Blog | FEB 04, 2025

The EU Cyber Resilience Act Explained for IoT

Cyber Resilience Act | Industrial IoT

The Cyber Resilience Act, a regulation proposed by the European Commission, is set to revolutionize the cybersecurity landscape for IoT devices within the European market.

Once fully enforced, this landmark legislation will require manufacturers and developers of IoT products to implement stringent cybersecurity measures to ensure resilience throughout the product's lifecycle. This act will also significantly empower users by requiring manufacturers to provide free, automatic security updates and proactively inform users about potential security risks. The Cyber Resilience Act marks a new era in cybersecurity, setting a new "gold standard" for the industry and fortifying the digital landscape against evolving threats. 

CRA regulation timeline and key facts  

The Cyber Resilience Act was adopted by the European Commission on 20 November 2024 and came into force on 11 December 2024.

Key points of the CRA encompass: 

  • Mandatory risk assessments 

  • Implementation of technical security requirements

  • Reporting requirements for vulnerability handling 

  • Free security updates over 5 years or the expected product lifetime 

  • In case of violation: fines of up to €15 million or 2.5% of global turnover

As the CRA was passed at the end of 2024, manufacturers of IoT products will have 36 months to comply, with the main obligations coming into force on 11 December 2027. However, the reporting requirements will become enforceable 21 months after the CRA comes into force, and the technical requirements will become enforceable after a further 15 months.

This timespan should be taken very seriously by manufacturers, as non-compliance results in penalties of up to €15 million or 2.5% of global turnover. Product recalls and the denial of CE certification can be additional consequences.

The CRA will affect all manufacturers and producers of IoT products, such as charging stations, industrial IoT devices and sensors, medical devices (unless they are subject to the regulation on medical devices (EU) 2017/745 or the regulation on in vitro diagnostic medical devices (EU) 2017/746), and consumer products like smart watches or smart toothbrushes (the exact categorization of the different IoT products is explained later in this blog post).

CRA Timeline

What manufacturers and developers of digital products need to do  

The CRA affects companies placing products on the market with the following criteria and properties: "products with digital elements whose intended, or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network". A product with digital elements is defined as "any software or hardware product and its remote data processing solutions, including software or hardware components intended to be marketed separately." Notably, the ability to communicate with other products or components (either wirelessly or via cable) indicates that a product falls under the CRA. The regulation also applies to software and hardware components available on the market that are meant to be integrated into a product rather than used directly by end users. To find out whether your products are affected by the CRA, you can try the "CRA Self Check" from our CRA Knowledge Hub.

To comply with the CRA, manufacturers of IoT products must fulfil requirements in the following areas:

  • Risk assessments 

  • Implementation of cybersecurity requirements 

  • Product documentation 

  • Vulnerability handling and reporting

Cybersecurity assessment

As a starting point for compliance with the CRA, manufacturers shall conduct a cybersecurity risk assessment. The cybersecurity risk assessment should include an analysis of cybersecurity risks based on the intended use of the IoT product. Additionally, it should indicate how the manufacturer aims to apply the technical security requirements. 

Implementation of technical security requirements

The 13 essential cybersecurity requirements cover different properties that products with digital elements need to fulfil according to the level of risk identified in the cybersecurity risk assessment. For example, these requirements cover how data integrity and confidentiality must be protected, how security-related information must be recorded and provided to meet the reporting obligations of the CRA, and how updates must be enabled to address new vulnerabilities over the lifetime of a product.

In particular, the "post-market" duties present a major change for manufacturers of IoT products, as they require manufacturers to enable over-the-air updates for security vulnerabilities over a period of 5 years or the expected lifetime of the product.

The full list of technical security requirements can be found below.

Technical Security Requirements for CRA

Product documentation

Manufacturers of IoT products must fulfil the following mandatory documentation requirements. All documentation must be retained after the product is placed on the market for 10 years or for the duration of the support period, whichever is longer:

  • Technical Documentation: This includes relevant cybersecurity details such as identified vulnerabilities, third-party information, and updates to the risk assessment.  

  • EU Declaration of Conformity: This document demonstrates compliance with essential requirements.  

  • User Information & Instructions: These guides on safe installation, operation, and use must be clear and easy to understand for users and authorities. 

Vulnerability handling and reporting

Manufacturers must handle and report any identified risks, vulnerabilities, and incidents associated with their products that fall under the CRA regulation. The 8 vulnerability handling requirements aim to enhance cybersecurity measures and enable coordinated responses to vulnerabilities and incidents. 

  • Inform CSIRT of any vulnerabilities in their products within 24 hours, including details of the vulnerability and corrective actions taken. 

  • Notify CSIRT within 24 hours of any incidents affecting product security, including information on severity, impact, and any suspected unlawful acts. The market surveillance authority should also be informed. 

  • Promptly inform users about incidents and provide mitigation measures. 

  • Report vulnerabilities in integrated components to the respective maintainers.

CRA Vulnerability Handling and Reporting

Which products are affected  

The Cyber Resilience Act covers products with digital elements, which includes IoT products. Products with digital elements are categorized in 4 main categories by the Cyber Resilience Act, depending on the intended use and type of product. The categorization in the CRA is very similar to the one of the NIS2 directive. The categories within the CRA are:

  • Default category

  • Important products Class 1

  • Important products Class 2

  • Critical products

Product Classes for CRA

90% of all IoT products will be classified as “non-important products”. Examples would be smart watches, smart toothbrushes, or smart toys. To give organizations a better idea about the classification of “important products” and “critical products” the EU provides a list of examples.

