5 posts tagged with "Secure-by-Design"

The Cyber-Resilience Act (CRA) is the EU's first horizontal law that legally mandates Secure-by-Design for products with digital elements. It sets clear obligations for confidentiality and integrity, but it deliberately avoids naming specific algorithms or key sizes. That raises an immediate question for device makers:

What exactly counts as “state-of-the-art” cryptography under the CRA?

Inspired by Markku-Juhani O. Saarinen’s paper “CRA and Cryptography: The Story Thus Far” (IACR ePrint 2025/2092), this post explains how European standardisation work is answering that question – and what it means for your products.

On June 27, 2025, the US Food and Drug Administration (FDA) published a landmark update to its premarket cybersecurity guidance, superseding the version from September 2023. This new document provides critical clarity for medical device manufacturers by consolidating previous guidances and formally defining the legal obligations for "cyber devices" under Section 524B of the FD&C Act.

On November 20, 2024, the Cyber-Resilience Act (CRA) was officially published in the EU's Official Journal as Regulation (EU) 2024/2847. This marks the final, formal step in a legislative process that will fundamentally reshape the market for connected devices.

The UK's Ministry of Defence (MOD) recently published a thought-provoking document via its Defence Science and Technology Laboratory (Dstl) that every product security leader should read: the Secure by Design Problem Book.

Welcome to the SecureByDesignHandbook.com project!