Whisper · Docs
Embedded

Embedded compliance: the CRA, 62443, EN 303 645 & 802.1AR

The EU Cyber Resilience Act, IEC 62443, ETSI EN 303 645 / the UK PSTI Act, FDA §524B and IEEE 802.1AR all ask one thing of a connected-device program: which device is this, is it authorised, and can you prove it and shut it off?

This page maps Whisper's shipped evidence onto those frameworks. The honest disclaimers first: Whisper is not a certification, not a notified body, and not a compliance-automation product. It is a network primitive whose by-products (a per-device identity register, DANE pins, per-/128 egress logs, a publicly checkable revoke trail, signed attribution findings) happen to be exactly the artifacts these frameworks keep asking for. You file the evidence; we make it real.

What every framework is really asking

Strip the clause numbers and the frameworks converge on four questions: identity (can you name each device, from a hardware root of trust, without shipped shared secrets?), control (can you constrain and observe what it talks to?), response (when one is compromised, can you cut it off, quickly and provably?), and evidence (can you show all of the above to someone who doesn't trust you?). The address-is-identity primitive answers all four with the same object: the device's /128, its DANE pin, its logs, and its revoke record.

The map, at a glance

FrameworkWhat it demands (the relevant slice)The Whisper artifact
EU Cyber Resilience Act (in force 10 Dec 2024; main obligations from 11 Dec 2027) Products with digital elements: secure by default, no known exploitable vulns at release, security updates for the support period, vulnerability handling & incident reporting Per-device identity with no shipped shared secret · publicly checkable revoke (the update/end-of-support kill-path) · per-/128 monitoring logs · signed attribution findings for the reporting duty
ETSI EN 303 645 & the UK PSTI Act (PSTI in force 29 Apr 2024) No universal default passwords; unique per-device credentials; a vulnerability-disclosure route The credential is structurally per-device (one leaf key, one /128) and no password exists to default. Met by construction, evidenced by the identity register
IEC 62443-4-2 / -3-3 Component & system identification and authentication control; least-privilege network flows DANE-EE-pinned device identity (the component authenticates itself cryptographically) · default-deny egress policy per /128
IEEE 802.1AR Secure device identity: an IDevID bound to the device in hardware The IDevID key is the derivation input; Whisper is the public, routable projection of the 802.1AR identity you already provisioned
BRSKI / RFC 8995 Bootstrapping the IDevID into an owner relationship Complementary: BRSKI establishes ownership at onboarding; the /128 + RDAP object is the public record of the owned identity thereafter
FDA §524B (cyber devices; premarket since Oct 2023) For medical-adjacent device makers: a cybersecurity plan, postmarket monitoring, SBOM Attributable per-device telemetry and egress logs (the postmarket monitoring record) · revoke as the documented compromise response. The SBOM itself is your build system's job, not ours
NIST IR 8259A IoT device core baseline: device identification, configuration, data protection, interface access control The /128 as the logical identifier bound to hardware · default-deny interface policy · per-identity audit trail

The EU CRA, in a little more depth

The CRA is the one with a countdown attached: hardware being specced now will still be on sale when the main obligations bite on 11 December 2027. Three of its demands land directly on this platform's shipped surface:

The evidence: real and shipped

Every row above is backed by a live artifact you can generate today, not a screenshot:

# the identity register, per device: public, DNSSEC-signed, third-party checkable
dig -x 2a04:2a01:e5a7:41c9:04d0:c85f:3a1b:77e2 +short
dig +short TLSA _443._tcp.04d0c85f3a1b77e2.<tenant>.agents.whisper.online
curl -s https://whisper.online/ip/2a04:2a01:e5a7:41c9:04d0:c85f:3a1b:77e2 | jq

# the monitoring record, per device: every query and connection, keyed to the /128
CALL whisper.agents({op:'logs', args:{agent:'<the device /128>', kind:'conn', from:'-30d'}})

# the response record: revoke, provable by its absence
CALL whisper.agents({op:'revoke', args:{agent:'<the device /128>'}})
curl -s https://whisper.online/verify-identity/<the device /128>   # -> {"is_whisper_agent": false}

SIEM & threat-intel export

Compliance evidence is only useful where your program already lives. The Splunk, Microsoft Sentinel and OpenCTI connectors ship today; findings arrive as signed, replayable JSON mapped to CEF and ECS fields. STIX 2.1 over TAXII export is on the roadmap, labelled as such, not yet available. A Splunk CIM mapping and a sample Sentinel analytics rule ship with the connectors.

What this is (and is not)

Next