The Cyber Resilience Act (CRA) is a forthcoming regulatory framework from the European Union aimed at enhancing the cybersecurity of connected products, including Internet of Things (IoT) devices. The CRA sets out requirements to ensure these products are secure throughout their lifecycle.

Scope of the Cyber Resilience Act

The CRA applies to a broad range of connected devices and software available in the EU market, including:

  • Consumer IoT devices such as smart home systems, wearables, and connected appliances

  • Industrial IoT devices in sectors like healthcare, energy, and transportation

  • Software integral to the operation of connected devices, including digital elements such as mobile applications and cloud services.

Products already covered by other sector-specific cybersecurity regulations, such as automotive, civil aviation and medical devices, will be exempt.


Key Obligations for Manufacturers

Manufacturers must adhere to several key obligations under the CRA:

  1. Secure Design and Development: Devices must be designed with robust cybersecurity measures from the outset.

  2. Vulnerability Management: Manufacturers need processes to identify and address vulnerabilities throughout the product lifecycle.

  3. Incident Reporting: Implement mechanisms for detecting and reporting cybersecurity incidents to authorities.

  4. Transparency and Information: Provide users with clear information on the product’s cybersecurity features and how to manage security risks.

Compliance Steps for Manufacturers

To comply with the CRA, manufacturers should:

  1. Conduct Security Assessments: Regularly assess and mitigate security risks.

  2. Adopt Secure Development Practices: Use secure coding and conduct regular security testing during development.

  3. Establish a Cybersecurity Management System: Manage cybersecurity risks, including updating and patching products.

  4. Engage with Regulatory Bodies: Stay informed on regulatory updates and collaborate with notified bodies for assessments.

IoT Device Users will also be affected

Apart from device manufacturers, any company utilizing IoT devices in its operations within the EU will also be impacted by the Cyber Resilience Act (CRA). All IoT devices in use must comply with CRA standards. To avoid disruptions to your business, it is crucial to be aware of these requirements and select your suppliers accordingly.

Implementation Timeline

The CRA will take effect after 2027. Early preparation is key to ensuring compliance when the act is enforced. It will be a significant step in securing connected devices in the EU. By understanding the scope and obligations, IoT device manufacturers can take proactive measures to meet the stringent cybersecurity standards, protect consumers, and maintain market access.

Some Challenges

The CRA will require continuous security monitoring of the IoT device during the whole lifecycle of the product, at least 5 years of security support, a 10-year security documentation archive, and periodic IoT penetration tests.

How can CyberWhiz help you?

We, as CyberWhiz, can help IoT device manufacturers with any cybersecurity need. Firstly, our Purple Team regulation consultants, who know the regulation's requirements very well, can perform a gap analysis and clarify what you should change and how you should improve the security infrastructure in your designs. Secondly, our Red Team can perform a vulnerability analysis and an IoT penetration test of your existing product. And finally, our Blue Team Embedded Security experts can apply the required design changes to your embedded design. Our Blue Team Mobile and Cloud Security experts can also advise you on creating a holistic and optimal solution that is 100% compliant with the regulation.

And finally, with the help of our CyberWhiz Defence Center, we will be able to monitor your IoT devices' cybersecurity state continuously and manage your entire vulnerability disclosure policy and incident response processes.

We are a one-stop shop for IoT cybersecurity.