Free as in Freedom: How OEMs Can Navigate EU Cybersecurity Rules Whilst Using Open Source - We Talk IoT #79

FEB 12, 2026 · 42 MIN
We talk IoT – The Internet of Things Business Podcast

Description

The EU Cybersecurity Resilience Act is keeping OEMs awake at night. How do you use free and open-source software whilst complying with new obligations around vulnerability management, supply chain transparency, and continuous support? In this episode, Pierre Gal (Head of Product) from Witekio and Michael Röder (Senior Manager, Software and Services EMEA) from Avnet Silica tackle the urgent questions facing manufacturers: Who counts as a manufacturer under the CRA? What documentation must you maintain? And how do you manage vulnerabilities in components you didn't create? Pierre explains how Witekio's Embedded Kit provides off-the-shelf solutions based on open-source software like Yocto Linux, helping customers navigate composition, integration, and compliance. Michael shares what he's hearing from customers struggling to interpret regulatory requirements and implement risk-based approaches. From SBOM (Software Bill of Materials) to supply chain attacks, from secure by default to continuous vulnerability management, we explore the practical realities of making compliance work. The conversation cuts through the confusion to deliver actionable advice: understand your responsibilities, think in terms of composition, and don't wait for a magic bullet. Tune in to learn how to leverage the power of open-source software whilst meeting your CRA obligations – because "free as in freedom" doesn't mean free from responsibility. 
#CRA #cybersecurity #opensource #FOSS #compliance #IoT #wetalkiot

Summary of this week's episode:
04:14 Key Dates and Obligations of the CRA
05:27 Challenges Faced by Manufacturers
10:10 The Role of Open Source in CRA Compliance
19:58 The Concept of Software Bill of Materials (SBOM)
22:14 Real-World Example: Casino Attack Case Study
23:28 Documentation and Configuration Issues
24:04 Cybersecurity Layers and CRA Methodology
24:25 Secure by Default and Advanced Concepts
26:50 Implementation and Standard Processes
29:45 Quality, Testing, and Automation
31:53 Vulnerability Management Methodology
37:18 Critical Mistakes to Avoid with CRA
39:36 Supply Chain Attacks

Show notes:
Pierre Gal (Witekio): https://www.linkedin.com/in/pierre-gal/
Michael Röder (Avnet Silica): https://www.linkedin.com/in/roednix/
Securing the Future: Understanding the Cyber Resilience Act - We talk IoT #55: https://www.podbean.eu/ew/pb-8kkkd-d4ddfc
EU Cybersecurity Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
National Vulnerability Database (NVD): https://nvd.nist.gov/
OWASP Top 10: https://owasp.org/www-project-top-ten/

Listen to the "We Talk IoT" Soundtrack on:
Spotify: https://open.spotify.com/playlist/05MOV4OV2MH2in2txsAGtG?si=ad08112cb8d443f4
YouTube: https://www.youtube.com/watch?v=D-NvQ6VJYtE&list=PLLqgVFfZhDRVYmpEqbgajzDvGL4kACRDp

About Avnet Silica:
This podcast is brought to you by Avnet Silica, the Engineers of Evolution. Subscribe to our newsletters here: https://my.avnet.com/silica/resources/newsletter/
You can connect with us on LinkedIn: https://www.linkedin.com/company/silica-an-avnet-company/. Or find us at www.avnet-silica.com.