Deep Dive: CRA Requirement (m) – Secure Deletion and Data Transfer

Data stored in connected products can outlive their useful life if not removed properly. Leftover information on reused or resold devices is a serious security and privacy risk, which is why the CRA introduces explicit obligations for handling it. Requirement (m), one of the 13 essential requirements of the Cyber Resilience Act, states:

“provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.”

This requirement ensures that when a device is reset, resold, or decommissioned, data is either permanently erased or, if continuity is needed, transferred securely without risk of exposure or manipulation.

What This Requirement Means

Think of returning a leased company car. You wouldn’t hand it back with your phone contacts, navigation history, or personal documents still stored in the infotainment system. The same principle applies to IoT and OT products: when a user resets or retires a device, their data and configuration must be permanently erased or securely transferred.

For users, this requirement ensures trust. They can hand over or repurpose a device without worrying that old data will be exposed. When continuity is required, manufacturers must implement dependable and user-friendly mechanisms to reset devices, wipe stored information, and enable secure migration.

From a security perspective, the risks of failing here are significant. Attackers can mine leftover data from abandoned devices and often resell or repurpose them. Similarly, insecure transfer mechanisms can expose sensitive configurations or operational data when migrating to new systems.

Relevant Standards and Guidelines

There are existing standards and frameworks that provide guidance on secure deletion and transfer:

• ISO/IEC 27040 (storage security): Covers the secure erasure and sanitisation of data at rest.

• ISO/IEC 27018 (cloud services): Includes principles for secure deletion and data portability.

• ETSI EN 303 645 (consumer IoT): Requires devices to support secure deletion and factory reset.

• EN IEC 62443-4-2 (industrial components): Defines technical controls for secure data handling, including deletion of sensitive information.

While these standards cover deletion and portability in general IT and consumer contexts, they provide limited guidance for embedded IoT and OT systems, where constraints on storage, processing, and user interfaces complicate implementation. CRA harmonised standards will need to define practical approaches for devices with limited capabilities and where configuration data may need to be migrated across vendor ecosystems.

How to Approach Implementation

Meeting requirement (m) involves building secure and user-friendly reset and migration functions into products.

Key capabilities to consider include:

• A clear and simple factory reset process that permanently removes all user data and settings

• Secure erasure methods that go beyond logical deletion (e.g., overwriting or cryptographic erasure)

• Mechanisms to verify that data has been wiped successfully

• Secure transfer options that use encryption and integrity checks to protect data during transfer

• Clear documentation for users on how to reset or transfer data safely

Many cloud service providers already offer features for secure data erasure, but manufacturers must not assume that every “delete” operation equals a secure erase. A detailed analysis is needed to confirm that deletion functions meet CRA expectations and that no residual data remains accessible.

In industrial IoT and OT systems, secure deletion is often complicated by the need to preserve operational continuity. While we assume that the main driver for this CRA requirement is consumer IoT products, industrial systems can also contain user-related data — for example, operator accounts or personal identifiers linked to system access. A clear separation between user-related data and configuration or operational data needed for critical processes can help prevent disruptions. This separation also makes it easier to securely manage and move different types of data, making sure that sensitive user data is deleted while important operational data stays accessible for ongoing use. Compatibility and interoperability remain key considerations when designing such approaches.

For embedded IoT devices, constraints make secure deletion challenging. Flash memory, for example, may not easily support overwriting. In such cases, cryptographic erasure, where encryption keys are destroyed to make data unreadable, is a practical alternative. Another option to simplify compliance is to avoid storing sensitive user data locally on the device at all, instead keeping it in the cloud where secure deletion can be more easily performed. Even low-resource devices must still provide a reliable reset that wipes any configuration data they do hold.

Critical considerations include designing deletion and transfer features to be accessible to all users, not hidden behind complex procedures. Products should also prevent partial resets that leave sensitive information behind, and secure transfer must protect against man-in-the-middle attacks or data tampering.

Compliance and Strategic Considerations

From a compliance perspective, Annex VII requires that the technical documentation describes how secure deletion and transfer are implemented. Annex II requires that the user guide explains how users can reset devices, what data is removed, and how transfers should be performed securely.

When deciding between vendor solutions and in-house development, consider that some secure deletion mechanisms (e.g., cryptographic erasure) may be available as part of storage or OS platforms, while migration paths often need to be designed product-specific. Vendor solutions rarely cover all use cases, so manufacturers must ensure gaps are addressed internally.

Requirement (m) addresses a long-standing trust issue in connected products: the persistence of data after devices are reused or decommissioned. By making secure deletion and transfer mandatory, the CRA raises the baseline for user protection and data hygiene. Companies that implement clear, reliable, and user-friendly reset and migration functions will not only meet compliance but also gain a competitive advantage by strengthening customer trust.

This completes our series on the 13 essential requirements of the Cyber Resilience Act. Together, these requirements set a new baseline for security in IoT and OT products, shaping both compliance strategies and product design for years to come.