2026-03-27 4:31 AM
Now that the CRA dates are near, why isn't there a forum for regulatory compliance and CRA-specific questions?
For example, which products STM offers now will not be CRA compliant? This is important, as those products would have to be revised or removed from the market.
For example, an STM32F072 would still meet requirement 1. as the main controller of the product with or without an RF/network connection (via UART/I2C etc.) or 2. as a peripheral connected to the main MPU (indirect) which connects with LAN or Wi-Fi to the outside world.
2026-03-27 4:39 AM
A thread for each individual device from ST or even just the groups would be a very large effort, which is why this generic thread Security:Q&A for CRA exists where many questions are answered.
Hope that helps?
Regards
/Peter
2026-03-27 8:35 AM - edited 2026-03-27 9:06 AM
Thank you. As I mentioned in another thread, links in that Q&A are broken. I am curious what is going to happen for non-compliant STM products. A few questions:
1. Would, for example, an STM32F072 still meet requirement 1. as the main controller of the product with or without an RF/network connection (via UART/I2C etc.) or 2. as a peripheral connected to the main MPU (indirect) which connects with LAN or Wi-Fi to the outside world?
2. The classification of the device will be documented by ST and made publicly available.
When? If a device is not going to be compliant for the class it has been used for in a current product, then it normally takes months if not a year to redesign and re-certify (EMI, test, gerbers, firmware etc.), and the time left is getting close to one year before CRA comes into full effect.
3. Other formats such as SPDX are not provided by ST but multiple commercial and open-source converters are publicly available.
Are there any recommendations by ST that provide the best output?
4. When an exploit is detected, the CRA requires acting as soon as possible, as the product is required to be placed on the market without known vulnerabilities (which is itself practically impossible). The Yocto ST Linux kernel and distribution are only updated after long periods of time; Yocto stable versions with specific kernels, for example, only change every few years, long behind the latest kernels. After that, the customer still needs to test and roll out the OTA. How would slow updating be justified? When would the party placing the product on the market become liable for non-"up to date" software/firmware?
5. Per my understanding, even if a device has components subject to a certain class (with, for example, ST-SAFE for Class III), it does not mean the product itself is secure and meets class requirements. For example, the SE may not be used at all or not used correctly. Would there be (STMicro) validation tests made available to assess the correct implementation of the security features of ST devices (inside MCU or MPU or externally) to meet certain class requirements?
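Question 3 above is about converting an SBOM into SPDX. As an added example that is not part of this thread and not ST's tooling, the Python below converts a constructed CycloneDX-style JSON SBOM (an assumption: the post does not say which format ST does provide) into a minimal SPDX 2.3 JSON document, and then checks that no component name, version or purl was lost and that the generated SPDX identifiers are unique. The component names, versions, purls and the document namespace are all constructed placeholders, not real ST component data.

```python
import json
from datetime import datetime, timezone

# Constructed sample input (not a real ST SBOM): a minimal CycloneDX 1.5 JSON
# document with one product component and two dependencies.
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "firmware", "name": "example-firmware", "version": "1.0.0"}
    },
    "components": [
        {"type": "library", "name": "example-rtos", "version": "2.3.1",
         "purl": "pkg:generic/example-rtos@2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-crypto", "version": "0.9.0",
         "purl": "pkg:generic/example-crypto@0.9.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
}


def _spdx_id(name, version):
    # SPDX identifiers may only contain letters, digits, '.' and '-'.
    raw = f"SPDXRef-Package-{name}-{version}"
    return "".join(ch if (ch.isalnum() or ch in ".-") else "-" for ch in raw)


def cyclonedx_component_to_spdx_package(comp):
    """Map one CycloneDX component to one SPDX 2.3 package object."""
    ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
    ids = [i for i in ids if i]
    license_expr = " AND ".join(ids) if ids else "NOASSERTION"
    version = comp.get("version", "NOASSERTION")
    pkg = {
        "name": comp["name"],
        "SPDXID": _spdx_id(comp["name"], version),
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "licenseConcluded": license_expr,
        "licenseDeclared": license_expr,
        "copyrightText": "NOASSERTION",
    }
    if "purl" in comp:  # keep the package URL as an SPDX external reference
        pkg["externalRefs"] = [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": comp["purl"],
        }]
    return pkg


def cyclonedx_to_spdx(bom, namespace="https://example.invalid/spdx/placeholder"):
    """Build a minimal SPDX 2.3 JSON document from a CycloneDX JSON document."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("input is not a CycloneDX document")
    root = bom.get("metadata", {}).get("component")
    packages, relationships = [], []
    root_pkg = None
    if root:
        root_pkg = cyclonedx_component_to_spdx_package(root)
        packages.append(root_pkg)
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relatedSpdxElement": root_pkg["SPDXID"],
                              "relationshipType": "DESCRIBES"})
    for comp in bom.get("components", []):
        pkg = cyclonedx_component_to_spdx_package(comp)
        packages.append(pkg)
        if root_pkg:
            relationships.append({"spdxElementId": root_pkg["SPDXID"],
                                  "relatedSpdxElement": pkg["SPDXID"],
                                  "relationshipType": "CONTAINS"})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": (root or {}).get("name", "sbom"),
        "documentNamespace": namespace,  # placeholder namespace, constructed
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: cyclonedx-to-spdx-example"],
        },
        "packages": packages,
        "relationships": relationships,
    }


def check_conversion(bom, spdx):
    """Return a list of problems; empty means nothing was lost in conversion."""
    problems = []
    ids = [p["SPDXID"] for p in spdx["packages"]]
    if len(ids) != len(set(ids)):
        problems.append("duplicate SPDXID")
    present = {(p["name"], p["versionInfo"]) for p in spdx["packages"]}
    for comp in bom.get("components", []):
        if (comp["name"], comp.get("version", "NOASSERTION")) not in present:
            problems.append(f"missing component {comp['name']}")
    purls_in = {c["purl"] for c in bom.get("components", []) if "purl" in c}
    purls_out = {r["referenceLocator"] for p in spdx["packages"]
                 for r in p.get("externalRefs", [])}
    if not purls_in <= purls_out:
        problems.append("purl lost during conversion")
    return problems


if __name__ == "__main__":
    spdx_doc = cyclonedx_to_spdx(CYCLONEDX_SAMPLE)
    print(json.dumps(spdx_doc, indent=2))
    print("problems:", check_conversion(CYCLONEDX_SAMPLE, spdx_doc))
```

Whatever converter is used, the check at the end is the part worth keeping: a converted SBOM that silently drops a component or its purl is worse than none, because downstream vulnerability matching relies on exactly those fields.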