Skip to main content

Implementation Guides

Use the implementation guides when you need to turn secure-by-design decisions into product controls, release workflows, and post-market operating processes.

The guides are organised around two parts of the product lifecycle:

  • Build Phase: Engineering controls designed into the product, firmware, software, update path, identity model, configuration, and release artifacts.
  • Operate Phase: Processes used after release, including vulnerability intake, patch cadence, logging, monitoring, CI/CD hardening, and support-period evidence.

Choose By Task

If you need to...Start withThen use
Identify product security risksThreat ModelingTypes of Embedded Device, CRA Readiness Gap Analysis
Protect firmware integritySecure BootKey Provisioning & Storage, ETSI EN 304 623
Design device identity and credentialsUnique Device IdentityKey Provisioning & Storage, Cryptography under the CRA
Deliver security fixesSecure OTA UpdatesPatch Cadence & Rollback Strategy, Vulnerability Disclosure
Manage component and vulnerability evidenceSBOM & VEX WorkflowsSecure-by-Design Evidence Pack
Handle vulnerability reportsVulnerability DisclosurePatch Cadence & Rollback Strategy, Security Logging & Monitoring
Retain implementation evidenceSecure-by-Design Evidence PackCRA Readiness Gap Analysis

How To Use These Guides

Start with the product risk and architecture, then choose controls. Most teams should move in this order:

  1. Model the product boundary and threats.
  2. Decide which device, identity, key, boot, update, configuration, and data controls are needed.
  3. Connect those controls to release workflows such as SBOM/VEX, signing, testing, and approval.
  4. Define post-market workflows for vulnerability disclosure, patch cadence, logging, monitoring, and evidence refresh.

For a broader route through the site, use How to Use This Handbook.