IOT Consulting Partners

How Not to Be Afraid of the CRA

2 October 2025, by Michel Wouters
EU Cyber Resilience Act compliance for IoT devices – secure CE mark, cybersecurity by design, deadline 2027

It was first proposed in 2022, approved in 2024 and enacted in 2025. Beginning December 11, 2027, the EU Cyber Resilience Act will require that wireless and wired IoT products comply with strict cybersecurity requirements; otherwise they cannot bear the CE mark or be sold in the EU marketplace.

Every product that can process digital data, wireless or wired (as in connected via Ethernet), that combines IoT hardware and embedded software with cloud-based services, from refrigerators and baby monitors to smart watches, must meet the new requirements. And, for the first time, product manufacturers, their authorized representatives, product importers and distributors will all be held accountable to the stricter standards throughout the life of their products, with the possibility of stiff penalties for non-compliance. Likewise, every commercially available piece of software or hardware that makes digital data processing possible falls under the CRA. Cloud-based services offered as SaaS (Software as a Service) do not fall under the CRA.

You can imagine how the EU’s CRA was met by digital product brands worldwide. While “panic” may be too strong a term to describe their reaction, it has caused significant concern and a sense of urgency among manufacturers scrambling for the means to comply.

👉 If you missed my keynote “From Lost Luggage to Lost Control” about the CRA at The Things Conference 2025, you can watch the full talk here on YouTube: Watch the keynote

Don’t Be Scared, Be Prepared

Parts of the CRA are already in effect. As of August 1, 2025, products need to meet the requirements of the delegated act 2022/30/EU. This is in effect a first step of the CRA for wireless equipment, a sort of "see how this goes" phase. Since these are directives, every member state of the EU and EFTA can add its own rules if it likes. So wireless products already need to comply with this test phase.

The full weight of the CRA doesn’t become mandatory until 2027, so there is time for you to pivot from the standards of the Radio Equipment Directive (RED) to the new security accountability standards of the CRA. Whereas RED pertained to avoiding disruption or misuse, CRA raises the stakes, extending to all products with digital elements for their full lifecycle.

While at first glance this may seem too broad and nearly insurmountable, assembling a plan that addresses the following steps can help you get there in time and wear your CE mark proudly.

Secure by Design & Default

Under RED, security was mainly about radio equipment safety and interoperability. CRA demands more: products must be secure by design and default.

For IoT products, that means conducting threat modeling during each phase of the design process and building an inventory of components (hardware, firmware, open-source libraries) along the way. Manufacturers should also document risks with a formal risk assessment and address them fully before market placement.

Your CE compliance plan should build in these steps so that design evidence (architecture diagrams, test results, security requirements) becomes part of your technical documentation.

Fix It Before It Breaks

The CRA will prohibit products from shipping with any known exploitable vulnerabilities. Manufacturers must be able to show that they can systematically identify, prioritize and remediate any and all weaknesses.

That requires continuous vulnerability scanning across codebases and third-party components, with those scans linked directly to your Software Bill of Materials (SBOM) and to the Common Vulnerabilities and Exposures (CVE) records. Once you generate your SBOM, you can check it against the CVE databases.

This will tell you whether any part of your software includes a published vulnerability, so you can patch or mitigate the risk. Those risks then need to be handled by a Product Security Incident Response Team (PSIRT) responsible for triage and documentation, integrated into post-market surveillance within the required timelines.
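The SBOM-to-CVE check described above, written out as an added example (it is not code from the page or from IoT Consulting Partners). It parses a small CycloneDX-style SBOM, matches each shipped component and version against an advisory feed, and orders the findings by severity so the PSIRT sees the most urgent item first. The SBOM, the advisory records and the `CVE-EXAMPLE-*` identifiers are constructed for the example; a real pipeline would pull the feed from a CVE database and the SBOM from the build:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Minimal subset of a CycloneDX-style SBOM: only the fields this check needs.
// The shape below is an assumption for this example, not the full schema.
type sbomComponent struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type sbom struct {
	Components []sbomComponent `json:"components"`
}

// advisory is one record from a vulnerability feed. Affected lists exact
// versions; real feeds use version ranges, which this example keeps simple.
type advisory struct {
	ID        string
	Component string
	Affected  []string
	Severity  float64 // CVSS-style base score used for prioritisation
	Fixed     string  // first version that carries the fix
}

// finding ties a shipped component to an advisory that affects it.
type finding struct {
	CVE       string
	Component string
	Version   string
	Severity  float64
	FixedIn   string
}

// Constructed SBOM: what the firmware image actually ships.
const sampleSBOM = `{
  "components": [
    {"name": "mbedtls", "version": "2.28.0"},
    {"name": "lwip",    "version": "2.1.3"},
    {"name": "cjson",   "version": "1.7.15"}
  ]
}`

// Constructed advisory feed. The IDs are placeholders, not real CVE numbers.
var sampleFeed = []advisory{
	{ID: "CVE-EXAMPLE-0001", Component: "mbedtls", Affected: []string{"2.28.0", "2.28.1"}, Severity: 7.5, Fixed: "2.28.2"},
	{ID: "CVE-EXAMPLE-0002", Component: "cjson", Affected: []string{"1.7.14"}, Severity: 5.3, Fixed: "1.7.15"},
	{ID: "CVE-EXAMPLE-0003", Component: "lwip", Affected: []string{"2.1.3"}, Severity: 9.8, Fixed: "2.2.0"},
}

// matchSBOM parses the SBOM and returns every component/advisory pair whose
// shipped version is in the advisory's affected list, highest severity first.
func matchSBOM(sbomJSON string, feed []advisory) ([]finding, error) {
	var doc sbom
	if err := json.Unmarshal([]byte(sbomJSON), &doc); err != nil {
		return nil, fmt.Errorf("parse sbom: %w", err)
	}
	// Index the feed by component name so each SBOM entry is one lookup.
	byComponent := map[string][]advisory{}
	for _, a := range feed {
		key := strings.ToLower(a.Component)
		byComponent[key] = append(byComponent[key], a)
	}
	var out []finding
	for _, c := range doc.Components {
		for _, a := range byComponent[strings.ToLower(c.Name)] {
			for _, v := range a.Affected {
				if v == c.Version {
					out = append(out, finding{CVE: a.ID, Component: c.Name, Version: c.Version, Severity: a.Severity, FixedIn: a.Fixed})
					break
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Severity > out[j].Severity })
	return out, nil
}

// shipBlocked reports whether any finding reaches the severity the release
// process treats as a blocker. The threshold is a policy choice, not a CRA number.
func shipBlocked(findings []finding, threshold float64) bool {
	for _, f := range findings {
		if f.Severity >= threshold {
			return true
		}
	}
	return false
}

func main() {
	findings, err := matchSBOM(sampleSBOM, sampleFeed)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s severity=%.1f fixed in %s\n", f.CVE, f.Component, f.Version, f.Severity, f.FixedIn)
	}
	fmt.Println("release blocked:", shipBlocked(findings, 7.0))
}
```

Run as-is, it reports the lwip and mbedtls matches (cjson 1.7.15 is already at the fixed version) and blocks the release at the 7.0 threshold. Keeping the match keyed on the SBOM rather than on a manual list is what makes the evidence reproducible for the technical file: the same SBOM and feed snapshot give the same findings.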

Reach Out with Transparency Whenever Necessary

Under the CRA, you'll need to provide secure, free updates for all IoT products throughout the declared support period, and these must be delivered through secure, tamper-resistant and encrypted channels. But if installing an update is not seamless and clear, you risk causing "update fatigue" among your product users.

Planning ahead for updates means defining realistic support lifecycles for every device family. You'll need to commit resources to update servers, cryptographic signing and secure rollback prevention.
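The device-side half of what the paragraph above asks for, as an added example rather than code from the page or from IoT Consulting Partners: a vendor signs an update manifest with Ed25519, and the device verifies the signature, the product identity, a monotonic version counter (the rollback check) and the image digest before it accepts anything. The manifest layout, the product name and the constructed firmware images are assumptions for this example; a production format such as SUIT carries more fields, and the signing key would live in an HSM rather than in process memory:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// manifest is the signed description of one update image (field set assumed for this example).
type manifest struct {
	Product string `json:"product"`
	Version uint32 `json:"version"` // monotonic counter, not a marketing version string
	SHA256  string `json:"sha256"`  // hex digest of the image payload
}

// device models the state a bootloader keeps in tamper-resistant storage.
type device struct {
	product   string
	vendorKey ed25519.PublicKey // provisioned at manufacture
	installed uint32            // version currently running
}

var (
	errBadSignature = errors.New("manifest signature invalid")
	errRollback     = errors.New("update version not newer than installed")
	errDigest       = errors.New("image digest does not match manifest")
	errProduct      = errors.New("manifest is for a different product")
)

// signManifest is the release pipeline's step: serialise, then sign the exact bytes.
func signManifest(priv ed25519.PrivateKey, m manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// applyUpdate is the device-side check order: signature first, so unsigned
// input is never parsed; then product; then anti-rollback; then image digest.
// The stored version is bumped only after every check passes.
func (d *device) applyUpdate(body, sig, image []byte) error {
	if !ed25519.Verify(d.vendorKey, body, sig) {
		return errBadSignature
	}
	var m manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return err
	}
	if m.Product != d.product {
		return errProduct
	}
	if m.Version <= d.installed {
		return errRollback
	}
	if fmt.Sprintf("%x", sha256.Sum256(image)) != m.SHA256 {
		return errDigest
	}
	d.installed = m.Version
	return nil
}

// runScenario exercises the checks end to end and returns each step's outcome
// in order. Keys are generated fresh so the example runs offline.
func runScenario() ([]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, rogue, err := ed25519.GenerateKey(rand.Reader) // a key the device was never provisioned with
	if err != nil {
		return nil, err
	}
	dev := &device{product: "sensor-x1", vendorKey: pub, installed: 2}
	imageA := []byte("constructed firmware image v3")
	imageB := []byte("constructed firmware image v4")

	mk := func(k ed25519.PrivateKey, v uint32, img []byte) ([]byte, []byte) {
		body, sig, err := signManifest(k, manifest{Product: "sensor-x1", Version: v, SHA256: fmt.Sprintf("%x", sha256.Sum256(img))})
		if err != nil {
			panic(err)
		}
		return body, sig
	}
	var results []error
	b3, s3 := mk(priv, 3, imageA)
	results = append(results, dev.applyUpdate(b3, s3, imageA)) // legitimate update: nil
	results = append(results, dev.applyUpdate(b3, s3, imageA)) // same manifest replayed: errRollback
	b4, s4 := mk(priv, 4, imageB)
	results = append(results, dev.applyUpdate(b4, s4, imageA)) // valid manifest, wrong image: errDigest
	b5, s5 := mk(rogue, 5, imageB)
	results = append(results, dev.applyUpdate(b5, s5, imageB)) // signed by an unknown key: errBadSignature
	return results, nil
}

func main() {
	results, err := runScenario()
	if err != nil {
		panic(err)
	}
	for i, r := range results {
		fmt.Printf("step %d: %v\n", i+1, r)
	}
}
```

The ordering matters as much as the primitives: verifying the signature before parsing keeps untrusted bytes out of the JSON decoder, and comparing the version counter before the digest means a replayed old-but-genuine manifest is rejected without ever touching the image.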

Keep Data Security a Top Priority

Many IoT devices process sensitive personal and operational data and the CRA requires stronger protections for confidentiality, integrity, and access control. Limiting data collection to only the necessary elements will help. End-to-end encryption should protect data while in transit. And implementing role-based or credential-based access controls for device management should be sufficient.

Once these protections are documented as part of your CRA technical file, you’ll ensure your device’s compliance with the CRA as well as harmonize with every country’s General Data Protection Regulations (GDPR) when it comes to personal data.

Limit Surface Exposure

Reducing exposure to cyberattacks is a fundamental principle of the CRA. One way to limit this kind of surface exposure is to disable or remove unused ports and services, and to review every interface while you debug.

Hardcoded passwords and universal default credentials should both be avoided. You should also review your device's exposure in a networked environment as part of every risk assessment.

Demonstrating attack surface minimization is a minimum requirement for your CE conformity assessments. This is where a structured risk assessment—showing identified risks and mitigations—becomes critical.

Use Transparent Communication to Build Trust

Regular, clear and transparent communication with your product users is essential as the CRA emphasizes accountability. Help your users understand any risks, updates, and what kind of product support schedule they can expect.

Providing access to understandable security documentation, together with information on support duration and update commitments at the time of purchase, is a good start. You should also publish a coordinated vulnerability disclosure policy and a public contact channel so that information flows both ways. Should any incidents occur, you must issue timely advisories that outline the workarounds and patches offered as solutions.

These steps build trust and demonstrate compliance during audits or market surveillance checks.

Defining Resilience

The Oxford English Dictionary defines resilience as toughness or the capacity to withstand or recover quickly from difficulties. As resilience is the ability to continue delivering intended outcomes even when facing disruptions, such as cyberattacks, the CRA aims to build this capability into digital products for the benefit of product manufacturers and users throughout the European Union.

This perspective elevates product security from “best practice” to “passport control.” Manufacturers that treat it as an engineering program—embedded in roadmaps, CI/CD, supplier management, and incident response—will glide through CRA approval in 2027. Those who bolt it on at the last minute will face stalled launches, rushed patches, and regulator scrutiny.

YOLO, So Don’t Go Solo

You may have only a single chance at success with your digital product, so why go it alone? Not only could you miss your window of opportunity to launch a vibrant, popular product, but shoddy compliance with the CRA requirements can come with stiff penalties: up to €15M or 2.5% of global turnover for breaches of the essential requirements, and up to €10M or 2% of turnover for other violations. Market authorities can also deny your use of the CE mark and block sales EU-wide.

When you compare the price of failure with the cost of success, it makes sense to engage an experienced compliance partner to guide your efforts and help ensure success. IoT Consulting Partners is here to help. Contact us for a free consultation to begin the conversation.