Skip to main content
COMPLIANCE FRAMEWORKS

One platform. Six frameworks. Always audit-ready.

FDIE maps every firmware analysis to EU CRA, ETSI EN 303 645, OWASP FSTM, NIST SP 800-193, NIST IR 8259A, and IEC 62443-4-2 - producing an A-F grade per framework from the same 40+-point test suite.

Last updated: June 15, 2026

SUPPORTED FRAMEWORKS

Six frameworks, one consistent scoring model.

Every framework below is fully mapped against FDIE’s 40+-point test suite - no separate scans, no extra configuration.

FrameworkScopeStatusFDIE Coverage
EU Cyber Resilience Act (CRA)EU, all digital productsMandatory from Dec 2027Full mapping, Article 14 alerts
ETSI EN 303 645EU/UK, consumer IoTLegally enforcedFull mapping
OWASP FSTMGlobal, all firmwareVoluntary / industry standardFull mapping
NIST SP 800-193US, platform/BIOS firmwareFederal requiredFull mapping
NIST IR 8259AUS, IoT devicesFederal procurement requiredFull mapping
IEC 62443-4-2Global, industrial/OT firmwareContractual / industry standardFull mapping
UNDER THE HOOD

40+ test cases across 7 categories.

Every framework grade is derived from the same 40+ deterministic test cases, grouped into 7 categories that map onto the requirements every framework above shares.

Credential Security

Hardcoded passwords, default credentials, and weak or reused secrets baked into firmware.

Firmware Update

Update mechanisms, signature verification, and rollback protection for over-the-air upgrades.

Cryptography

Weak ciphers, deprecated algorithms, hardcoded keys, and insecure key storage or generation.

Binary Hardening

Compiler-level protections - stack canaries, ASLR/PIE, RELRO, NX, and stripped symbols.

Attack Surface

Open ports, exposed services, debug interfaces, and unnecessary binaries that widen exposure.

Known Vulnerabilities

CVE matching against 355,000+ records with CPE version-range filtering, EPSS scoring, and CISA KEV flagging.

Secure Boot

Boot chain verification, signed bootloaders, and trusted-execution configuration.

EU CYBER RESILIENCE ACT (CRA)

What the EU CRA requires - and how FDIE maps to it.

From December 2027, the EU Cyber Resilience Act becomes mandatory for virtually every product with digital elements sold in the EU. Manufacturers must produce an SBOM, run a vulnerability handling process, complete a conformity assessment, and report actively exploited vulnerabilities to ENISA within 24 hours (Article 14).

Last updated: June 15, 2026

Article 14-ready alert tracking

CVE matches correlated with CISA KEV and EPSS, so actively-exploited vulnerabilities are flagged with the urgency Article 14 requires.

Auto-generated SBOM & VEX

CycloneDX and SPDX SBOMs plus VEX documents are produced automatically from every analysis - the documentation core to CRA conformity.

Compliance grade mapped to CRA annexes

FDIE’s A-F grade traces directly back to the essential requirements in the EU CRA’s annexes, so the grade is an audit artifact, not a marketing score.

FAQ

Frequently asked questions

The EU Cyber Resilience Act (CRA) is an EU regulation that sets mandatory cybersecurity requirements for virtually all products with digital elements sold in the EU, covering secure-by-design development, vulnerability handling, and reporting. Its core obligations become mandatory from December 2027, and FDIE maps every analysis directly to CRA requirements so you can track readiness ahead of the deadline.

Article 14 of the EU CRA requires manufacturers to notify ENISA of any actively exploited vulnerability or severe incident affecting a product within 24 hours of becoming aware of it, followed by more detailed reports. FDIE's CVE matching is correlated with CISA KEV and EPSS data so actively-exploited findings are flagged immediately, giving you an Article 14-ready alert trail.

ETSI EN 303 645 is a European baseline security standard for consumer IoT devices, covering areas like no universal default passwords, secure update mechanisms, and secure storage of credentials. It applies to most consumer-facing connected products sold in the EU and UK, and FDIE's 40+-point test suite maps directly to its provisions with an A-F compliance grade.

NIST SP 800-193 (Platform Firmware Resiliency Guidelines) defines requirements for protecting, detecting, and recovering platform firmware from corruption, and is required for many US federal procurement contexts. FDIE checks for the secure-boot, update-authentication, and recovery mechanisms this standard expects and reports coverage as part of its compliance scoring.

IEC 62443-4-2 defines technical security requirements for components used in industrial automation and control systems (IACS), and is widely required contractually for industrial and operational-technology (OT) firmware. FDIE evaluates binary hardening, credential handling, and cryptography against IEC 62443-4-2's component-level requirements as one of its 6 supported frameworks.

FDIE's 40+ deterministic test cases are grouped into 7 categories - credential security, firmware update, cryptography, binary hardening, attack surface, known vulnerabilities, and secure boot - each mapped to the corresponding essential requirements in the EU CRA's annexes, alongside ETSI EN 303 645, OWASP FSTM, NIST SP 800-193, NIST IR 8259A, and IEC 62443-4-2, producing a single A-F grade per framework.

Get your EU CRA readiness assessment.

Book a 30-minute walkthrough with our team - bring your own firmware image or use one of ours.

or see Delta Intelligence →