Skip to main content
πŸŽ“ Claude Code Masterclass Learn AI-assisted development on Udemy β€” plus the companion book on Leanpub & Amazon. Start Learning
CRA Requirements for Operating Systems and Boot Managers (EN 304 623, 626)
DevOps

CRA for Operating Systems and Boot Managers

Operating systems and boot managers are Important Products Class I. Security requirements for OS vendors, Linux distributions, and firmware developers.

LB
Luca Berton
Β· 1 min read

OS and Boot Managers Under the CRA (EN 304 623, 626)

Operating systems and boot managers are classified as Important Products Class I. Given their foundational role in every computing device, the CRA imposes specific security requirements.

Operating Systems (EN 304 626)

Key Requirements

  • Secure defaults β€” firewall enabled, unnecessary services disabled
  • Mandatory access control β€” SELinux/AppArmor enabled by default
  • Encrypted storage β€” full disk encryption support out of the box
  • Automatic security updates β€” enabled by default
  • User separation β€” proper privilege isolation
  • Audit logging β€” security-relevant events logged by default

Impact on Linux Distributions

  • Red Hat, SUSE, Canonical, and other commercial distributors are manufacturers
  • Community distributions (Fedora, Debian) are generally exempt as non-commercial
  • Enterprise Linux customers should verify vendor CRA compliance

Impact on Embedded OS

  • RTOS vendors must comply
  • Custom Linux-based firmware is covered if commercially distributed
  • Android OEMs are manufacturers for their modified Android distributions

Boot Managers (EN 304 623)

Key Requirements

  • Secure Boot β€” verify firmware and bootloader integrity
  • Measured Boot β€” create attestation of boot chain
  • Rollback Protection β€” prevent downgrade to vulnerable versions
  • Signed Updates β€” cryptographic verification of boot component updates
  • Recovery β€” secure recovery mechanism for failed updates

Affected Products

  • GRUB, systemd-boot (when bundled commercially)
  • UEFI firmware
  • U-Boot (embedded systems)
  • Proprietary bootloaders

Key Takeaway

If you ship an operating system or bootloader as part of a commercial product, CRA applies. Start with secure defaults, implement SBOM generation, and plan for 5+ years of security updates.


Building OS or firmware products for the EU market? I help organizations prepare for CRA compliance. Get in touch.

Free 30-min AI & Cloud consultation

Book Now