EU CRA and UK PSTI Compliance
Automated by Microservice Store and iSM

Microservice Store is a cloud platform with API integration that operationalises security compliance from device to cloud. The integrated Security Manager (iSM), running on the device as part of the embedded Microservice Runtime, enforces security controls and produces structured security evidence. The platform then uses this evidence to automate obligations that are often handled manually, including vulnerability workflows, SBOM handling, update governance, and regulatory reporting.

​​

​​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

Key point: 

Where EU CRA and UK PSTI are commonly implemented as manufacturer-run manual processes, Microservice Store is designed to execute these processes within the platform, including device-to-cloud reporting, evidence capture, and regulator reporting workflows. Where permitted, Microservice Store can also publish SBOM information on behalf of the product vendor.

​​​​​

​

"embedded Microservices": A Foundational Technology to Enable True Auditable Compliance

In Embedded Systems, Traditional firmware and RTOS-based products are shipped as a single, monolithic image, where application logic, middleware, and third-party libraries & SDKs are merged into one artefact. In that model, it is difficult to isolate functions, assign independent identities and hashes, manage per-component versions, or perform targeted upgrades; updates typically require rebuilding and retesting the entire image, increasing regression risk and slowing remediation. To address these systemic limitations, we had to develop a foundational technology called "embedded Microservices", which allows every module to be individually versioned, hashed, and upgraded. By breaking the "single image" trap, this architecture ensures that a vulnerability in one area does not compromise the entire system, enabling the real-time vulnerability reporting and dynamic Software Bill of Materials (SBOM) that legacy RTOS environments simply cannot provide.

​

​

How EU CRA, UK PSTI Compliance Automation Works 

• Device Layer (iSM): integrated Security Manager (iSM), running on the field device, enforces secure boot, secure update with rollback protection, policy-based access control, isolation, secure storage, and attestation, and generates signed evidence, plus security event and violation reports.

​

• Cloud/Integration Layer (Microservice Store): Ingests device evidence and events via APIs, correlates them with SBOM and embedded Microservice metadata, triggers workflows (triage, remediation, notification), and generates compliance outputs (reports, audit trails, disclosures).

​

​

EU CRA, Automated Requirement Handling

​

​

​

​

​

​

​

​

​

​

​

​​​

​​

​​

​​

​

​

​​

​​​​​​​​

UK PSTI, Automated Requirement Handling

​

​

​

​

​

​

​

​

​

​

​

Conclusion

In summary, iSM and the Microservice Store platform are designed to operationalise EU CRA and UK PSTI requirements, not document-driven ones, by enforcing security controls on-device, collecting signed evidence, maintaining component-level identity and SBOM data, orchestrating updates, and automating vulnerability workflows and regulatory reporting through the cloud and APIs. By moving away from monolithic firmware towards embedded microservices with isolation, independent versioning, and targeted upgrades, the platform supports auditable compliance with measurable controls and traceable outcomes across the full device lifecycle.

This shifts compliance from a vendor-managed, manual burden to a platform capability, reducing the need for each product team to build and maintain bespoke security and compliance infrastructure, accelerating time-to-market, and lowering ongoing engineering and assurance costs. At the national and ecosystem levels, the same approach supports more consistent baseline security across connected products, faster remediation at scale, improved supply chain transparency, and greater confidence in the security posture of devices deployed in homes, enterprises, and critical environments.

​​​