
Thursday Feb 12, 2026
Free as in Freedom: How OEMs Can Navigate EU Cybersecurity Rules Whilst Using Open Source - We Talk IoT #79
The EU Cybersecurity Resilience Act is keeping OEMs awake at night. How do you use free and open-source software whilst complying with new obligations around vulnerability management, supply chain transparency, and continuous support?
In this episode, Pierre Gal (Head of Product) from Witekio and Michael Röder (Senior Manager, Software and Services EMEA) from Avnet Silica tackle the urgent questions facing manufacturers: Who counts as a manufacturer under the CRA? What documentation must you maintain? And how do you manage vulnerabilities in components you didn't create?
Pierre explains how Witekio's Embedded Kit provides off-the-shelf solutions based on open-source software like Yocto Linux, helping customers navigate composition, integration, and compliance. Michael shares what he's hearing from customers struggling to interpret regulatory requirements and implement risk-based approaches.
From SBOM (Software Bill of Materials) to supply chain attacks, from secure by default to continuous vulnerability management, we explore the practical realities of making compliance work. The conversation cuts through the confusion to deliver actionable advice: understand your responsibilities, think in terms of composition, and don't wait for a magic bullet.
Tune in to learn how to leverage the power of open-source software whilst meeting your CRA obligations – because "free as in freedom" doesn't mean free from responsibility.
#CRA #cybersecurity #opensource #FOSS #compliance #IoT #wetalkiot
Summary of this week's episode:
04:14 Key Dates and Obligations of the CRA
05:27 Challenges Faced by Manufacturers
10:10 The Role of Open Source in CRA Compliance
19:58 The Concept of Software Bill of Materials (SBOM)
22:14 Real-World Example: Casino Attack Case Study
23:28 Documentation and Configuration Issues
24:04 Cybersecurity Layers and CRA Methodology
24:25 Secure by Default and Advanced Concepts
26:50 Implementation and Standard Processes
29:45 Quality, Testing, and Automation
31:53 Vulnerability Management Methodology
37:18 Critical Mistakes to Avoid with CRA
39:36 Supply Chain Attacks
Show notes:
Pierre Gal (Witekio): https://www.linkedin.com/in/pierre-gal/
Michael Röder (Avnet Silica): https://www.linkedin.com/in/roednix/
Securing the Future: Understanding the Cyber Resilience Act - We talk IoT #55: https://www.podbean.eu/ew/pb-8kkkd-d4ddfc
EU Cybersecurity Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
National Vulnerability Database (NVD): https://nvd.nist.gov/
OWASP Top 10: https://owasp.org/www-project-top-ten/
Listen to the "We Talk IoT" Soundtrack on:
Spotify: https://open.spotify.com/playlist/05MOV4OV2MH2in2txsAGtG?si=ad08112cb8d443f4
YouTube: https://www.youtube.com/watch?v=D-NvQ6VJYtE&list=PLLqgVFfZhDRVYmpEqbgajzDvGL4kACRDp
About Avnet Silica:
This podcast is brought to you by Avnet Silica—the Engineers of Evolution.
Subscribe to our newsletters here: https://my.avnet.com/silica/resources/newsletter/
You can connect with us on LinkedIn: https://www.linkedin.com/company/silica-an-avnet-company/. Or find us at www.avnet-silica.com.