
 # Security Highlight: Cyber Resilience Act Requirements for Boot Managers

 

##### By Marc Witteman - Senior Director, Keysight Device Security Testing

 

 

 Apr 17, 2026 10:30 AM ET


In 2024, the EU Cyber Resilience Act (CRA) became law, reshaping security expectations for digital products sold in the EU. By 2027, the regulation will be fully enforced, and new digital products will need to demonstrate compliance. The CRA introduces security-by-design and security-by-default requirements, raising the baseline for products that previously shipped with little or no protection.

To help manufacturers apply the CRA consistently, EU standards bodies are developing Harmonized Standards. Cybersecurity knowledge and resources are unevenly distributed across industry, and not every organization has the same in-house expertise to translate legislation into a robust test plan. Without a shared framework, vendors could interpret requirements differently, leading to inconsistent assessments, gaps in protection, and added risk for both manufacturers and the European marketplace. Harmonized Standards capture industry security expertise as risk-driven requirements. This approach offers a more straightforward path to compliance by defining process requirements in horizontal standards and specifying requirements for each device class in vertical standards.

The CRA aims to safeguard consumers and businesses by protecting not only personal data, such as credentials, but essentially any data that has value to its user. That can include, for example, operational data, configuration settings, usage information, or proprietary data processed by the device. Even if a product may not appear to handle “sensitive” data, this information can still reveal behavior, enable profiling, or be used to pivot into other systems. If a device is to be trusted to protect any data it handles, it is important that its functionality cannot be changed by adversaries. If an adversary can modify firmware, change configurations, or replace code with malicious code, they can bypass protections, alter outputs, or use the product as a foothold into a larger system. And even if the data itself isn’t valuable, users will still care that the device cannot be manipulated, because altered functionality can create safety or reliability risks.

Boot Managers appear as a line item in the CRA because of their vital role in the chain of trust. This function ensures a device only executes approved code and cannot be hijacked for malicious purposes. The Boot Manager sits in the SoC (System-on-Chip), the heart of any digital product, and consists of hardware and low-level software (firmware). The hardware consists of cryptographic functions, sensors, OTP registers, and memory. The firmware provides protected data flow, checkpoints, and error handling.

The new [ETSI EN 304 623](https://labs.etsi.org/rep/stan4cra/en-304-623) draft standard elaborates the high-level CRA requirements for Boot Managers, such as the use of cryptography to protect data, and a standard configuration enabling these security features. The standard includes a total of 92 detailed requirements that Boot Managers need to satisfy to be considered secure. These are derived from a threat and risk assessment (TARA), which is also included in the standard to provide evidence that threats have been modelled.

For a Boot Manager to be CRA compliant, it is important that its features are not only designed well but also implemented well. The standard therefore includes a section on conformity assessment, describing what a test lab should do to verify correctness.

The release of this new draft standard underlines that the CRA is not only about software, but also about hardware and firmware. As a result, many more chips will need to include a Boot Manager / Root of Trust, and developers will be expected to demonstrate that these security functions are implemented correctly and can withstand realistic threat scenarios.

Keysight supports its customers throughout every stage of CRA product security evaluation. From interpreting CRA requirements and emerging harmonized standards, to security evaluation and test execution, and ultimately evidence generation for conformity assessment, we work with your team to manage the complete security lifecycle of your product. Learn more about Keysight CRA services on [this page](https://www.keysight.com/us/en/products/services/device-vulnerability-analysis-services/security-certifications/eu-cyber-resilience-act-security-evaluation.html).

*Want more stories like this? Subscribe to the* [*Keysight Device Security Bulletin*](https://riscure.ac-page.com/device-security-newsletter) *for monthly highlights on device security trends and practical insights — brought to you by the Keysight device security team.*



 

 

 

 

 

 

 