Examples for “Important Products Class 1” are: 

  • Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers 

  • Products with digital elements with the function of virtual private network (VPN) 

  • Security information and event management (SIEM) systems 

  • Public key infrastructure and digital certificate issuance software 

  • Operating systems 

  • Routers, modems intended for the connection to the internet, and switches 

  • Microprocessors with security-related functionalities 

  • Microcontrollers with security-related functionalities 

  • Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities 

  • Smart home general purpose virtual assistants 

  • Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems

Examples for “Important Products Class 2” are: 

  • Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments 

  • Firewalls, intrusion detection and prevention systems 

  • Tamper-resistant microprocessors 

  • Tamper-resistant microcontrollers

Examples for “Critical Products” are: 

  • Hardware Devices with Security Boxes

  • Smart meter gateways within smart metering systems as defined in Article 2(23) of Directive (EU) 2019/944 of the European Parliament and of the Council and other devices for advanced security purposes, including for secure crypto processing

  • Smartcards or similar devices, including secure elements

For manufacturers of IoT products, it is very important to know how their products will be categorized. One major difference is that compliance with the CRA for "important products" and "critical products" must be assessed by a third party or notified body, whereas manufacturers of products classified in the "default category" can perform a self-assessment.

This content piece is one of many unpacking the CRA in detail; find the full overview in our CRA Guide.

How Tributech can help 

Tributech addresses several areas crucial for maintaining the security and integrity of IoT products throughout their lifecycle. Through its technical regulation consulting services, Tributech and its global partner ecosystem conduct gap analyses for regulatory frameworks such as the CRA, ESPR, Data Act, and AI Act, translating complex requirements into clear technical specifications and developing implementation roadmaps tailored to compliance needs. In the area of implementation support, Tributech helps organizations build and maintain scalable data platform services, supports embedded IoT development and integration, and enables the deployment of industrial IoT solutions across various domains.

Additionally, Tributech provides a secure data integration technology that enables enterprises and IoT platform/product OEMs to secure their devices and comply with the EU Cyber Resilience Act through several key measures. The technology takes a zero-trust approach by notarizing data (creating a cryptographic "fingerprint") directly at the source or sensor. This fingerprint is then anchored in an immutable security layer, establishing the root of trust. Once the data is secured, its integrity can be verified throughout its entire lifetime. With this approach, Tributech is the first vendor helping companies establish a zero-trust solution for securing critical IoT data used for automating processes and making data-driven decisions. The Tributech platform addresses several areas crucial for maintaining the security and integrity of IoT devices throughout their lifecycle:

  • Data Integrity Verification: Tributech ensures the integrity and authenticity of data from the moment it is generated by the device and throughout its entire lifecycle. This continuous verification process helps in maintaining trust in the data collected from IoT devices, which is essential for making informed decisions and performing accurate analyses. 

  • Secure Connections: Tributech facilitates the secure connection of IoT devices to central systems, including cloud-based data processing applications. This involves implementing robust security protocols to safeguard data during transmission, ensuring that sensitive information remains protected from unauthorized access and tampering. 

  • Certificate Life Cycle Management: The platform includes comprehensive certificate life cycle management capabilities. This ensures that digital certificates, which are essential for authenticating devices and establishing secure communications, are properly managed. Tributech handles the issuance, renewal, and revocation of certificates, maintaining ongoing secure connections between devices and IoT backends. 

  • Secure Over-the-Air Software Updates: Tributech supports the implementation of secure over-the-air (OTA) software updates, enabling manufacturers to deliver necessary security patches and updates seamlessly. This functionality ensures that devices can be updated to address emerging vulnerabilities and threats, maintaining a high level of security without requiring physical access to the devices. 

  • Hardware Security Integration: Tributech integrates hardware security measures to provide an additional layer of protection. This includes the use of secure elements and trusted execution environments (TEEs) that safeguard sensitive operations and data within the device. By combining hardware and software security, Tributech enhances the overall resilience of IoT devices against various types of attacks. 

  • Works with Any Edge and Embedded IoT Devices: Tributech's solutions are designed for compatibility with a wide range of edge and embedded IoT devices, ensuring broad applicability across various industries and use cases. Whether dealing with simple sensors or complex edge / embedded systems, Tributech's platform offers one technology to integrate any device, harmonizing the entire fleet of devices and 3rd party solutions. This flexibility means Tributech can secure and verify data across diverse sectors, such as industrial automation, healthcare, and smart cities. By supporting various communication protocols and data formats, Tributech ensures seamless integration, enhancing the security and efficiency of IoT deployments across different environments and vendors. 

By addressing these critical aspects, Tributech enables manufacturers to not only meet regulatory requirements but also enhance the overall security posture of their IoT products. This comprehensive approach ensures that IoT devices remain secure, reliable, and trustworthy throughout their operational life. 

To get more information about the CRA and its requirements for IoT products, download our extensive summary and explore our CRA Knowledge Hub.
