Insights & Resources
Expert guidance on cybersecurity compliance, IoT security best practices, and CRA regulations

IoT Threat Modeling: A Step-by-Step Guide for Hardware Manufacturers
Learn how to build a threat model for your IoT device using STRIDE. A practical step-by-step guide for hardware manufacturers preparing for EU CRA compliance.

CRA Article 14: Vulnerability Reporting Obligations Starting September 2026 — What Manufacturers Must Prepare Now
CRA Article 14 mandatory vulnerability reporting starts September 11, 2026. What IoT and hardware manufacturers must have in place technically and operationally before the deadline.

Secure OTA Updates for IoT Devices: What Can Go Wrong and How to Build It Right
Unsigned OTA updates are one of the most common IoT security failures. Here is what a correct secure firmware update architecture looks like - and what CRA requires from it.

SBOM for IoT Manufacturers: What CRA Requires and How to Create One
CRA requires an SBOM for every connected product. Here is what it must contain, which format to use, how to generate it for embedded firmware, and how to keep it current post-release.

June 11, 2026: The EU Just Made CRA Enforcement Real - Here Is What Changes for Manufacturers
On June 11, 2026, the EU activated its CRA conformity assessment infrastructure. What this milestone means for IoT and hardware manufacturers - and why the window to prepare is closing.

What is Secure Boot - and Why Every IoT Device Needs It
Secure boot verifies that your device runs only firmware you signed. Here is how it works, why CRA treats it as a baseline requirement, and what a correct implementation looks like on Nordic nRF and STM32.

How to Classify Your Product Under CRA: Default, Important Class I, or Class II
Your CRA product category determines your entire compliance path. Here is how to correctly classify your IoT or hardware device under the Cyber Resilience Act - and why getting it wrong costs time and money.

September 11, 2026: The First CRA Deadline Most Manufacturers Are Not Ready For
September 11, 2026 is the first binding CRA deadline - and it applies to products already on the EU market. Here is what the 24-hour reporting obligation requires and how to prepare.

EU Cyber Resilience Act: A Complete Guide for IoT and Hardware Manufacturers (2026)
The EU Cyber Resilience Act requires IoT and hardware manufacturers to comply by December 2027. Deadlines, requirements, SBOM, penalties up to €15M - complete guide by Platanor.