Platform · CRA compliance
Munic certifies the device. You own only what you add.
The EU Cyber Resilience Act (CRA) becomes mandatory on 11 December 2027. Munic builds the hardware and the operating system and carries the device through conformity — assessment, technical file, CE marking, vulnerability handling, and the security-update commitment. Whatever you run on top, the box arrives certified; you document only the layer you add.
Already shipping
We don't start the CRA in 2027 — much of it ships today.
Munic devices are CE RED certified — the Radio Equipment Directive's cybersecurity requirements are part of the CE mark, not a separate badge. Mandatory since 1 August 2025, Munic meets them under the harmonised standards EN 18031-1:2024 (network protection) and EN 18031-2:2024 (personal-data and privacy protection), and has shipped them in product since. These overlap much of the CRA's essential requirements, so the gap to full CRA conformity is incremental, not a rebuild.
CE RED certified
Current devices carry CE marking under the Radio Equipment Directive, demonstrated against EN 18031-1:2024 (network protection) and EN 18031-2:2024 (personal-data and privacy protection) — mandatory since August 2025. The RED Declaration of Conformity is available on request.
RED cyber overlaps the CRA
The RED cyber controls map directly onto the CRA's product-security requirements — so much of the CRA is already built, tested, and in the field.
Ahead of the deadline
The gap to full CRA conformity is incremental, not a rebuild — and Munic carries it, well before 11 December 2027.
The 2027 deadline
When you can self-certify — and when a lab is mandated.
The CRA classifies the device, not the operating system. Most devices self-certify, and Munic performs it. An audit and a lab are only mandated when the device carries a regulated security function.
Pure tracking
No lab — self-certify
A default product. Location and cellular only — no regulated security function.
- Cellular / GNSS — No lab
- No camera — No impact
- Standard software — Fully ours
Telematics + vision
No lab — self-certify
Cameras and WiFi/BLE do not add a CRA security function. Privacy is handled by on-device anonymisation; radio is already covered under our CE RED certification (EN 18031-1/-2).
- Vision — No lab — anonymised on device
- WiFi / BLE — No lab — CE RED radio
- Your containers — Your layer — no device lab
Robotic / autonomous
Lab — assessed per programme
Safety-critical or secure-element functions can require a notified body, and the device sits in a wider stack. Munic carries the assessment and the lab.
- Safety-critical functions — May need a lab
- Secure element — Lab required
- Wider stack — Machinery + AI Act
11 Sep 2026
Reporting obligations begin — actively-exploited vulnerabilities and severe incidents. Munic runs the platform reporting pipeline.
11 Dec 2027
Full obligations apply — conformity assessment, CE marking, technical file, support period. The deadline everyone means by "CRA 2027".
The harmonised standards that unlock self-assessment for regulated-function devices are not yet published. Until they are, that class uses a notified-body route — and Munic carries it either way, switching to self-assessment the moment the standard lands. Tracking and standard telematics devices self-certify today regardless.
Aftermarket or factory-fit
Same device — the governing regime can change with the host.
Munic ships both as standalone aftermarket products and as factory-fit units. What rules the device depends on where it lands: on its own, or inside a regulated host.
Aftermarket / retrofit
CRA applies
Sold as a standalone product, the device is a product with digital elements in its own right. The CRA applies — and Munic certifies it.
Factory-fit — on-road vehicle
Automotive regime
Integrated into a type-approved vehicle, the unit falls under vehicle type-approval and its automotive cybersecurity management (UNECE R155/R156) — the CRA steps aside. Munic supplies the cybersecurity evidence the vehicle maker folds into its management system.
Factory-fit — off-road / machinery
CRA + Machinery
No vehicle type-approval exclusion here: the CRA still governs cyber, alongside the Machinery Regulation for safety. Munic carries the cyber layer.
The exact line — especially for a unit shipped to a vehicle maker as a type-approval input versus sold on its own — is a product-by-product determination. We scope it per programme.
Who does what
Munic certifies the device. Three things decide the rest.
Hardware, operating system, and the device conformity are always ours. What you take on depends on three choices — and in most configurations the answer is nothing.
Software in the box
- Munic standard Nothing — fully ours.
- Munic + your configuration Nothing — configuration is not a modification.
