efficient.
- Secure Factory Reset: The CRA requires that devices can be effectively reset for decommissioning, transfer, or to restore a secure-by-default configuration. Rugix provides a built-in state management mechanism to facilitate secure factory resets.
In addition, Rugix can be integrated into secure boot processes to validate the system and its data at startup, establishing trust in the running software and device’s integrity, all while preserving the ability to efficiently and robustly install over-the-air (OTA) updates. Rugix’s innovative state management mechanism also ensures device integrity by preventing unintended state changes from corrupting the system.
While Rugix is compatible with Yocto and other build systems for embedded Linux, it also comes with Rugix Bakery, an easy-to-use build tool for creating custom Linux distributions. Rugix Bakery can help manufacturers speed up the development process by building on proven binary distributions such as Debian or Alpine Linux. At the same time, Rugix Bakery can generate a machine-readable Software Bill of Materials (SBOM), a key requirement for traceability and CRA compliance.
Interested in learning more? Read the full whitepaper. (light version)
Get Started
Compliance in 2027 begins with the architecture decisions you make today. If you are evaluating your current device architecture against CRA requirements, we are ready to help. Reach out to us for a technical gap analysis or to learn more about integrating Rugix into your products.