Preparing for Automated Regulatory Compliance with RISC-V

What Was Announced

At Open Source Summit North America 2025, the Yocto Project unveiled a series of strategic developments aimed at advancing embedded Linux adoption and regulatory readiness. Most notably, RISC-V International has upgraded to Platinum Member status through a partnership with the RISE Project, formalizing Yocto’s support for all RISC-V profiles. In addition, Ericsson and Schneider Electric joined as Gold Members, signaling strong adoption across telecommunications and industrial automation sectors. The project also released new guidance to help members align with the European Union’s Cyber Resilience Act (CRA), in collaboration with Linux Foundation Research, OpenSSF, and SPDX. These announcements show Yocto’s growing influence at the intersection of open hardware, embedded Linux, and software supply chain security.

Analyst Take

The Yocto Project has long served as an essential part of embedded Linux development, offering modular, architecture-agnostic tooling to streamline custom OS builds. The formalization of support for RISC-V is a significant milestone. RISC-V adoption is accelerating across edge, IoT, and low-power compute sectors, where hardware customization and cost control are critical. As theCUBE Research has noted, “The future of compute is heterogeneous, and that future is being written in open source.” By elevating RISC-V to a first-class citizen in Yocto’s test infrastructure, the project is removing friction for developers who need predictable, production-grade support across hardware platforms.

This move also speaks to broader trends in the application development and modernization landscape. Developers are increasingly operating in cross-architecture environments, balancing x86, ARM, and now RISC-V for performance, energy efficiency, or regional compliance. With RISC-V entering the mainstream, having a consistent and tested Linux base layer is essential for scaling real-world workloads. The Yocto Project’s test matrix improvements and enhanced documentation should support a smoother onboarding process, shortening time to value for embedded developers and system integrators.

The addition of Ericsson and Schneider Electric as Gold Members signals Yocto’s importance beyond traditional embedded systems into large-scale industrial and telecom deployments. These industries demand long lifecycle support, high reliability, and compliance with evolving regulatory frameworks. Yocto’s metadata-driven approach allows these companies to manage reproducibility, customization, and traceability, features that are increasingly critical for DevSecOps across connected devices and real-time applications.

Perhaps most strategically, Yocto’s proactive engagement with the Cyber Resilience Act (CRA) reveals how open source foundations are adapting to regulatory mandates. The CRA has far-reaching implications for firmware and embedded systems, requiring transparent software bills of materials (SBOMs), vulnerability management, and secure update practices. Yocto’s collaboration with OpenSSF and SPDX demonstrates that compliance and innovation aren’t mutually exclusive. Developers now have a trusted ecosystem with pre-integrated tools to help meet security requirements without duplicating effort or disrupting workflows.

Looking Ahead

The next phase for the Yocto Project will likely focus on deepening integrations with SBOM and software supply chain tooling, making regulatory compliance not just possible but automated. We expect new community releases to further refine reproducibility, source traceability, and vulnerability scanning pipelines, helping developers confidently align with CRA, NIST SP 800-218, and other emerging standards. This positioning will be especially important for industries deploying software at the edge, where regulatory scrutiny is rising.

Even further ahead, Yocto’s alignment with open hardware like RISC-V positions it well for next-generation embedded Linux deployments. Whether supporting cloud-connected devices, industrial gateways, or telecom infrastructure, Yocto continues to evolve as both a technical and strategic foundation for modern embedded systems development.

Authors

  • Paul Nashawaty

    Paul Nashawaty, Practice Leader and Lead Principal Analyst, specializes in application modernization across build, release and operations. With a wealth of expertise in digital transformation initiatives spanning front-end and back-end systems, he also possesses comprehensive knowledge of the underlying infrastructure ecosystem crucial for supporting modernization endeavors. With over 25 years of experience, Paul has a proven track record in implementing effective go-to-market strategies, including the identification of new market channels, the growth and cultivation of partner ecosystems, and the successful execution of strategic plans resulting in positive business outcomes for his clients.

  • With over 15 years of hands-on experience in operations roles across legal, financial, and technology sectors, Sam Weston brings deep expertise in the systems that power modern enterprises such as ERP, CRM, HCM, CX, and beyond. Her career has spanned the full spectrum of enterprise applications, from optimizing business processes and managing platforms to leading digital transformation initiatives.

    Sam has transitioned her expertise into the analyst arena, focusing on enterprise applications and the evolving role they play in business productivity and transformation. She provides independent insights that bridge technology capabilities with business outcomes, helping organizations and vendors alike navigate a changing enterprise software landscape.
