We wanted to share an update on our progress and our current position regarding the required Technical Documentation.
Right now, our team is looking into the nuances of the legislation and the ongoing EU standardization efforts that will shape compliance. Specifically, we are:
- Reviewing the latest draft vertical standard from ETSI, which covers cybersecurity requirements for operating systems.
- Actively awaiting the horizontal standards from CEN/CENELEC. The draft is expected by the end of November ’25 and is crucial, as it will define key areas like:
  - The methodology for cybersecurity risk assessments.
  - Requirements for “secure-by-default” products.
  - Rules for remote data processing (relevant for balenaCloud).
Until these key standards are published and we can adopt them, we are not able to assemble a final Technical Documentation that includes a fully conforming cybersecurity risk assessment. It’s essential that our risk assessments and design decisions are properly aligned with these official standards from the start.
For those of you already planning your CRA cybersecurity risk assessments, which approach or framework are you considering? Are you looking at established standards like ISO 27005:2022, something more OT-focused like IEC 62443-3-2:2020, or another framework entirely?