When you ship connected products, secure OTA updates are not optional: they’re a legal requirement under the CRA. But what exactly does the regulation say, and how should you implement it?
What the CRA Requires
The CRA mandates that products with digital elements must:
- Be updatable to fix vulnerabilities (Annex I, Part I, point (2)(c)).
- Include mechanisms to securely distribute those updates (Annex I, Part II, point (7)).
- Push automatic security updates by default, with an easy opt-out (Annex I, Part I, point (2)(c)).
- Ensure updates are available for at least 10 years or the full support period (Article 13(9)).
Where possible, security updates should be delivered separately from functionality updates. Advisory messages must explain the patch and any required user actions.
Options for OTA Update Systems
1. Traditional monolithic OTA
- Replace the whole system image.
- Simple for single-purpose devices.
- Harder to manage incrementally and securely.
2. Delta updates
- Only differences from previous versions are downloaded.
- Saves bandwidth and speeds up delivery.
- Requires careful update validation and rollback strategies.
3. Package-based systems
- Use OS package managers (e.g. APT, RPM).
- Suitable for Linux-based devices with complex dependencies.
- Vulnerable if dependencies are not tightly controlled.
The Container-Based Approach
Using containers (like Docker or OCI images) for OTA brings specific advantages:
- Isolation: Containerized services can be updated independently from the base system.
- Rollback: Easy version control and rollback by tagging images.
- Reproducibility: Builds are immutable and testable.
- Security: Scanning tools (e.g. Trivy, Snyk) can flag known vulnerabilities pre-deployment.
- Reduced surface: Only update what’s needed, no full system rewrite.
The CRA doesn’t require containers, but they make compliance easier and cleaner, especially when separating functionality and security updates, or providing support for long-lived devices.
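The sketch below is an added example, not code from this article or from any OTA product. It shows the device-side policy implied by the points above: validate the payload digest, refuse downgrades, install security updates automatically unless the user has opted out, hold feature updates for approval, and roll back to the previous version if a health check fails. The manifest fields, function names and version scheme are assumptions, and the manifest's signature is assumed to have been verified before this code runs.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Manifest:            # hypothetical format, assumed signature-verified already
    version: tuple         # e.g. (1, 4, 2)
    kind: str              # "security" or "feature"
    sha256: str            # digest of the image layer or delta payload
    advisory: str          # what the patch fixes and any required user action

@dataclass
class DeviceState:
    installed: tuple
    previous: Optional[tuple] = None   # last known-good version (image tag)
    auto_security: bool = True         # on by default; the user may opt out

def decide(state, m, payload, user_approved=False):
    """Return 'install', 'hold' or 'reject' for an offered update."""
    if hashlib.sha256(payload).hexdigest() != m.sha256:
        return "reject"                # corrupted or tampered payload
    if m.version <= state.installed:
        return "reject"                # replay of an old release (downgrade)
    if m.kind == "security" and state.auto_security:
        return "install"               # security fixes apply automatically
    return "install" if user_approved else "hold"

def apply_update(state, m, payload, health_check, user_approved=False):
    """Install if policy allows; revert to the previous version on failure."""
    verdict = decide(state, m, payload, user_approved)
    if verdict != "install":
        return verdict
    state.previous, state.installed = state.installed, m.version
    if not health_check():             # e.g. the updated service fails to start
        state.installed, state.previous = state.previous, None
        return "rolled_back"
    return "installed"

# Constructed sample data, for illustration only
SAMPLE_PAYLOAD = b"constructed image layer bytes"
SAMPLE_SECURITY = Manifest((1, 0, 1), "security",
                           hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
                           "Constructed advisory: fixes a parser bug, no user action")

if __name__ == "__main__":
    device = DeviceState(installed=(1, 0, 0))
    print(apply_update(device, SAMPLE_SECURITY, SAMPLE_PAYLOAD, lambda: True))
    print(device)
```

Rejecting a downgrade and rolling back are separate paths here: the first refuses an old release offered from outside, the second restores the last known-good version after a failed install.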
Have questions about how to implement secure OTA in your system—or want feedback on your current setup? Share your stack and let’s discuss.