CRA Compliance Checklist for IoT Devices

Margaret Ellis

Welcome back to Come Reflect Act! I’m Margaret Ellis, joined today, as always, by my co-host David Evans. Whether you’re new here or catching up after our last episode decoding the nitty-gritty of the Cyber Resilience Act for IoT—you’re in the right place for actionable guidance on compliance. Now, complying with the CRA ensures that products are robust against cyber threats, equally helping to protect consumers and organizations.

Margaret Ellis

But where should IoT vendors start with their compliance? Tributech has made a practical checklist that'll provide a clear path to understand and implement the key requirements.

David Evans

Very practical indeed. Margaret, I gotta say, after last episode's topic being about understanding how the CRA affects IoT, today we’re breaking it down step by step: what exactly manufacturers need to do—and by when—to actually comply with this thing.

Margaret Ellis

Absolutely. And deadlines are looming. There are two dates nobody in IoT can afford to miss. First: by 11th September 2026, you’re obliged to start reporting actively exploited vulnerabilities and severe security incidents. That’s not, like, “Oh, we’ll get around to it.” That is set in stone. Then, come December 11th, 2027, the full weight of the CRA comes into force: all requirements, across security, vulnerability handling, documentation, the works.

David Evans

And if you think December 2027’s far away—well, I always say, two-and-a-half years vanishes in product development land! Manufacturers, you need a plan well before then. So, let’s dive into the key milestones. We have seven solid steps on our checklist that shape the heart of CRA compliance for IoT. First up is product classification, right?

Margaret Ellis

That’s correct. Product categorization: default, important class one or class two, and critical. Now—here’s where folks trip up. I was working with a startup in London—lovely folks, but they thought being ‘default’ meant they could basically opt out of half the CRA. Not so! I had to clarify: classification decides how your product is assessed—internal, external, or certified.

Margaret Ellis

But every product, from your budget smart plug to industrial gateways, needs to meet the core security and vulnerability handling rules. No exceptions.

David Evans

Yup, and that’s a point I see missed over and over. Classification just determines what kind of conformity assessment you’re on the hook for. But all those essential requirements—13 in total—and the 8 for vulnerability handling? They’re baseline, full stop.

Margaret Ellis

And keeping security “by design and by default”—that’s more than a catchy phrase now. The next milestone is the cybersecurity risk assessment. Do it early, do it properly. You have to identify potential threats before launch, but these need to be revisited regularly, as threats and the context for your product are always changing.

David Evans

Totally. I mean, risk assessment isn’t a box-ticking exercise you do once and file away. Regulators expect it to be a living document, updated whenever something significant changes, like a new firmware or a major feature update. And then—starting September 2026—it’s about having that reporting infrastructure ready. If you find an actively exploited vulnerability or a major incident, you’ve gotta report it. Fast.

Margaret Ellis

Which is both a regulatory and reputational thing, let’s be honest. Consumers want to know you’re on top of threats. So, those are your opening moves: know your product’s category, embed risk assessment into your process, and build the muscle for mandatory reporting. The rest of the checklist flows from there—should we move to what those essential requirements actually look like?

David Evans

Definitely. We’ll do a deep dive into each of the 13 essential cybersecurity requirements in a future episode, but let’s call out a few of the big ones that folks should have on their radar right now. First is secure-by-default configuration—your product has to ship with the safest possible settings enabled from the start. No more default admin passwords that are “password 1 2 3.”

Margaret Ellis

Yes please. I can’t tell you how often default credentials have come up in data breaches. Another is the requirement for regular security updates. Not just supporting updates, but making sure they go out promptly and that users are actually told what’s being fixed, and how.

David Evans

Good point—clear communication is key, otherwise even the best update is only half effective. And then there’s data minimization, which gets overlooked so often. Collect only what you truly need, process only what serves your product’s core function—toss the rest. It’s not just about compliance, it’s a sensible risk reduction strategy.

Margaret Ellis

And resilience! The product has to keep running safely even after an incident. Plus, you’ve got to guard against unauthorized access—think strong authentication, access controls. Same goes with encryption; both for data in motion and at rest. It’s a menu, but you can’t skip the vegetables, so to speak.

David Evans

Love the analogy! It’s a lot, and folks sometimes feel overwhelmed. But the CRA spells these out with the aim to drive consistency and baseline resilience across the whole EU market. Now, pairing that are the 8 mandatory vulnerability handling requirements. I won’t rattle off the full list, because—Margaret, should we tease the deep dive we’ve got cooking for a later episode?

Margaret Ellis

Absolutely, David. But a few highlights: manufacturers have to identify and document vulnerabilities with a Software Bill of Materials. They need transparent, coordinated vulnerability disclosure processes. And updates must be provided fast, securely, and—critically—free of charge. Not just a “nice to have” anymore.

David Evans

That’s right. And if you’re not testing for vulnerabilities throughout the product’s life—well, you’re definitely not compliant. We’ll break down each of these later on. For now, let’s talk about how manufacturers actually prove compliance—including that all-important documentation.

Margaret Ellis

Yes, let’s talk documentation. I always say: your technical measures are only as good as your paperwork, especially when an auditor comes knocking. CRA is firm on this—manufacturers need to retain a robust technical file. That spans the risk assessment, details of how the 13 and the 8 requirements are met, and your vulnerability handling policies. Plus, there’s the EU Declaration of Conformity. That’s your legal statement that you’ve ticked all the right boxes and followed the correct conformity assessment route.

David Evans

And don’t forget user communications. You’ve gotta tell people, either in paper or digital form, how to install and use the product securely, how to report vulnerabilities, understand the update policy—all of it. The support period too. If it’s not documented and communicated, regulators will treat it like it doesn’t exist.

Margaret Ellis

Spot on. And as for the conformity assessment itself: for basic, ‘default’ category products you can usually self-assess, but as risk and classification level go up—think important or critical—you’re generally looking at third-party or even EU-level certification. And, honestly, we’re seeing more buyers in procurement insisting on third-party assurance regardless, even when it’s not strictly required! They don’t want to gamble their brand or operations on a manufacturer’s word alone.

David Evans

Yeah, and there’s a big upside for manufacturers here. If you use CRA to drive better security, you can turn it into a differentiator—secure products, trustworthy processes, documentation that actually helps rather than hinders. The market’s moving that way anyway, right?

Margaret Ellis

Exactly. The CRA is a challenge and an opportunity. If you embrace it, you’re not just avoiding penalties—you’re building a reputation for cybersecurity leadership. And for those who want to get ahead, there are technology partners, like Tributech, who can help simplify your CRA journey.

David Evans

Couldn’t agree more. We’ll be back soon with a full walkthrough of the essential and vulnerability handling requirements. Until then, you can read the full compliance checklist from Tributech's blog, or check out the Tributech CRA Knowledge Hub from our website. You can also always send your questions to hello at tributech dot io so we can tackle them in future episodes. Margaret, as always, a pleasure.

Margaret Ellis

Likewise, David. Thanks for joining us on “Come Reflect Act.” Stay secure, stay compliant, and we’ll talk soon.