Who will win the race to CRA compliance?
- March 16, 2026
- Steve Rogerson
- Digi
- Finite State
- Somos

Steve Rogerson compares the upcoming Cyber Resilience Act (CRA) with the problems Formula One racing teams are having with their new regulations.
It was rather fitting that this year’s Embedded World was sandwiched between the first two Formula One grands prix of the season. As the top racing teams grappled with a host of new regulations, so too the technical experts in our community scratched their heads as they came to terms with the rules that Europe’s Cyber Resilience Act (CRA) will bring.
From this September – yes, it is that close – mandatory reporting of exploited vulnerabilities and incidents begins, ahead of full compliance towards the end of next year. And while the F1 races in Australia and China saw top teams such as Red Bull and McLaren fare badly as they tried to find the key to unlocking performance in a new era, so too the embedded engineers in Nuremberg searched for answers among the stands.
“We are seeing misinterpretation and procrastination,” Digi’s Bob Blumenscheid told me on the final day of the show. “We are three minutes to midnight. They have to start doing something.”
Michael Riegert, COO at German embedded computer firm Kontron, agreed. “We want to be CRA ready,” he said. “The time is ticking; it is getting closer.”
And the thing is, this does not just apply to Europe. Bob said there were companies in North America who still hadn’t heard of the CRA, yet they themselves or their customers were shipping products to Europe.
“There is a lot of turmoil,” he said.
On the good side, it means many companies are now having to treat security in ways the experts in the industry have been advising them to do for years.
“This is driving a security conversation we have been trying to have,” said Bob. “It is the biggest challenge in our industry.” And he warned that it could see some companies going out of business.
Seriously? Well, yes, think about it. There are companies selling and shipping products that were designed years ago and the developers have moved on. Or maybe the products were never designed to cope with this. Making some of these products compliant might just not be practical.
“There will be a lot of this,” said Bob. “Next year will be interesting.”
Dario Lobozzo from Finite State, speaking at the show on a panel about the CRA organised by the IoT M2M Council (IMC), wondered whether the act was purely to improve job security in the cyber-security industry. However, he said the situation was a lot better now than it was two years ago, though he added there were still too many companies not doing anything. “They need to get started,” he said.
The IMC is working with Somos to build a compliance management tool that should help with the software bill-of-materials (SBoM) requirements of the act by creating a registry of compliant software, and this will be a big but necessary database.
So, back to motor racing. After just two races, Mercedes is leading the Formula One world championship, closely followed by Ferrari, the two teams that have built cars successfully to deal with the new regulations. Meanwhile, reigning world champion McLaren retired both its cars before the start of the Chinese Grand Prix, and Max Verstappen, arguably the best driver in F1 at the moment, was forced to park his Red Bull part way through the race as reliability problems hit.
The task facing IoT companies is not to be caught out in the same way, so get working on complying with the CRA, then, come September, you could be the Mercedes of the industry. Time to start racing.








