How to Use This Handbook
The Secure-by-Design Handbook is a practical, actionable guide for anyone involved in building and maintaining connected devices. It translates complex regulatory requirements from laws like the Cyber-Resilience Act (CRA) into concrete engineering tasks.
This page helps you find the content most relevant to your role and your immediate questions.
1. Structure of the Handbook
The handbook is organized into four main sections:
- Quick Start: For when you need the essentials, fast. Start here if you're new to the topic or need a high-level overview.
- Standards & Regulations: Deep dives into legal texts such as the CRA, RED, and NIS 2. Read these for authoritative context on your legal obligations.
- Implementation Guides: Step-by-step technical playbooks for implementing specific security controls like secure boot, OTA updates, and CI/CD hardening.
- Resources: Downloadable artefacts like checklists and policy templates to use in your projects.
2. Paths by Role
Find your role below for a recommended reading path.
2.1 For the Product Manager or Team Lead
Your goal: Understand what we need to do, why, and how to plan the work.
- Start Here: Read the CRA 5-Minute Primer to grasp the business impact and key deadlines.
- Plan the Work: Use the First-Sprint Checklist to create an initial project plan and prioritize foundational tasks.
- Understand the Landscape: Skim the overviews in the Standards & Regulations section to understand the legal context your teams are working in.
2.2 For the Firmware or Embedded Engineer
Your goal: Understand what I need to build on the device.
- Understand Requirements: Read the CRA Overview, focusing on the Secure-by-Design Engineering Benchmarks. This is your list of technical requirements.
- Implement Core Features: Dive into the Build Phase implementation guides:
- Check Radio Requirements: If your product has Wi-Fi, Bluetooth, or any other radio, read the Radio Equipment Directive (RED) Overview.
2.3 For the DevOps or Security Engineer (SecOps)
Your goal: Understand how to automate security, manage vulnerabilities, and harden our infrastructure.
- Automate Security: Start with the CI/CD Pipeline Hardening guide to integrate security checks directly into your development workflow.
- Manage Supply Chain Risk: Read the SBOM & VEX Workflows guide to learn how to automate vulnerability detection in your third-party dependencies.
- Handle Vulnerabilities: Review the guides for Vulnerability Disclosure and establishing a Patch Cadence.
2.4 For the Compliance Lead or Auditor
Your goal: Understand the legal requirements in detail and find evidence of compliance.
- Know the Law: Read all the overviews in the Standards & Regulations section. These are your primary source of truth for the legal obligations.
- Assess Gaps: Use the Resources section for gap analysis and audit preparation materials.
- Verify Controls: Review the checklists at the end of each Implementation Guide to verify that the required technical controls have been implemented by the engineering teams.
3. How to Contribute
This handbook is a living document and a community effort. If you see something missing, find an error, or have a suggestion, please see our Contributing Guide or open an issue on our GitHub repository.