Let’s Talk Technical with Analog Devices, STMicroelectronics, NXP, & Microchip: Embedded Security and the Cyber Resilience Act | DigiKey
In this DigiKey roundtable, industry experts from STMicroelectronics, NXP, Microchip, and Analog Devices dive deep into the evolving landscape of embedded security and its critical role in today’s connected world. The discussion, moderated by Shawn Luke from DigiKey, highlights how securing embedded devices differs from traditional data center security. While data centers operate in controlled environments with physical safeguards, embedded systems found in vehicles, home appliances, and medical devices exist “in the wild” and require robust, decentralized protection strategies.
The conversation opens with a focus on the EU Cyber Resilience Act (CRA), a major piece of regulation impacting global markets. Carlos from NXP explains how the CRA shifts responsibility to manufacturers, requiring them to assess risk, implement countermeasures, and report vulnerabilities across hardware and software products. This ensures every layer of the value chain, from microcontrollers to finished goods, meets new security expectations. Doug from Analog Devices adds that standards and frameworks such as NIST, PSA, IEC 62443, and ISO 21434 are shaping development workflows across industries. He emphasizes that companies must now integrate cryptographic primitives, isolation mechanisms, and secure identity management into their engineering processes. To help developers manage these growing requirements, chipmakers are providing turnkey tools, SDKs, and lifecycle monitoring solutions that simplify compliance and reduce the risk of implementation errors. Xavier from Microchip expands on the concept of threat modeling, which defines the risk landscape for each device and application. He explains that modern development must include post-production lifecycle management, ensuring that devices remain secure even after deployment through regular updates, monitoring, and incident response.
Mena from STMicroelectronics underscores that strong security starts early. From the first design phase, developers must conduct risk assessments, follow secure coding practices, implement secure boot, and maintain documentation to support regulatory compliance. He also notes the importance of a secure supply chain and the use of zero-trust programming to protect private keys, IP, and firmware from tampering during manufacturing. The panel then turns to Zero Trust architectures, with Doug explaining how hyperconnected devices must continuously verify trust before data exchange. As AI and machine learning move to the edge, ensuring that data remains authentic and reliable becomes even more vital.
The experts also explore Secure Enclave technologies, isolated hardware environments designed to safeguard critical keys and processes. NXP, Microchip, and STMicroelectronics each implement this concept differently, under names such as CryptoAuthentication, Trusted Execution Environments (TEE), and TrustZone. These solutions physically and logically isolate sensitive operations from general processing, reducing the attack surface and anchoring a hardware-based root of trust.
Wrapping up, Xavier emphasizes the legal and operational consequences of noncompliance. Security is no longer optional; it is a legal requirement and a core business responsibility. Organizations that fail to design security into their products risk not only breaches but also potential litigation under new global standards. This in-depth discussion hosted by DigiKey delivers actionable insights for embedded developers, system architects, and product managers seeking to design secure, compliant, and future-proof electronic systems. It underscores a unified industry goal: building trust at every layer of connectivity, from the silicon to the cloud.