Don't Sleep on the Kernel: Why Linux Kernel Choice is Critical for CRA Compliance

The Cyber Resilience Act (CRA) is poised to significantly impact how companies develop and sell products within the European Union. While security best practices across all aspects of development are crucial, the choice of Linux kernel plays a surprisingly critical role in achieving and maintaining compliance.

Here’s why:

  1. Unsupported Kernels are Off Limits: CRA certification is impossible for products utilizing kernels no longer receiving official support. This means relying on outdated kernels automatically disqualifies your product from compliance.
  2. Nearing EOL? Tread Carefully: Even for kernels whose support is nearing its end of life (EOL), the path to certification is significantly narrower. These kernels may only be acceptable for products with a limited lifespan – and even then, clear product labeling highlighting this short life cycle becomes mandatory.
  3. Long-Supported Kernels are the Way to Go: For long-term products, selecting a kernel version with extended support is the optimal solution. This not only ensures immediate compliance but also facilitates future upgrades as needed, ultimately extending your product’s lifespan while maintaining compliance.
  4. Outdated Kernels? Lose Your Certification: If your product relies on an outdated kernel that loses its support, your CRA certification automatically expires. This not only presents legal risks but also undermines customer trust and can potentially disrupt your business operations.
  5. SBOM: More Than Just a List: The points above also highlight the immense importance of accurate and up-to-date information within your Software Bill of Materials (SBOM). An accurate SBOM not only lists the kernel version but also clearly states its support status, allowing regulators and customers to easily assess your product’s compliance and potential risks.

By recognizing the critical role of the selected Linux kernel in achieving and maintaining CRA compliance, companies can make informed decisions during the development process. Choosing a long-supported kernel and ensuring regular updates is not just a technical consideration, but also a strategic decision to ensure your product’s continued success within the European market. 

Let’s not underestimate the power of the kernel!