Who Defines Minimum Security for Default Products?
Episode 69: Better Built By Burkhard
Dear Reader,
I am looking back at a difficult year. 2025 was my worst year in 12 years of running my solo business. There are some good reasons.
I spent 9 months managing the construction of our log house in St. Gallen (Styria, Austria). We’ll move into our new house on 16 January 2026. I’ll also move my business: EmbeddedUse will become a proper company called Small Step Systems GmbH. Stay tuned!
At the end of 2023, I accepted a fixed-price project to implement a CRA-ready embedded Linux system for a Variscite iMX8M Plus SoM. My cautious estimate was 6 months. It took me 1.5 years and I couldn’t deliver everything. More severe than the financial loss was that I didn’t do enough marketing - writing posts and talking at conferences. Consequently, my sales pipeline was pretty empty in 2025.
The economic uncertainty in 2025 caused by the imperialistic policies of Russia, China and the USA didn’t help. It makes businesses think twice about spending money.
Don’t worry. I have enough financial reserves and I am savvy enough to get out of this little slump.
Most importantly, I am looking forward to an exciting year 2026 in a new country. I hope you feel a similar excitement about the new year. Have a happy, healthy and successful 2026!
Enjoy reading,
Burkhard 💜
Who Defines Minimum Security for Default Products?
The short and sad answer is: the courts will decide what makes up the minimum set of security measures required for CRA compliance of default products. Manufacturers stand a good chance in court of lowering the bar for required security measures, of watering down the CRA and even of delaying its application. This is a very sad prospect, because the intent of the CRA - strengthening cybersecurity - is good, necessary and long overdue. However, the execution is lousy.
The main problem is that cybersecurity experts are unable to define the “state of the art” for cybersecurity. Worse, they are convinced that they don’t have to: manufacturers should just do the risk assessment of the essential product requirements and everything will be fine. Even worse, cybersecurity experts think that they define the state of the art by cranking out vertical and horizontal standards for default, important and critical products at record pace. These standards come far too late. They are vague and hard to understand. And they resemble a random collection of security measures much more than a minimum set of security measures cooperating to achieve a common goal: lifting the security level of all products.
On LinkedIn, I pushed some cybersecurity experts on the missing definition of minimum security. The answers were revealing and give me no reason for optimism. CRA compliance will be decided in court, although this is totally wrong!
Sarah Fluchs: Have the Guts to Use Your Own Risk Analysis!
Sarah Fluchs, CTO of the IT security company admeritia GmbH and member of the CRA expert group at the EU Commission, wrote an article in German about the CRA in the Berlin daily newspaper Tagesspiegel. With the original title Habt Mut, euch eurer eigenen Risikoanalyse zu bedienen!, she encourages manufacturers to have the guts to use their own risk analysis. Let me summarise the article in English. The translations are mine.
Businesses must implement the requirements [of Annex I] according to the assessment of the cybersecurity risks. Simply put, this means: only where manufacturers identify a risk must they take measures. And their own risk analysis decides what an effective measure is.
Sarah Fluchs [SF1]
Manufacturers complain about the vagueness of the CRA. Sarah Fluchs regards this vagueness as a “chance for manufacturers who can make competent decisions, based on the risk analysis, on how best to implement the requirements for their products”.
With its heavy penalties and sales bans, the CRA is a “severe intervention into the free market”. The risk analysis is a counterbalance by giving manufacturers the power to limit the intervention.
The harmonised standards make the vague requirements of the CRA more concrete. However, they don’t replace the risk analysis, for three reasons.
The harmonised standards for default products (at 90-95%, by far the biggest group of products) won’t be available by 11 December 2027.
Harmonised standards are not mandatory for manufacturers.
No matter which conformity assessment procedure manufacturers choose for their products, they must always perform a risk assessment.
As the CRA mandates the risk assessment, manufacturers must do it.
All requirements of the CRA apply only if a risk exists. The risk analysis tells whether this is the case. If a requirement applies, manufacturers must be allowed to decide for themselves how to implement it. And the risk analysis is the tool for this decision.
Sarah Fluchs [SF2]
The previous and the next statement show that Sarah Fluchs regards risk analysis as the panacea for CRA compliance.
Risk analysis is […] the only rational tool to make security decisions. With the risk analysis, businesses can evaluate how effective security measures are. Hence, they can decide which security measures are important - and which not. But also when a product is secure enough and when more measures are disproportionate.
Sarah Fluchs [SF3]
Manufacturers should neither ask nor wait for checklists of security measures. They should, instead, use the power of the risk analysis to define and implement their own set of security measures.
Nobody Knows How Much Security is Enough
Both the Tagesspiegel and Sarah Fluchs posted the article on LinkedIn (see here and here; both in German but the automatic translations are pretty good). I commented on both LinkedIn posts, because I regard statements like [SF1] and [SF2] as too exaggerated to be good advice for manufacturers.
The Response to My First Comment
My first comment was provocative, along the following lines: statement [SF2] implies that manufacturers can simply accept all risks in their risk assessment. Then the market surveillance authorities can’t impose any penalties or sales bans, and the CRA is superfluous. I ended my comment as follows.
Absurd, isn’t it? We can only avoid this, if there is a minimum of cybersecurity measures that allows manufacturers to comply with the product properties. In the end, courts will define this minimum (“state of the art”), although they are the totally wrong choice.
As a manufacturer, I’d want cybersecurity experts to define this minimum based on practical examples. We don’t need more vague standards that are incomprehensible for anyone else but cybersecurity experts.
Burkhard Stubert, LinkedIn comment
In her response, Sarah Fluchs confirmed that manufacturers cannot simply accept all risks. Of course, they can’t. But, how much security is just enough? Here is the first part of her answer.
Work on harmonised standards is in progress to define a minimum of concrete security measures. Manufacturers’ demand for such a minimum makes sense to the people involved in the standards, which are produced at record pace.
Sarah Fluchs, LinkedIn comment
The horizontal standard explaining the essential product requirements (Annex I.I) will be published on 30 October 2027, if everything goes according to plan. That is just six weeks before the CRA becomes fully applicable. Manufacturers of default products - that is, almost all manufacturers - won’t get any help in the transition period ending on 10 December 2027.
The requirements in the vertical standards for important and critical products must not contradict the requirements of the horizontal standard for the essential product requirements. Yet the vertical standards must be ready by 30 August 2026, 14 months before the horizontal standard on which they are based. Really?! This reeks of substantial rework, missed deadlines and low quality.
If I hear from a software development team that they write code “at record pace”, I know that this team is headed for disaster. I am pretty sure that the same is true for writing cybersecurity standards. You can check for yourself: the mature drafts of the vertical standards are available on the website of the ETSI TC CYBER working group.
Do these standards define a minimum set of security measures for important and critical products, as they are supposed to? After reading two of them - routers (PDF) and operating systems (PDF) - my answer is no. The standards look more like wish lists of cybersecurity experts. The lists are too broad. The authors don’t minimise them; they only look at security measures individually. If you let security measures cooperate to make a product more secure, you need far fewer of them. That’s basic systems theory:
A system is not the sum of the behaviors of its parts, but the product of its interactions.
Russell Ackoff, On Systems Thinking
If manufacturers follow the standard, they will have to argue very thoroughly why they ignore certain security measures. No matter how good their argument, the market surveillance authority can and will disagree with some of the arguments. Only courts can decide. If manufacturers don’t follow the standard, which they are entitled to do, the authority can and will ask why they ignored certain measures from the standard. Same result!
So far, I haven’t even addressed the elephant in the room. As the CRA is a massive change of law, all these standards should have been available before the transition period started on 11 December 2024. Businesses must know the rules before a law takes effect. Otherwise, the law violates the constitutional principles of legal certainty and non-retroactivity.
These principles are part of the constitutions of almost all EU countries and of the Treaty of Lisbon (the closest thing to an EU constitution). I expect that the transition period will be significantly extended by the European Commission (the wise thing to do) or that sales bans and penalties will be overturned by courts on a case-by-case basis.
Last but not least: Yes, manufacturers of digital products must now become cybersecurity experts to a certain extent. Similarly, machine manufacturers must, to a certain extent, become [safety] experts to avoid accidents with the machine.
Sarah Fluchs, LinkedIn comment
The comparison between cybersecurity and safety is misleading. If an operator gets a hand into a sheet metal bending machine, the hand is pulp. Every manufacturer will easily recognise this as a safety hazard and take countermeasures.
Assessing cybersecurity issues is much more difficult. CVE-2024-12084 describes a heap-based buffer overflow in the rsync daemon. The CVE record puts the CVSS base score at 9.8 out of 10. In layman’s terms, this vulnerability is very critical. But how can the manufacturer judge whether it must fix this vulnerability on the sheet metal bending machine? The base score says nothing about whether the rsync daemon runs on the machine at all, or whether anyone can reach it.
This assessment is much more difficult and time-consuming than the one for the safety hazard. Moreover, there are hundreds of similar CVEs on typical embedded Linux systems beckoning: “Fix me! I’m super critical! Fix me!”
Even if manufacturers were lucky enough to have a security expert on their team, the effort of a proper assessment would be prohibitively large. The manufacturers’ experts wouldn’t be the right people to assess vulnerabilities buried five levels deep in their Linux system.
The group providing the embedded Linux system is much better placed for that assessment. Some companies have understood this. Toradex has a team of security experts filtering out many of the CVEs for Torizon, their embedded Linux system. This makes the lives of manufacturers a lot easier.
Manufacturers must become “cybersecurity experts to a certain extent”. No doubt about that. But to what extent? To a much lesser extent than Sarah Fluchs demands. I think that cybersecurity experts should get much better at explaining their issues to manufacturers. Manufacturers shouldn’t have to learn a new language, let alone get a PhD in cybersecurity. Last but not least: the sales model of cybersecurity sucks. It is based on fear (heavy penalties, sales bans and potential attacks) and the power of authority (law)!
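To make the assessment question concrete, here is an added example (my own code, not from the original post, from Toradex or from any vendor) of the kind of applicability triage a base-image provider can run per CVE: a VEX-style decision based on the installed package version, whether the vulnerable service is enabled at all, and whether its port is reachable from the network. The affected version range for CVE-2024-12084 and the assumption that the rsync daemon must be reachable for exploitation are my reading of the advisory and are marked as assumptions in the code; all package lists and images are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Status and justification vocabulary as used by OpenVEX / CSAF VEX.
NOT_AFFECTED = "not_affected"
AFFECTED = "affected"


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    package: str
    cvss_base: float
    vulnerable_from: str          # first affected upstream version (inclusive)
    fixed_in: str                 # first fixed upstream version (exclusive)
    needs_service: Optional[str]  # service that must be reachable to exploit, if any


@dataclass(frozen=True)
class ImageFacts:
    packages: Dict[str, str]          # package name -> installed version
    enabled_services: FrozenSet[str]  # services started at boot
    exposed_ports: FrozenSet[int]     # TCP ports reachable after firewalling
    service_ports: Dict[str, int]     # service -> port it listens on


def version_key(version: str) -> tuple:
    """'3.2.7' or '3.2.7-r3' -> (3, 2, 7). The distro suffix after '-' is
    dropped, which is adequate for comparing against upstream ranges."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def in_vulnerable_range(installed: str, lo: str, hi: str) -> bool:
    return version_key(lo) <= version_key(installed) < version_key(hi)


def triage(cve: CveRecord, image: ImageFacts) -> dict:
    """Decide whether the CVE applies to this image and what to do about it."""
    def verdict(status, justification, priority, detail):
        return {"cve": cve.cve_id, "status": status, "justification": justification,
                "priority": priority, "detail": detail}

    installed = image.packages.get(cve.package)
    if installed is None:
        return verdict(NOT_AFFECTED, "component_not_present", "record in VEX",
                       f"{cve.package} is not installed")
    if not in_vulnerable_range(installed, cve.vulnerable_from, cve.fixed_in):
        return verdict(NOT_AFFECTED, "vulnerable_code_not_present", "record in VEX",
                       f"{cve.package} {installed} is outside the affected range")
    if cve.needs_service is not None:
        if cve.needs_service not in image.enabled_services:
            return verdict(NOT_AFFECTED, "vulnerable_code_not_in_execute_path",
                           "record in VEX; fix with next base-image update",
                           f"{cve.needs_service} is never started on this image")
        if image.service_ports.get(cve.needs_service) not in image.exposed_ports:
            # Firewalled: still affected (rules can change), but not an emergency.
            return verdict(AFFECTED, None, "fix in next scheduled release",
                           f"{cve.needs_service} runs but its port is not reachable")
    return verdict(AFFECTED, None, "fix now",
                   f"{cve.package} {installed} reachable from the network, CVSS {cve.cvss_base}")


# Constructed CVE record. The version range and the requirement that rsyncd be
# reachable are my reading of the advisory: assumptions for this example.
RSYNC_CVE = CveRecord("CVE-2024-12084", "rsync", 9.8, "3.2.7", "3.4.0", "rsyncd")

# Five constructed images of a bending-machine controller (sample data, not real products).
IMAGES = {
    "no_rsync": ImageFacts({"openssl": "3.0.15"}, frozenset(), frozenset({22}), {}),
    "rsync_fixed": ImageFacts({"rsync": "3.4.0"}, frozenset({"rsyncd"}), frozenset({22, 873}), {"rsyncd": 873}),
    "client_only": ImageFacts({"rsync": "3.2.7-r3"}, frozenset({"sshd"}), frozenset({22}), {"rsyncd": 873}),
    "daemon_firewalled": ImageFacts({"rsync": "3.2.7"}, frozenset({"rsyncd"}), frozenset({22}), {"rsyncd": 873}),
    "daemon_exposed": ImageFacts({"rsync": "3.3.0"}, frozenset({"rsyncd"}), frozenset({22, 873}), {"rsyncd": 873}),
}


def triage_all(cve: CveRecord = RSYNC_CVE, images: Dict[str, ImageFacts] = IMAGES) -> dict:
    return {name: triage(cve, img) for name, img in images.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        print(f"{name:18} {v['status']:13} {v['justification'] or '-':36} {v['priority']}")
```

The point of the exercise is that the same CVSS 9.8 record yields four different answers for the same machine depending on facts only the image provider and the integrator know together: the installed version, whether the daemon is started, and whether its port survives the firewall. Those facts, not the base score, are what a risk assessment has to document.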
The Responses to My Second Comment
My second comment makes clear that I regard statement [SF1] as a bit too simple. I elaborated my point.
This statement suggests that manufacturers can decide on their own which security measures to implement and which not. Of course, they can’t! The market surveillance authorities, the horizontal standard for the essential product requirements (available not before 30 October 2027!!!) and ultimately the courts will define the minimum of required security measures.
Therefore, the manufacturers of default products perform risk assessments and implement security measures for a moving target.
Burkhard Stubert, LinkedIn comment
Unsurprisingly, my comment garnered some disagreement.
Based on the risk assessment, the manufacturer can, by all means, decide on the specific measures to implement. That’s exactly the point! […] But risk analysis doesn’t mean: “I write on a slip of paper: Nobody will attack me and hence I don’t have to do anything.” Quite the contrary, [risk analysis] must be sound, plausible and based on the state of the art.
Florian Kauer, LinkedIn comment (emphasis mine)
There was a second comment along the same lines.
It’s exactly like [Sarah Fluchs says]! However, manufacturers don’t simply “decide”, which security measures to implement and which not. They must justify [their decision] in a sound way with their risk analysis. That is an important difference!
[…]
Alexander Aigner, LinkedIn comment (emphasis mine)
Of course, I pressed Florian Kauer and Alexander Aigner on the definition of “sound”, “plausible” and “state of the art”.
Who decides, whether the risk analysis is “sound” and “plausible” and what “state of the art” means?
Market surveillance authorities? TÜV Süd? Cybersecurity experts?
All wrong!!! Ultimately, courts will decide! They are the totally wrong entities for these decisions.
As a manufacturer, I’d like to know better what the CRA expects of me. I’d like to have a guideline […] with examples, how I can comply with the essential product requirements (Annex I.I 2b - 2m). I’d like to know when I’ll get a yellow card (only rework needed) or a red card (penalty and sales ban). It’s just stupid to let courts decide in a couple of years.
Burkhard Stubert, LinkedIn comment
Florian Kauer answered.
Basically correct. The courts will ultimately decide. They will use expert witnesses from market surveillance authorities, TÜV or security experts.
[…]
As a guideline, [manufacturers] can read the CRA or the published drafts of the harmonised standards. Then, they can decide which way to take.
Florian Kauer, LinkedIn comment
The gist of these responses is the same as that of Sarah Fluchs’s article and response: manufacturers just do the risk assessment in a “sound” and “plausible” way and they are fine. There is no need to define “sound” and “plausible”, let alone a minimum set of security measures, the state of the art. The harmonised standards and the CRA itself are more than enough guidance.
I have argued above where this will end: in court! The courts will definitely ask for the “state of the art” appropriate for the product under scrutiny. If no such definition of minimum security exists, the lawyers of the manufacturers will have a field day. Manufacturers will get away with far fewer security measures than would be good for the ecosystems in which their products operate. Dear cybersecurity experts: is this really what you want?
The responses of Alexander Aigner and Florian Kauer contain some interesting tidbits - in parts that I have left out so far. Let me reveal what’s behind the “[…]”.
Moreover, the horizontal standard for the essential product requirements is not a lower-bound checklist of measures that manufacturers must implement. It can’t be, because the application of harmonised standards is voluntary.
Alexander Aigner, LinkedIn comment (emphasis mine)
Yes, you read that correctly. You do not have to use the horizontal and vertical standards currently being prepared “at record pace”. Their application is optional. Although they are hard to read with their overwhelming cybersecurity lingo, I urge you to read them carefully and to pick out the advice most relevant to your products.
I find the drafts for routers, modems and switches (PDF) and for operating systems (PDF) best suited for embedded systems. Keep in mind that these drafts are for important products, which must provide many more security measures than default products. Unfortunately, it is up to you, as the manufacturer, to decide which of these security measures your default product needs and to what extent.
Florian Kauer spells out the options for manufacturers.
That’s exactly the principle of the NLF [(New Legislative Framework)]. Either manufacturers are confident enough to perform the risk analysis on their own and risk having to defend their risk analysis in court, or that’s too risky for them and they get issued a “presumption of conformity” (they still need a risk analysis), which makes it more difficult for the plaintiff.
Florian Kauer, LinkedIn comment
Manufacturers can either do the risk assessment on their own or have it certified by a notified body such as TÜV Süd. For default products, the first option would always be my recommendation. By doing the risk assessment and implementing the identified measures, manufacturers will truly improve the security of their products.
In contrast, certification by notified bodies - the second option - means going through lengthy checklists of security measures and bloated process descriptions. The longer the checklists and the heavier the process descriptions, the more notified bodies can charge for ticking off all the boxes - many of them irrelevant. Notified bodies are in the business of making money. They don’t care whether small and medium businesses go bust because of the CRA. That’s what I learned from the keynote by Thomas Burkhardt from TÜV Süd at the Torizon CRA Summit.