- Munic + your containers Your container code — your application layer.
Cloud
- Munic cloud Nothing — covered in the device posture.
- Munic + your cloud Your cloud services.
- Your cloud (we are not connected) Your remote data processing.
Branding
- Munic brand Nothing.
- Your brand Your name as the named manufacturer — on our conformity work.
- Final-customer rebrand The rebrand relationship — structured so our conformity still backs the product.
The only part that ever sits with you is the layer you build — your containers, your cloud, your brand name on our conformity work. Everything beneath is certified and documented by Munic.
How we help
A multi-year compliance project, reduced to a documentation merge.
-
A certified device — we run the conformity assessment and CE-mark the hardware we build.
-
A pre-hardened OS that meets the product-security requirements out of the box.
-
A per-release SBOM you fold straight into your technical file.
-
Continuous CVE and licence gating — issues caught at merge, not at audit.
-
A signed update channel that underwrites the multi-year security-update duty.
-
A managed PSIRT and an incident-reporting pipeline for the platform layer.
-
A technical-documentation pack for the device, ready for your file.
Built in, not bolted on
Compliance is a runtime property.
CRA obligations are enforced at the OS layer — not via process or audit afterwards.
-
Hardened kernel + immutable rootfs
Read-only OS image. No shipping packages at runtime.
-
Secure Boot + hardware-anchored key store
Signed-image verification at every boot. Keys stored in a TEE (Trusted Execution Environment) on supported hardware.
-
Sandboxed container per micro service
Least-privilege by construction. Container-isolated per micro service.
-
Cryptographic update verification
Signed OTA (Over-the-Air) delivery. Anti-rollback enforced.
-
Tamper detection + firmware integrity
Boot-time integrity check; failed checks block startup.
CI security gates
One shared template. 52 micro services.
All micro services inherit CVE advisory scanning, licence gating, unsafe-code analysis, SBOM generation, and SAST (Static Application Security Testing) from one versioned shared CI template. A security fix ships to every consumer in a single version bump — no per-micro service pipeline maintenance.
| Control | Scope | Fail condition |
|---|---|---|
| Bill of materials (SBOM) | Machine-readable, every dependency, per release | Informational — not a blocking gate |
| Known-vulnerability scan | Advisory database, every dependency | Critical advisory blocks the build |
| Licence-policy gate | Every open-source dependency | Disallowed licence blocks the merge |
| Unsafe-code analysis | Memory-safety surface | Policy violation blocks the build |
| Static analysis (SAST) | Security anti-patterns in source | High-severity finding blocks the build |
The vulnerability and licence gates block on violation. SBOM publication is currently informational — the control is in place; the enforcement level is under review.
OSS hygiene
Open-source dependencies — scanned, tested, and licence-gated.
Every micro service in the catalog ships with an explicit open-source software (OSS) hygiene posture — not just a version pin.
-
We scan OSS for CVE
CVE advisory scanning runs in CI on every micro service and blocks on critical advisories — no merge until the advisory is resolved or explicitly acknowledged.
-
We test OSS dependencies
Transitive dependency behaviour is exercised through the same platform CI test suites that gate every release. OSS surface is not assumed-safe by version pin alone.
-
We prevent contaminating licences
The allow list is permissive-only — MIT, Apache-2.0, BSD-2/3-Clause, ISC, MPL-2.0, and equivalent. Example: LGPLv3 is blocked because it requires source disclosure of the linked binary, which is incompatible with shipping a proprietary firmware image to the customer's device.
OSS hygiene is one reason compliance teams choose MOS4. The compliance-posture context is at why-mos4 → compliance posture. The full micro service catalog — each entry compliance-flagged — is at /components. Compliance briefs and allow-list rationale are available at /resources/whitepapers.
CRA mapping
The obligations — and what MOS4 provides.
