The EU Cyber Resilience Act entered into force in December 2024; its main obligations apply from December 2027. It covers products with digital elements placed on the EU market. VAOS is architected around the CRA core: security by design, vulnerability handling, and continued security support.
Validation envelope, sensor-aware perception, structured Scene Contracts: security is the architecture, not a wrapper around it. See the eight commitments →
Reference threat model, attack-surface map, and runtime-failure modes documented per release. Distributable as part of the OEM evidence pack.
Coordinated disclosure, CVE-style IDs, advisory feed (RSS + JSON), 72-hour active-exploit notification to ENISA when applicable.
Published support window per release. Updates signed, deltas verified at boot. Failure-safe rollback if integrity check fails.
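The boot-time verify-then-fall-back flow that line describes, as an added illustration (not VAOS code, and not a description of its actual image format). It assumes an A/B slot layout where each slot carries an image, a manifest with a version and SHA-256 digest, and a signature over the manifest. HMAC-SHA256 with a constructed key stands in for the asymmetric signature a real device would verify with a public key held in the trusted boot stage, so the example runs offline. The version floor gives the anti-rollback check: a slot that verifies but is older than the last known-good version is refused, so "fall back" never means "downgrade below the floor".

```python
import hashlib
import hmac
import json

# Constructed example key. On a real device the verifier holds only a public
# key and the signature is asymmetric (e.g. Ed25519); HMAC stands in here.
VENDOR_KEY = b"constructed-example-key-not-for-production"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_slot(version: int, image: bytes, key: bytes) -> dict:
    """Assemble a slot the way an update tool would: digest, manifest, tag."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"image": image, "manifest": manifest, "tag": sign_manifest(manifest, key)}


def verify_slot(slot: dict, key: bytes, min_version: int) -> bool:
    """Signature over the manifest first, then image digest, then anti-rollback."""
    expected = sign_manifest(slot["manifest"], key)
    if not hmac.compare_digest(expected, slot["tag"]):
        return False  # manifest tampered or not signed by the vendor key
    if slot["manifest"]["sha256"] != hashlib.sha256(slot["image"]).hexdigest():
        return False  # image does not match the signed digest (corrupt delta)
    if slot["manifest"]["version"] < min_version:
        return False  # older than the last known-good version: refuse downgrade
    return True


def select_boot_slot(slots: dict, active: str, fallback: str,
                     key: bytes, min_version: int):
    """Boot the active slot if it verifies; otherwise fall back; else halt (None)."""
    for name in (active, fallback):
        if verify_slot(slots[name], key, min_version):
            return name
    return None


def demo():
    # Constructed slot contents: A holds the new image, B the previous one.
    slots = {
        "A": build_slot(2, b"firmware-v2 (constructed)", VENDOR_KEY),
        "B": build_slot(1, b"firmware-v1 (constructed)", VENDOR_KEY),
    }
    # 1. Healthy device: active slot A verifies and boots.
    healthy = select_boot_slot(slots, "A", "B", VENDOR_KEY, min_version=1)
    # 2. A corrupted update wrote a bad image into A: digest check fails, boot B.
    tampered = {**slots, "A": {**slots["A"], "image": b"firmware-v2 (corrupted)"}}
    after_bad_update = select_boot_slot(tampered, "A", "B", VENDOR_KEY, min_version=1)
    # 3. Version floor already raised to 2: B verifies but is refused, A boots.
    no_downgrade = select_boot_slot(slots, "B", "A", VENDOR_KEY, min_version=2)
    return healthy, after_bad_update, no_downgrade


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified over the manifest before the image digest is trusted, so an attacker who can write to flash cannot simply pair a modified image with a recomputed digest. The version floor should itself live in tamper-resistant storage and only ever move forward once the new slot has booted successfully.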
Each VAOS release publishes a CycloneDX SBOM. Provenance attestations for binary artifacts. OEMs inherit and extend.
Technical documentation pack (architecture, risk assessment, security policy, update support window), ready to bundle into integrator filings.
The CRA distinguishes default-class products from "important" and "critical" classes, which face stricter conformity routes. VAOS-powered devices fall into different classes depending on use:
| Class | Conformity route | VAOS scenario |
|---|---|---|
| Default | Self-assessment | Hobby / dev kits |
| Important class I | Self or harmonised standards | Smart cameras, doorbell-class |
| Important class II | Third-party assessment | Industrial / safety |
| Critical | Mandatory third-party | Healthcare / critical infra |
Architectural alignment is the same. The filing route varies by integrator product class.
SBOM, advisory feed, signed updates, support window: the evidence integrators need.