Security by Design, Certification Readiness, and Long-Term Resilience

The Cyber Resilience Act (CRA) represents a fundamental shift in how cybersecurity is regulated across the European Union. For manufacturers of digital products— specifically in railway, space, agriculture, industrial IOT and consumer connected devices —the CRA introduces binding requirements for security by design, vulnerability handling, transparency, and lifecycle support.

While other sectors such as automotive, avionics, defense and medical already operate under strict security and safety standards, the CRA now establishes a horizontal baseline that raises expectations across many embedded markets. CRA therefore does not apply to those.

Against this backdrop, SYSGO’s PikeOS, a separation-kernel real-time operating system (RTOS) and hypervisor, provides a robust and proven foundation to help customers build CRA-ready products. PikeOS is a security-focused toolbox to support CRA-compliant product development to support manufacturers in meeting CRA obligations efficiently and sustainably.

The Cyber Resilience Act: Security across the entire Product Lifecycle

The CRA mandates that cybersecurity is no longer an afterthought: It is an integral part of a product’s entire lifecycle—from architecture and development to deployment, maintenance, and end-of-life. 

Core CRA principles include:

• Security by design and by default
• Risk-based security measures
• Vulnerability management and disclosure
• Secure updates over the product lifetime
• Transparency in third-party components

Meeting these requirements demands more than isolated security features—it requires a system architecture and development process designed for assurance.

PikeOS: Security by Design at the architectural Level

PikeOS was designed and is developed with security in mind throughout its entire software development lifecycle. At its core lies a separation-kernel architecture, which enforces strong spatial and temporal isolation between software components.

Reduced Attack Surface through strong domain Separation and Isolation

Critical functions can be strictly separated from non-critical ones—for example, control logic isolated from connectivity or user-facing components. This architectural separation directly supports CRA’s security-by-design mandate by:

• Minimizing the impact of vulnerabilities
• Preventing fault propagation between partitions
• Enabling independent security analysis of components

The PikeOS product itself consists of a minimal software kernel and system software, deliberately keeping the code base small to reduce complexity and attack surface—an essential aspect of reliable and high-assurance systems.

A strong Assurance Baseline: Common Criteria EAL 5+

PikeOS is Common Criteria (CC) certified to EAL 5+, representing a high level of assurance based on:

• Formal verification of critical kernel components
• Independent penetration testing
• Comprehensive design and implementation documentation

This certification also provides an excellent starting point for future re-certification under the upcoming EUCC (European Cybersecurity Certification Scheme), which will replace the current CC framework. PikeOS’s existing EAL 5+ maturity is already a unique foundation for the transition.

We are also compatible with Industrial ISO 62443, Automotive ISO 21434, Avionic DO356-A standards.

Alignment with established Safety and Security Standards

PikeOS is already widely used in systems certified to major safety standards, including DO-178C (avionics), ISO 26262 (automotive), or IEC 61508 (industrial automation). These standards emphasize disciplined development processes, rigorous testing, traceability, and risk mitigation—principles that strongly overlap with CRA requirements. This makes PikeOS particularly attractive for industries where safety and security must coexist.

Secure Boot, Runtime Integrity, and controlled Updates

PikeOS supports:

• Secure boot mechanisms using cryptographic verification
• Runtime integrity protection to prevent unauthorized modifications

To support long-term system maintenance—a key CRA requirement—SYSGO can provide:

• Functional updates and security patches over the product lifetime
• Separation of functional changes and security fixes, delivered via independent update channels
• Security Updates per partition
• Detailed security change logs and patch descriptions accompanying each delivery

This clear separation helps customers maintain system stability while reacting quickly to emerging threats.

Vulnerability Handling and Product Security Organization

Security does not end at delivery. SYSGO has established comprehensive vulnerability handling and security processes, certified under ISO 27001 (Information Security Management).

To further streamline customer interaction, SYSGO operates a dedicated Product Security Incident Response Team (PSIRT) framework.

This ensures efficient handling of security reports, coordinated responses, and transparent communication—key elements of CRA compliance.

Additionally, PikeOS can be delivered with a periodic security bulletin, keeping customers informed about relevant security topics throughout the system’s lifetime.

Transparency and Supply-Chain Control

The CRA places strong emphasis on transparency in the use of third-party components. PikeOS’s modular architecture allows:

• Controlled integration of middleware and third-party software
• Clear traceability of system components
• Targeted security risk analysis for each delivered product
• Software Bill of Material (sBOM) that helps customers localize the source of a vulnerability

SYSGO conducts security risk analyses on every product release, supporting customers in fulfilling their CRA risk management obligations.

The Toolbox for CRA-ready Products

PikeOS is offered as an off-the-shelf product, including the RTOS and hypervisor, complemented by tailor-made customer services such as:

• Board Support Packages (BSPs)
• System configuration and hardening
• Security consulting and architecture reviews
• Security certification kits
• In depth security bulletins

This flexibility is essential, as CRA compliance always depends on the specific end product and its intended use. PikeOS enables customers to build solutions adapted to their market needs and regulatory environment.

Looking ahead, SYSGO’s business model will continue to evolve towards even stronger alignment with specific market demands.

Integrated Security Platforms: Beyond the RTOS

Security platforms combining PikeOS and our ELinOS Embedded Linux are already available, such as:

• SACoP (Secure Automotive Communication Platform)
• SYSGO’s Edge Computing Platform

These solutions demonstrate how PikeOS can be embedded into broader system architectures supporting connectivity, update mechanisms, and long-term security maintenance.

PikeOS for MPU: Consistent Security Measures across Architectures

PikeOS is available for both MMU-based and MPU-based hardware platforms. PikeOS for MPU maintains the same security standards as its MMU counterpart by sharing 80% of its codebase. This ensures that even resource-constrained hardware benefits from high-level, "CRA-ready" security.

The key shared benefits are the identical "security-by-design" principles and minimal kernel architecture, shared vulnerability handling, patching, and long-term support and the proven development practices applied across all hardware architectures.

By leveraging a common foundation, PikeOS for MPU allows for robust security on smaller devices without the typical overhead of a full Memory Management Unit.

European Sovereignty and Future-Proof Embedded Systems

Developed in Europe, PikeOS supports the EU’s goals of digital sovereignty and supply-chain resilience, reducing dependency on external vendors while maintaining high assurance levels.

Its strong isolation mechanisms also help future-proof systems against emerging threats, including:

• Secure integration of AI/ML workloads, isolated from safety-critical control logic
• Support for open standards such as POSIX, enabling interoperability
• No export restriction (ITAR free)

Conclusion: A practical Path toward CRA Readiness

The Cyber Resilience Act marks a decisive move toward embedding cybersecurity into every stage of product development. With its security-by-design architecture, Common Criteria EAL 5+ certification, mature vulnerability handling, and long-term support model, PikeOS provides a solid foundation for building CRA-ready embedded systems.

By leveraging PikeOS as a security-focused toolbox, customers can reduce risk, accelerate certification efforts, and position their products for long-term compliance—while remaining flexible in a rapidly evolving regulatory landscape.

We help you bridge towards being CRA-compliant. For further details, please reach out to SYSGO’s sales team or security experts for tailored guidance on making your embedded systems future-proof.