Cyber Resilience Act and IoT hardware

How new EU regulations shape device selection and security requirements? The Cyber Resilience Act (CRA) represents a significant regulatory step by the European Union towards enhancing cybersecurity for internet-connected devices (IoT devices). This legislation fundamentally changes the way manufacturers design and certify their products and introduces new requirements for transparency and security throughout the entire product lifecycle.

The CRA is a European Union regulation that sets uniform security requirements for all digital products, especially IoT devices. Its goal is to ensure devices are designed securely from inception and remain protected against cybersecurity threats throughout their lifecycle. For manufacturers, the CRA mandates obtaining security certifications, implementing regular security updates, and clearly communicating vulnerabilities and update processes to users.

CRA is critical not only for manufacturers but also for users of IoT devices, enhancing the protection of their data and infrastructure against cyber threats, thus contributing to overall trust in technology and the digital economy.

How does CRA affect hardware requirements?

CRA imposes specific hardware requirements for IoT devices, including:

Security certification

Each device must pass certification to confirm compliance with security standards. This includes protection of data stored on the device, secure communication between devices, and resilience against cyberattacks.

Update mechanisms

Hardware must facilitate easy and secure software updates to promptly respond to newlydiscovered security threats.

Transparency

Manufacturers must provide detailed information about the security features of the devices and clear instructions on safe usage and management.

Interoperability

CRA promotes interoperability of security solutions, meaning selected hardware should seamlessly integrate with other certified devices and systems.

Practical considerations for hardware selection: hidden risks and the role of updates

When selecting IoT devices, such as smart metering converters or heterogeneous communication elements (LoRa, NB-IoT), it is essential to:

• Verify if the device has appropriate security certification according to CRA.
• Check how the manufacturer handles security updates and whether it provides transparent information about security measures.
• Ensure the device is compatible with other system components regarding security and interoperability.

Special attention should also be given to data that might initially seem less sensitive. For example, water consumption data might not appear as information needing protection. However, if someone accesses data from a smart water meter without sufficient security, they can easily determine whether a household is currently occupied or not – such as during holidays or prolonged absences. Such information could be exploited in ways ordinary users might not anticipate. Hence, CRA requires even these devices to maintain an appropriate security level.

Firmware Update Over The Air (FUOTA)

Another crucial factor is a device’s capability to receive remote updates, known as Firmware Update Over The Air (FUOTA). Devices lacking this capability require physical service by a technician, which can be logistically challenging and costly – often more expensive than the device itself. From a security perspective, FUOTA is practical and increasingly essential. It allows immediate response to newly identified vulnerabilities and enhances overall system sustainability and security without physical interventions.

‍

Careful device selection compliant with CRA not only increases overall system security but also mitigates risks of sanctions and restrictions from non-compliance with legislative requirements.

‍

Cyber Resilience Act FAQs

How does the CRA differ from existing cyber security regulations in the EU?

The CRA is unique in its scope – it focuses specifically on cybersecurity requirements for all connected digital products, including IoT devices, throughout their entire lifecycle. Unlike directives like the NIS2, which target organisational resilience, the CRA applies directly to product design, manufacturing, and post-sale responsibilities.

Which types of IoT devices are affected by the CRA?

The CRA applies to a broad range of digital products with data-processing capabilities connected directly or indirectly to other devices or networks. This includes smart meters, sensors, industrial control systems, consumer electronics, and embedded systems – even in sectors not traditionally regulated.

When does the Cyber Resilience Act take effect?

The CRA was adopted in 2024 and includes a 36-month transition period. That means compliance will be mandatory by 2027, although manufacturers are encouraged to prepare earlier to avoid market disruption or legal risk.

Do all IoT devices require certification under CRA?

Yes, all IoT devices sold in the EU must meet the certification requirements set by the Cyber Resilience Act.

Can existing products be grandfathered in under CRA rules?

No. The CRA applies to all products placed on the EU market after the regulation comes into effect. Legacy products must also meet requirements if they receive significant updates or remain on the market.

What documentation must manufacturers provide under the CRA?

Manufacturers must prepare a technical documentation file including risk assessments, compliance evidence, vulnerability handling procedures, and secure update mechanisms. This file is essential for certification and market approval.

How frequently must updates be carried out according to CRA?

Updates should be executed whenever a new security threat is identified. However, there is no minimum frequency set – it depends on the specific device type and threats.

What to do if a manufacturer does not provide transparent security information?

It is recommended to exclude such manufacturers and instead choose alternative solutions from certified suppliers with clear and transparent cybersecurity policies.