30/09/2025 Blog - #compliance #cybersecurity #machinery #regulations

Preparing for a New Era of Compliance

The embedded software community is at a turning point. For years, functional safety standards such as IEC 61508, ISO 26262, and DO-178C have required disciplined coding practices, static analysis, and traceability. These standards made software verification not just an engineering best practice, but a contractual and regulatory necessity.

Now, cybersecurity regulation is catching up. Two initiatives in particular will have broad consequences:

- The EU Cyber Resilience Act (CRA) requires manufacturers of “products with digital elements” to ensure cybersecurity throughout the entire lifecycle. This means secure development, vulnerability management, patching, and above all, evidence of compliance. Failure to comply can lead to product recalls, heavy fines, and reputational damage.
- The U.S. Cyber Trust Mark aims to give IoT products a recognizable security label. To qualify, devices must follow secure coding and lifecycle practices. Even if voluntary at first, the label will likely become a de facto requirement, as consumers and integrators favor products that can demonstrate security by design.

What This Means in Practice

First, compliance is no longer negotiable. Just as safety standards made MISRA C/C++ and static analysis part of everyday development in automotive and aerospace, cybersecurity regulations will make secure coding practices mandatory across all sectors, including consumer devices.

Also, quality must be demonstrated, not assumed. It is not enough to say your software is “secure” or “tested.” You must show evidence: coding standard compliance reports, traceability of requirements, qualification of tools and libraries, documented deviation justifications, and systematic vulnerability management.

For embedded software teams, these regulations translate into very concrete requirements.
The good news is that the practices required are the very same ones that improve productivity, reduce defects, and lower long-term costs. The challenge is building them into development processes early, consistently, and cost-effectively. Let’s look at a few examples:

Static analysis for secure development and due diligence

The CRA requires manufacturers to minimize vulnerabilities from the start. Static analysis tools, when integrated into CI pipelines, can automatically enforce secure coding standards (e.g., MISRA C, MISRA C++) and detect dangerous constructs such as buffer overflows, use of uninitialized variables, or recursion in safety- and/or security-critical contexts. Reports generated by these tools can be included directly as compliance evidence for audits.

Traceability for vulnerability management

Both the CRA and functional safety standards demand traceability. For example, every requirement — “the device shall use encrypted communication” — must be linked to the design elements, source code, and tests that fulfill it. Tools like StrictDoc, combined with analyzers that parse requirement IDs in source code, can produce coverage reports that auditors will expect to see.

Toolchain qualification

Under the CRA, you must prove that the entire toolchain does not introduce vulnerabilities. This echoes safety standards, which already require the qualification of verification tools, compilers and libraries. Qualification reports, supported by automated test suites, provide the necessary confidence that tools behave predictably and securely.

Managing legacy code

Many companies rely on large codebases developed long before today’s cybersecurity obligations. The CRA doesn’t exempt legacy software: vulnerabilities must be addressed, and compliance must be demonstrated. Here, static analysis helps by highlighting non-compliant constructs and supporting systematic deviation reports, so teams can prioritize fixes without rewriting entire systems.
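
The requirement-to-code linkage described under “Traceability for vulnerability management” above, as an added example that is not BUGSENG's or StrictDoc's code: it scans source comments for requirement IDs and reports requirements with no linked code or tests, plus tags that name unknown requirements. The `REQ:` comment convention, the requirement IDs, and the file contents are assumptions constructed for illustration.

```python
import re

# Hypothetical tagging convention (an assumption, not StrictDoc's syntax):
# a comment "REQ: <ID>[, <ID>...]" links that file line to requirements.
TAG = re.compile(r"(?://|/\*|#)\s*REQ:\s*([A-Z]+-\d+(?:\s*,\s*[A-Z]+-\d+)*)")

# Constructed requirement set; SEC-001 is the requirement quoted in the text.
REQUIREMENTS = {
    "SEC-001": "The device shall use encrypted communication",
    "SEC-002": "The device shall verify firmware signatures before boot",
    "SEC-003": "The device shall lock out after repeated failed logins",
}
# Constructed file contents keyed by path (a real run would read the tree).
FILES = {
    "src/net/tls_link.c": "/* REQ: SEC-001 */\nint link_open(void);\n",
    "src/boot/verify.c": "// REQ: SEC-002\nint verify_image(const char *img);\n",
    "tests/test_tls_link.c": "/* REQ: SEC-001 */\nvoid test_link_uses_tls(void) {}\n",
    "src/ui/login.c": "// REQ: SEC-009\nint login(void);\n",
}

def collect_links(files):
    """Return (requirement_id, path, line_number) for every tag found."""
    links = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            m = TAG.search(line)
            if m:
                links.extend((r.strip(), path, no) for r in m.group(1).split(","))
    return links

def trace_report(requirements, files):
    """Map each requirement to code and test locations; list gaps and stray tags."""
    report = {rid: {"code": [], "tests": []} for rid in requirements}
    dangling = []  # tags naming an ID that is not in the requirement set
    for rid, path, no in collect_links(files):
        if rid not in report:
            dangling.append((rid, path, no))
            continue
        kind = "tests" if path.startswith("tests/") else "code"
        report[rid][kind].append(f"{path}:{no}")
    gaps = {}
    for rid, found in report.items():
        missing = [k for k in ("code", "tests") if not found[k]]
        if missing:
            gaps[rid] = missing
    return report, gaps, dangling

if __name__ == "__main__":
    _, gaps, dangling = trace_report(REQUIREMENTS, FILES)
    print("gaps:", gaps)
    print("dangling tags:", dangling)
```

A CI job can fail the build when `gaps` or `dangling` is non-empty, so the trace report stays current with the code it describes.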
Maintenance of verification tools

Under the CRA, due diligence extends to every digital element in the development chain. Static analyzers, compilers, and other verification tools must be maintained so that vulnerabilities can be identified and patched. Letting maintenance lapse, and therefore missing security updates, would break the obligation to handle vulnerabilities “effectively and in a timely manner.” Maintenance is therefore no longer optional; it is part of compliance.

Training as a compliance measure

The CRA explicitly points to secure development practices. A well-trained team is part of compliance. Documented training programs and evidence that engineers are educated in secure coding practices can make the difference in passing an audit.

Organizations that start preparing today — by adopting static analysis in CI/CD, enforcing MISRA or equivalent coding standards, managing requirements traceability, and qualifying their toolchains — will be ready to meet these obligations smoothly. Those who wait until regulations are enforced may face massive rework, spiraling costs, and delays in getting their products to market.

Still at level 0 with CI? Our team can set it up for your projects as part of the ECLAIR Guided Pilot service. Take a look at Xen CI/CD pipeline with ECLAIR to get a sense of what static analysis in CI looks like. You can click on “Browse current reports” to navigate results.

Machinery Regulation 2027: Another Piece of the Puzzle

Beyond cybersecurity laws, embedded developers should also prepare for the new EU Machinery Regulation (2023/1230), which will apply from January 2027. Unlike a Directive, this Regulation will be binding across all EU Member States without national transposition. The Regulation explicitly covers software, digital components, and AI-driven functionality, and it requires manufacturers to conduct safety and cybersecurity risk assessments as part of conformity.
For certain high-risk categories (see Annex I list of high-risk machinery products), assessment by a notified body will be mandatory. This means that qualification of compilers, libraries, static analyzers, and other verification tools is no longer optional; it becomes an essential element of demonstrating compliance.

Once again, the message is clear: organizations must integrate quality, verification, and security practices into their development workflows from the very beginning.

A New Webinar Series: Software Verification Done Right

To help software professionals navigate this landscape, BUGSENG is launching a new webinar series inspired by our recent publication Software Verification Done Right: Introduction to Static Analysis. The series will unfold across several sessions, each dedicated to a key aspect of software verification: from coding standards and metrics, to requirements traceability, to the qualification of tools, compilers and libraries. The series will combine expert insights with practical guidance, and bring in guest speakers from across the industry to share their experiences and insights.

The Opening Webinar — October 24, 2025

The series begins with an introductory session on October 24, 5:00 PM CEST. In this first session, we will:

- Look at why code quality is no longer optional — with examples of real-world failures that underline its importance.
- Explore the role of static analysis as a foundation for reliability, safety, and cybersecurity.
- Introduce the broader themes of the series: MISRA standards, coding style and metrics, requirements management, architectural constraints, qualification of tools, compilers, libraries, and legacy software, the role of training, and more.

Think of this as a guided tour: a first map of the territory, before we zoom into each topic in depth in the following weeks.
Take-homes from the Series

By following the whole series, participants will come away with:

- A roadmap for compliance: practical strategies for aligning coding, verification, and documentation practices with both safety and cybersecurity obligations.
- Confidence in applying standards: how MISRA C/C++, coding style guides, and quality metrics can be systematically enforced using static analysis.
- Methods to tame complexity: from managing requirements traceability to enforcing architectural constraints and measuring software quality.
- Qualification and integration of development tools: insight into the qualification of tools, compilers, and libraries, as well as approaches for bringing legacy code into compliance.
- Awareness of the human factor: how organizational culture, training, and knowledge transfer support long-term quality.

Code quality is not just about avoiding defects: it is about building software that is trustworthy, sustainable, and future-proof. This series is our contribution to making that vision a reality, and we look forward to sharing it with our community.