MOS4 covers the product-security obligations the CRA places at the OS layer. The mapping below is capability-level; the exact article references sit in the compliance brief we share under NDA.
| CRA obligation | What MOS4 provides |
|---|---|
| Secure by default | Sandboxed container per micro service. Least-privilege by construction. |
| Data minimisation | Live anonymisation in the frame plane. Configurable retention. |
| Integrity protection | Secure Boot + tamper detection + cryptographically verified OTA. |
| Vulnerability handling | PSIRT at security@munic.io, coordinated disclosure, internal patch targets, CVEs tracked per release. |
| Technical documentation | Per-release: SBOM, risk assessment, architecture description, change log, security testing evidence. |
| Reporting obligations | Incident-reporting workflow. EU CSIRT-ready. Customer notification template available. |
Patch targets
Internal targets — contractual SLAs per programme.
| Severity | Target | SLA basis |
|---|---|---|
| Critical | Internal target — 7 days | Contractual SLA per programme |
| High | Internal target — 30 days | Contractual SLA per programme |
| Medium | Internal target — 90 days | Contractual SLA per programme |
| Low | Next release | Contractual SLA per programme |
The CRA requires remediation "without undue delay" and a security-update support period of at least five years — it sets no numeric patch deadline. The targets above are Munic's own internal targets, stricter than the regulation's wording; contractual SLAs are agreed per programme and are not implicit commitments of this page.
PSIRT (Product Security Incident Response Team)
Responsible disclosure — and the CRA reporting clock.
Report a vulnerability to us
security@munic.io
Coordinated disclosure. We acknowledge an inbound report within 5 business days — then run the regulatory clock on the right.
What the CRA mandates — and Munic runs
- · Early warning to the authorities within 24 hours of an actively-exploited vulnerability.
- · Full notification within 72 hours.
- · Final report within 14 days of a fix being available.
- · Affected users informed without undue delay.
Responsibility split
What we carry. What you document.
OS layer — Munic carries
- · Kernel CVE patching and OS-layer security fixes.
- · OTA pipeline integrity — signed package delivery.
- · SBOM generation and publication per release.
- · Secure Boot + hardware-anchored key store (TEE) on supported hardware.
- · Sandboxed micro service runtime with enforced isolation per container.
- · CI-enforced CVE and licence gates across 52 micro services.
- · Egress firewall — available across supported hardware.
Application layer — Customer documents
- · Business-logic threat model.
- · Customer-data handling and retention policy.
- · Application-side test coverage and evidence.
- · Domain-specific risk register.
- · Application-layer disclosure surface.
Day-2 capabilities — observability, safety, OTA, remote control, lifecycle — are surfaced together at /platform/operations. Security policies that are config-driven rather than code-level are covered at /platform/no-code.
Data lifecycle
Erase personal data on command — and prove it.
A single typed data-reset event fans out across the OS: every micro service holding driver, vehicle, or diagnostic data clears its own state, and the action is recorded. One mechanism, three jobs your programme already has to handle.
Vehicle swap / driver handover
When a vehicle changes hands, wipe the previous driver's trips, locations, and diagnostic history before the next driver's first ignition — no field visit, no manual purge.
RMA & refurbishment
Before a device leaves the field for return or refurbishment, clear customer data on command so nothing personal travels with the hardware.
GDPR right-to-erasure
Fulfil a data-subject deletion request from the cloud — the device clears the matching state and returns an audit record you can hand to the requester.
The reset is triggered by configuration or a remote command and propagates through the platform's lifecycle hooks — diagnostics, vehicle data, and the persistent store all clear their own state, and the store rotates on a configurable retention policy on top. Every reset is logged like any other state change, so the erasure is provable after the fact.
Standards alignment
Where MOS4 controls map.
Radio Equipment Directive (RED)
Devices are CE RED certified — the directive's cybersecurity requirements are part of the CE mark. Demonstrated against EN 18031-1:2024 (network protection) and EN 18031-2:2024 (personal-data and privacy protection), mandatory since 1 August 2025. Declaration of Conformity available on request.
UNECE R155 / R156
Aligned with R155/R156 controls — formal assessment per programme.
FMCSA ELD
FMCSA-certified ELD via the hours-of-service micro service. HOS application
available June 2026 — ekkofleet.com.
GDPR
Live anonymisation in the frame plane (face and plate blur at boot-time policy). Configurable retention controls.
CRA (EU 2024/2847)
Munic carries the device through conformity and CE marking; you document only the layer you add.
