
ANALYZED WITH AXIVION

Kontron

CRA Compliance With Axivion

100% CRA Compliance

>1.5 million lines of code checked

>15,000 source code files included

About Kontron Europe GmbH

Kontron is a global leader in smart IoT Solutions. From automated industrial operations and smarter, safer transport to advanced communications, connectivity, medical, solar, and renewable solutions, Kontron develops and delivers technologies and products — from hardware and software to electronics manufacturing services — that add value for customers. Kontron offers a comprehensive portfolio of high-quality, long-term available and competitive motherboards - designed in Germany and made in Europe. The comprehensive line-up, ranging from compact Mini-STX to full-sized ATX form factors, fulfils a wide range of requirements for various applications across diverse vertical markets such as industrial automation, POS/POI, kiosks, digital signage, medical, casino gaming, video surveillance, and transportation. Kontron motherboards support the latest processors and chipset platforms and utilize advanced technology components.

Axivion not only allows us to comply with cybersecurity regulations. After just a few weeks we already noticed the quality of our code improving. It is easier to understand and maintain, leading to better accessibility of the flow of the software.

Nikolas Schütz, Software Development Engineer, Kontron Europe GmbH

Why Kontron chose Axivion

  • Axivion helps ensure compliance with the Cyber Resilience Act and IEC 62443
  • It is a highly customizable tool that also allows checking the Tianocore EDK2 rule set
  • An on-site solution was required
  • “Made in EU” with outstanding local support

How to Ensure Compliance With IEC 62443 and the Cyber Resilience Act (CRA)?

Like many companies around the world, the project team at Kontron Europe GmbH asked this question. While compliance with cybersecurity standards and regulations triggered the search for a suitable static code analysis tool, the team was not willing to compromise on its own high-quality standards - standards their customers have relied on for years. It was not just about finding a static code analysis tool - it was about finding the right one.

Besides fulfilling the requirements set by IEC 62443 and the CRA, the must-haves included:

  • No cloud-based solution, but an on-premises tool to honor third-party agreements
  • The possibility to also check the Tianocore EDK2 rule set
  • As one of the founding members of ITE (“IT aus Europa”), an association supporting the use of IT made in Europe, the ideal static code analysis tool needed to be “Made in EU”

After extensive research and comparison with other tools, Axivion was the only solution which met all requirements.


Project Setup

Firmware projects (UEFI BIOS) based on Tianocore EDK2 (AMI AptioV) for industrial x86 motherboards.

  • A team of 5 BIOS developers
  • OS: Windows 10
  • Compiler: MSVC 2015/2019
  • IDE: AMI VisualeBios (Eclipse) and Visual Studio Code

IEC 62443 vs. EU Cyber Resilience Act (CRA)

IEC 62443 and the EU Cyber Resilience Act (CRA) are connected through their shared goal of improving the cybersecurity of digital and connected products, but they differ in scope, depth, and legal nature.


IEC 62443

IEC 62443 is an international standard series focused on industrial automation and control systems. It provides detailed, technical cybersecurity requirements across the full product and system lifecycle. It explicitly addresses secure coding practices and supports techniques such as static code analysis as part of vulnerability identification and secure product development, particularly within supplier-focused requirements.


Cyber Resilience Act

The CRA is a mandatory EU regulation applicable to a broad range of products with digital elements placed on the EU market. It defines essential cybersecurity requirements such as secure-by-design development, vulnerability management, and timely security updates, but does not prescribe specific technical methods.

The two are complementary. IEC 62443 offers detailed technical guidance and concrete practices, including static code analysis, that can help manufacturers demonstrate compliance with the higher-level, legally binding obligations of the CRA.

Customization as Key to Success

Introducing a new tool always requires some initial work to set up, especially when dealing with a complex solution such as Axivion. However, it was this complexity that allowed the team at Kontron to achieve exactly what they needed without compromise.

The entire rollout was supported by Axivion experts, who spent two days on site at their offices in Augsburg to train the developers and help with the setup. After just one and a half days, the basic integration into Kontron’s development environment was completed, and the team could move on to customizing the rule set. During this phase in particular, the support from the experts was highly appreciated.

The high-quality support and fast response time of the experts were impressive. In particular when it came to implementing and developing the EDK2 rule set to be analyzed with Axivion, we greatly appreciated the collaboration with Qt Group.

Christian Stock, Software Development Engineer, Kontron Europe GmbH

Beyond CRA Compliance: Clean, Maintainable Code Through Extensive Coding Guideline Checks

Kontron uses Axivion to be CRA compliant

Once Axivion had been integrated into Kontron’s workflows and processes, the main goal – compliance with IEC 62443 and the CRA – was achieved. But the developers quickly noticed other benefits as well. Thanks to the in-depth analysis, coding guidelines were enforced more consistently, and the overall look and structure of the code began to align.

This not only improved the readability and structure of the software; flagging McCabe complexity violations (a check included in Axivion’s standard rule sets) also made the code easier to understand. Kontron now uses Axivion to ensure compliance with the EDK2 rules (style guide and security checks, which partially follow MISRA guidelines) and applies it to new projects as well as to the maintenance of its own code. Automated weekly builds (GitLab CI/CD) are used to track progress.
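To make the McCabe check mentioned above concrete, here is an added illustration of how a cyclomatic-complexity rule works. It is not Axivion's analysis or Kontron's configuration: it is a deliberately simple regex-based estimator that strips comments and string literals from a C translation unit, counts the decision points in each function body (plus one), and reports functions above a threshold so that a CI job such as a weekly build can fail on regressions. The threshold of 10 is McCabe's classic recommendation, assumed here; the C sample is constructed for the demonstration and is not Kontron code.

```python
"""Heuristic McCabe (cyclomatic) complexity checker for C functions.

Added illustration, not Axivion's own analysis: it counts decision points
per function body the way a simple coding-guideline check would, then lists
functions above a threshold so a CI job can fail the build on regressions.
"""
import re

# Decision points that add an independent path through the function.
_DECISION_RE = re.compile(r"\b(?:if|for|while|case)\b|&&|\|\||\?")
# "name(args) {" at file scope; control-flow keywords are filtered out below.
_FUNC_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^()]*)\)\s*\{")
_KEYWORDS = {"if", "for", "while", "switch", "else", "do", "return", "sizeof"}
# McCabe's original recommended ceiling; an assumption here, not Kontron's setting.
DEFAULT_THRESHOLD = 10


def strip_comments_and_strings(src: str) -> str:
    """Remove comments and literal contents so an 'if' in a comment is not counted."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.DOTALL)   # block comments
    src = re.sub(r"//[^\n]*", " ", src)                       # line comments
    src = re.sub(r'"(?:\\.|[^"\\])*"', '""', src)             # string literals
    src = re.sub(r"'(?:\\.|[^'\\])*'", "''", src)             # char literals
    return src


def _body_end(src: str, open_idx: int) -> int:
    """Return the index just past the brace matching src[open_idx] == '{'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces")


def cyclomatic_complexity(body: str) -> int:
    """McCabe number for one function body: decision points + 1."""
    return len(_DECISION_RE.findall(body)) + 1


def function_complexities(src: str) -> dict:
    """Map each function defined in a C translation unit to its complexity."""
    clean = strip_comments_and_strings(src)
    result = {}
    pos = 0
    while True:
        m = _FUNC_RE.search(clean, pos)
        if m is None:
            break
        if m.group(1) in _KEYWORDS:      # e.g. a file-scope macro body; skip it
            pos = m.end()
            continue
        open_idx = m.end() - 1           # index of the opening brace
        end = _body_end(clean, open_idx)
        result[m.group(1)] = cyclomatic_complexity(clean[open_idx:end])
        pos = end                        # resume after the body, never inside it
    return result


def violations(src: str, threshold: int = DEFAULT_THRESHOLD) -> list:
    """Functions whose complexity exceeds the threshold, as sorted (name, value) pairs."""
    return sorted((n, c) for n, c in function_complexities(src).items() if c > threshold)


# Constructed sample (not Kontron code): a firmware-style helper with several
# branches, plus a trivial one. Comments mention "if" to show they are ignored.
SAMPLE_C = r"""
/* Header parser; the word "if" in this comment must not be counted. */
static int ParseHeader(const unsigned char *buf, unsigned int len)
{
    if (buf == NULL || len < 4) {
        return -1;                      // if && || in comments are ignored too
    }
    for (unsigned int i = 0; i < len; i++) {
        if (buf[i] == 0xFF && i + 1 < len) {
            return (int)i;
        }
    }
    switch (buf[0]) {
    case 0x01: return 1;
    case 0x02: return 2;
    default:   return 0;
    }
}

unsigned int Crc8Step(unsigned int crc, unsigned char data)
{
    return (crc ^ data) & 0xFFu;
}
"""

if __name__ == "__main__":
    for name, value in sorted(function_complexities(SAMPLE_C).items()):
        print(f"{name}: complexity {value}")
    failing = violations(SAMPLE_C, threshold=DEFAULT_THRESHOLD)
    for name, value in failing:
        print(f"VIOLATION: {name} exceeds {DEFAULT_THRESHOLD} ({value})")
    raise SystemExit(1 if failing else 0)   # non-zero exit fails a CI job
```

On the sample, ParseHeader scores 8 (two `if`, one `for`, one `||`, one `&&`, two `case`, plus one) and Crc8Step scores 1, so nothing fails at the default ceiling of 10 but ParseHeader would be reported with a stricter limit of 5. A real analyzer parses the code properly instead of using regexes; the point of the sketch is the metric and the pass/fail gate, not the parsing.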

Encouraged by the positive results, Kontron plans to expand the use of Axivion across further departments.

Need more information?

Ready to be CRA compliant and improve your software quality like Kontron?

Request a meeting with one of our experts to find out how Axivion can help you ensure the high quality of your code.
