Blog

Preparing for the Cyber Resilience Act

Practical guides to the EU Cyber Resilience Act for connected-product teams. How to prepare, the deadlines that matter, and what to expect, from the people building the tooling.

Compliance · Jun 30, 2026 · 3 min read
CRA conformity assessment, self-assessment or notified body
How CRA conformity assessment works. The three product classes, when you can self-assess, when you need a notified body, and what the assessment actually checks before your product reaches the EU market.

Compliance · Jun 30, 2026 · 3 min read
The EU CRA timeline, what to expect and when
The EU Cyber Resilience Act timeline in plain terms. The two dates that decide your roadmap, what changes on each, and what to expect in the months between now and the deadlines.

Compliance · Jun 30, 2026 · 4 min read
How to prepare for the EU Cyber Resilience Act
A practical readiness checklist for the EU Cyber Resilience Act. The two deadlines that matter, the artifacts an auditor will ask for, and the work to start now if you sell connected products in the EU.

Compliance · May 14, 2026 · 7 min read
Generating an SBOM from your ESP-IDF build, and what esp-idf-sbom does not tell you
Espressif ships an official SBOM tool for ESP-IDF. It works. It also has gaps that matter the moment you have more than one device. A walkthrough plus the layer that goes on top.

Compliance · May 12, 2026 · 7 min read
What the EU CRA actually requires from your ESP32 product, and the ship list before September 2026
Two dates, twelve months, and a concrete list of artifacts every connected-product team needs to produce on demand. With ESP-IDF specifics, a worked patch-rollout example, and the auditor checklist you will eventually be asked for.

Architecture · May 11, 2026 · 8 min read
From CVE alert to deployed patch, the missing pipeline between OSV.dev and your gateway fleet
You have an OTA pipe. You do not have CVE management. Five steps connect a feed entry to a deployed remediation, and most teams skip three of them. A walkthrough plus the data shapes that make the join cheap.

Compliance · May 10, 2026 · 6 min read
CycloneDX or SPDX for embedded firmware, a decision matrix for ESP-IDF, Yocto, and custom Rust gateways
Most embedded teams end up generating SBOMs in both formats. The question is which one to emit at build time and how to normalize for everything downstream. With per-stack recommendations and a normalization-layer sketch.