Robotics & autonomy
For mobile and autonomous machines, CRA is the cyber baseline inside a wider stack — the Radio Equipment Directive, the Machinery Regulation, and the EU AI Act. Munic carries the cyber layer and aligns with the rest.
FAQ
Frequently asked questions
-
Are Munic devices certified for cybersecurity today?
Yes. Munic devices are CE RED certified — the Radio Equipment Directive's cybersecurity requirements are part of the CE mark, not a separate badge. Conformity is demonstrated against the harmonised standards EN 18031-1:2024 (network protection) and EN 18031-2:2024 (personal-data and privacy protection), mandatory since 1 August 2025. These requirements overlap much of the CRA's essential requirements, so most of the CRA work is already built and in the field. The RED Declaration of Conformity is available on request.
-
Do I need a notified-body audit by 2027, or can I self-certify?
It depends on the device, not the software. Tracking and standard telematics devices self-certify — and Munic performs it — available today. Devices with a regulated security function (network, identity, VPN-class) self-certify only once a harmonised standard is published; until then they use a notified-body route. Security-critical devices always need a lab. Munic carries the route in every case.
-
If I put my own brand, containers, or cloud on the device, what becomes my responsibility?
Munic always certifies the device — hardware, OS, conformity, CE marking, and the security-update commitment. You take on only what you add: the compliance of your own container code, your own cloud if you run it, and your name as the named manufacturer if you brand or rebrand the product, on top of our conformity work.
-
What CI gates run on every micro service pipeline?
Known-vulnerability scan (blocking on critical), licence-policy gate (blocks merge on disallowed licences), unsafe-code analysis, static analysis (SAST), and machine-readable SBOM generation (informational). All 52 micro services inherit these from one shared CI template.
-
What ships in the per-release SBOM?
A machine-readable SBOM covering every open-source dependency in the micro service. SBOM publication is informational; the vulnerability and licence gates are the blocking controls.
-
What are the patch response targets?
Internal targets: Critical 7 days, High 30 days, Medium 90 days, Low next release. These are internal targets — contractual SLAs are agreed per programme.
-
How do I report a vulnerability?
Responsible disclosure via security@munic.io. Acknowledgement within 5 business days.
-
Is OTA signing available?
Yes. Signed package OTA — key chain rooted at Munic. A/B partition scheme keeps the previous known-good image available for automatic rollback.
-
What is the status of UNECE R155/R156 alignment?
MOS4 controls are self-aligned with R155/R156. Formal assessment is conducted per programme — not a blanket certification.
-
What does Munic carry vs what does the customer document?
Munic carries kernel CVE patching, OTA integrity, SBOM publication, Secure Boot, sandboxed runtime, and CI-enforced security gates. Customer documents business-logic threats, data handling policy, app-side test coverage, and domain-specific risk register.
AI Act
EU AI Act posture.
MOS4 AI Language provides structured evidence inputs for the EU AI Act — audit manifest records for §10 data-governance obligations, quantified threat-model gates for §13 transparency, and silicon-agnostic hardware lifecycle decoupling.
Audit manifest as §10/§13 evidence
Every answer from the AI Language platform publishes a full provenance record: chunk IDs, document paths, model version, similarity scores, and refusal reason. Six-month rolling retention. This record is structured as evidence input for EU AI Act §10 (data governance) and §13 (transparency) obligations.
Threat-model T1–T5 with quantified gates
The AI Language platform ships with five threat categories, each with an acceptance-criterion gate: RAG (Retrieval-Augmented Generation) confidence thresholds (T1), prompt-injection deflection rate ≥ 95% on 20-prompt red-team (T2), STT (Speech-to-Text) noise floor WER (Word Error Rate) ≤ 15% at 70–75 dB (T3), audit record completeness (T4), and MCP (Model Context Protocol) tool escalation prevention (T5). All gates are testable and machine-verifiable.
Hardware lifecycle and transparency
The AI Language platform is silicon-agnostic above the 1 GB RAM floor. Software and hardware lifecycles are decoupled: a silicon generation change does not require a model change or an application code change. The SBOM covers the full AI stack including model provenance. See the hardware page for silicon-tier detail.
Bring your security questionnaire.
Engineering will fill it from the existing compliance evidence — no bespoke audit engagement needed for the OS layer.