A revolution in IoT standards - what does the Cyber Resilience Act bring?
- The SOC 2
- Apr 18
Updated: May 16

As the Internet of Things continues to expand rapidly, the need for robust security measures becomes increasingly critical. The European Cyber Resilience Act (CRA), which took effect on December 10, 2024, establishes a comprehensive legal framework governing digital devices and software in the EU market. Four months since this legislation came into force, it's worth examining how the CRA is reshaping the IoT industry and what its long-term impact will be on digital products.
What is the Cyber Resilience Act?
The CRA represents the European Union's strategic response to two pressing challenges: the dangerously inadequate cybersecurity levels in many digital products and consumers' limited access to essential security information. At its core, the regulation requires manufacturers to embrace the "security by design and by default" principle, ensuring protection throughout a product's entire lifecycle.
Previous EU and national initiatives addressed security concerns in a piecemeal fashion, resulting in a fragmented regulatory landscape. In contrast, the CRA harmonizes requirements across the EU, firmly placing the responsibility for security on the shoulders of manufacturers.
Scope of application
The CRA casts an exceptionally wide net, covering virtually all products with direct or indirect connections to other devices or networks. This comprehensive scope includes:
- Hardware devices: laptops, smartphones, sensors, cameras, robots, smart cards
- Network infrastructure: routers, switches
- Industrial systems: control systems
- Software: firmware, operating systems, mobile applications
However, the regulation does provide specific exemptions for certain products, such as medical devices and automobiles, which fall under separate regulatory frameworks.
Risk-based categorization
One of the CRA's key innovations is its risk-based classification system for digital products:
- Default category - encompasses roughly 90% of market products, subject to self-assessment procedures (e.g., photo editing software, games)
- Critical class I - covers higher-risk products requiring more stringent assessment protocols (e.g., password managers, network firewalls)
- Critical class II - includes the highest-risk products demanding external certification (e.g., operating systems, industrial firewalls)
This tiered approach reflects a proportional security strategy, concentrating the most rigorous requirements on products where security breaches would have the most severe consequences.
Manufacturer obligations
Under the CRA, manufacturers must fulfill several critical requirements:
- Implement security-focused design - embedding "security by design" and "security by default" principles
- Conduct regular security testing and product reviews
- Maintain comprehensive vulnerability registries
- Provide free security updates throughout the product lifecycle
- Report actively exploited vulnerabilities within 72 hours (with preliminary alerts for serious incidents within 24 hours)
- Complete appropriate conformity assessments based on the product's risk category
- Apply CE marking to confirm CRA compliance
Detailed technical specifications for cybersecurity requirements and vulnerability management processes are outlined in Annex I of the regulation, Sections 1 and 2 respectively.
Implementation timeline
While the CRA officially entered into force in December 2024, most of its major provisions won't become mandatory until December 11, 2027. This nearly three-year transition period gives manufacturers adequate time to align their products and processes with the new requirements.
Notably, however, the incident and vulnerability reporting obligations will have a shortened transition period of just 21 months. This accelerated timeline for reporting mechanisms highlights the regulatory priority placed on rapid threat response.
Penalties for non-compliance
The CRA establishes substantial financial penalties for non-compliance – up to 15 million euros or 2.5% of a company's total annual turnover, whichever is higher. These significant sanctions serve as a powerful incentive for manufacturers to prioritize cybersecurity in their development processes.
The CRA within the broader EU regulatory landscape
The Cyber Resilience Act forms an integral component of the EU's comprehensive cybersecurity strategy. It works in concert with other pivotal regulatory frameworks:
- The NIS2 Directive - focusing on network and information system security
- The Cybersecurity Regulation - enhancing ENISA's role and establishing EU-wide certification frameworks
- The AI Act - governing artificial intelligence systems
- DORA - strengthening digital resilience in the financial sector
Compliance with the CRA is designed to facilitate adherence to these related regulations, particularly regarding supply chain security, creating a coherent cybersecurity regulatory ecosystem across the EU.
The driving forces behind the regulation
The statistics supporting the need for the CRA are compelling. The estimated global annual cost of cybercrime reached an astounding 5.5 trillion euros by 2021, with digital products serving as primary attack vectors. High-profile incidents like the Pegasus spyware, WannaCry ransomware, and the Kaseya VSA supply chain attack demonstrate both the scale of threats and the potentially devastating consequences of security vulnerabilities.
By establishing uniform cybersecurity standards across the EU, the CRA forces manufacturers to treat security as a fundamental component of product design and development rather than an optional afterthought.
Future outlook for IoT under the CRA
The Cyber Resilience Act fundamentally transforms the IoT security landscape. Looking ahead, we can anticipate several significant developments:
- Substantially enhanced security in digital products across the EU market
- Heightened consumer awareness regarding cybersecurity considerations
- Convergence of industry security standards
- Acceleration in security-focused innovation and technologies
- Potential spillover effects extending to markets beyond the EU
These changes will be particularly significant for businesses operating in the European market, which must adapt their practices to meet the new regulatory requirements.
The CRA establishes a new paradigm in cybersecurity approaches, elevating security considerations to the forefront of digital product design and development. Although full implementation remains several years away, forward-thinking manufacturers are already beginning to adapt their products and processes to meet the forthcoming requirements.
In an era of increasing digitization and ever-evolving cyber threats, the CRA represents a crucial step toward ensuring a safer digital environment for everyone using connected products. This landmark regulation may ultimately prove to be one of the most significant factors in building consumer trust in digital technologies throughout the European single market.