On Monday, March 2, 2026, wolfSSL Inc. announced the transition of its entire embedded security and cryptographic portfolio to full compliance with the European Union’s Cyber Resilience Act (CRA).

The move establishes a verified pathway for manufacturers of connected and embedded devices to meet mandatory cybersecurity obligations for products sold within the EU market, covering the complete lifecycle from secure design to post-market maintenance.

Cryptographic Foundations and Firmware Integrity

To address the CRA’s technical requirements for data protection and firmware resilience, wolfSSL has integrated several high-assurance components into its compliance framework. The company’s core library supports TLS 1.3 and DTLS 1.3 for authenticated encryption in resource-constrained environments, alongside a FIPS 140-3 validated cryptographic module (Certificate #5041) for regulated sectors.

Furthermore, the wolfBoot secure bootloader has been updated to provide deterministic verification paths for firmware integrity. This includes cryptographic verification at the boot stage and authenticated over-the-air (OTA) delivery systems. To protect against the reintroduction of known vulnerabilities—a specific CRA concern—wolfBoot now includes optional hardware-backed rollback protection mechanisms.

Vulnerability Management and Supply Chain Transparency

Central to the CRA’s 2026 enforcement phase is the requirement for active vulnerability management and the maintenance of a Software Bill of Materials (SBOM). wolfSSL’s compliance strategy includes structured vulnerability intake and coordinated disclosure processes, directly aligned with the EU’s Single Reporting Platform (SRP). The company provides detailed component traceability and documentation compatible with existing standards, including IEC 62443 and DO-178C, to assist manufacturers in generating mandatory SBOMs and conducting conformity assessments.

Timeline for 2026 Reporting Obligations

While the full application of the CRA is scheduled for Dec. 11, 2027, manufacturers must prepare for the initial reporting mandates taking effect on Sept. 11, 2026. From that date, companies are required to notify the European Union Agency for Cybersecurity (ENISA) of any actively exploited vulnerabilities within 24 hours of discovery. wolfSSL has confirmed that its long-term maintenance options and CVE remediation support are already operational to help clients meet these aggressive statutory deadlines.


