Platanor Technologies

Security-first embedded systems for IoT and connected devices.

We help companies build secure embedded and IoT devices - from security architecture to production deployment.

This includes provisioning, attestation, authentication, and secure communication.

Built to meet modern cybersecurity requirements such as the Cyber Resilience Act (CRA).

For device manufacturers, IoT companies, and hardware startups building connected products.

Production hardware experience • security-focused architecture • senior embedded engineers

WHAT WE DO

01

Security Architecture

We design and implement embedded security architecture for connected and IoT devices - including device identity, device provisioning, authentication, and secure communication.

02

Prototype to Production

From first prototype to production deployment.

03

CRA Readiness

Security & Compliance Challenges addressed: Gap between regulatory requirements (CRA) and actual system design.

When Clients Typically Contact Us

Companies typically engage us when:

  • A new connected device needs security architecture from the start
  • Security must be added to an existing embedded system
  • A secure provisioning process is required for manufacturing
  • Backend systems must reliably verify device authenticity

This usually occurs between early prototyping and preparation for manufacturing.

Where our clients start

New product in development
Preparing for manufacturing
Already on the EU market

CRA requirements apply at every stage

HOW WE BUILD IT

Security in layers. Each one verified.

SECURITY LAYERS

Secure Boot

Every boot sequence is cryptographically verified against a root of trust burned into OTP memory at manufacturing. The device rejects unsigned firmware before the application runs — even if an attacker can rewrite the flash.

# Secure boot chain [ROM] Bootloader key hash vs eFuse: OK [BOOT] Checking image signature... [BOOT] ECDSA-P256 verification: OK [BOOT] Anti-rollback counter: 3 >= 3 OK [BOOT] Jumping to application at 0x00010000
→ CRA Annex I Part I §(2)(f): verified

Why Platanor

Security must be designed into the system from the beginning - it cannot be reliably added later.

Security-first architecture

Security is designed as a core system property - not added later. We design device identity, provisioning, authentication, and secure communication as fundamental architectural elements.

Deep embedded expertise

Our work happens close to the hardware: firmware, RTOS-based systems, communication protocols, and device-level security mechanisms.

Full-stack

From firmware and tools to companion apps and backend servers. Hardware, firmware, device software, and backend integration are designed together. This avoids the common problem of fragmented development across multiple vendors.

Production-ready mindset

We design systems for the entire lifecycle of a device - from development and manufacturing to provisioning, deployment, and long-term operation.

Regulatory-driven reality

Modern regulations such as the Cyber Resilience Act (CRA) require manufacturers to implement proper device security. We translate these requirements into concrete engineering decisions and production-ready systems.

Listed on

TechBehemoths logoGoodFirms logoCrunchbase logo

Frequently Asked Questions

Practical answers about the Cyber Resilience Act and how we work. If your question is not here, ask us directly.

Does the CRA apply to our product?

If your product connects to a network or another device - directly or indirectly - and is sold in the EU, the CRA almost certainly applies. This covers consumer IoT, industrial sensors, smart home appliances, and most hardware products with digital elements. A few categories are excluded because they are already covered by other EU regulation, such as medical devices and vehicles.

Our device is not a “security product”. Does this still apply to us?

Yes. Even seemingly simple connected devices such as smart home appliances can introduce serious risks if security is not designed properly - they connect to networks, store credentials, and interact with cloud services. The CRA was introduced in response to these real risks. Security is not optional - it is a fundamental requirement for any connected device.

What are the actual deadlines?

Two dates matter. From September 11, 2026, manufacturers must report actively exploited vulnerabilities and serious incidents. From December 11, 2027, the full CRA requirements apply to every product placed on the EU market on or after that date.

What happens if we do nothing?

Non-conforming products can face fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, and can be withdrawn from the EU market. In practice the bigger cost is usually the forced redesign: security retrofitted after production is far more expensive than security designed in from the start.

When is the right time to bring you in?

The earlier, the easier - architectural decisions such as device identity, secure boot, key storage, and provisioning are cheapest to get right before production. Products already on the EU market are not off the hook either: vulnerability reporting applies to them from September 2026, and the full requirements land once you substantially modify them. We work with both: designing security into new products and closing gaps in existing ones.

How do we find out where we stand today?

Run our free CRA Readiness Check: 56 questions across 9 security domains, instant results, no signup. It takes 20-35 minutes and gives you a domain-by-domain breakdown of the gaps.

Start the free check

CRA Compliance Deadline: December 11, 2027

If you build connected devices for the EU market, CRA compliance is not optional - and the deadline is closer than you think. We help device manufacturers become compliant before it's too late.