Understanding the Cyber Resilience Act for IoT
Dive into the fundamentals and far-reaching impact of the EU Cyber Resilience Act on the IoT industry. We'll demystify compliance timelines, clarify which products are affected, and explore practical approaches to meeting the new gold standard for connected device security.
This show was created with Jellypod, the AI Podcast Studio.
Chapter 1
What is the Cyber Resilience Act and Why Does It Matter?
Margaret Ellis
Welcome back to Come Reflect Act by Tributech. I’m Margaret Ellis, and as always, I’m joined by David Evans. Last time we introduced the basics of the Cyber Resilience Act, or, as most know it, the CRA.
Margaret Ellis
And today, we’re diving into what the CRA means for the Internet of Things, or IoT for short. David, I think it’s fair to say this regulation is, well, a bit of a game-changer for anyone building or selling connected devices in Europe.
David Evans
Absolutely, Margaret. The CRA is really setting a new bar for cybersecurity in the IoT space. Just to get everyone on the same page, the main obligations kick in on December 11th, 2027. But, and this is important, some requirements, like incident reporting, actually start earlier, on September 11th, 2026.
Margaret Ellis
That’s right. And the obligations are, frankly, quite robust. Manufacturers of IoT products are now required to conduct cyber risk assessments, implement technical security requirements, and—this is a big one—report security incidents. And if you don’t comply, the penalties are steep. We’re talking fines up to 15 million euros, or 2.5% of global turnover. Not to mention, you could face product recalls or even lose your CE certification.
David Evans
Yeah, and I think it’s worth emphasizing, this isn’t just for the big players. The CRA covers all manufacturers and producers of IoT products—so whether you’re making industrial sensors, smart watches, or even smart toothbrushes, you might be in scope. And, as we touched on in our last episode, the goal here is to harmonize cybersecurity standards across the EU, so there’s no more patchwork of requirements. It’s about raising the bar for everyone.
Margaret Ellis
Exactly. And it’s not just about compliance for compliance’s sake. The Act is really about building trust—ensuring that users, whether they’re individuals or organizations, can rely on their connected devices to be secure by design and by default. That’s a huge shift from the old days of “ship it now, patch it later.”
David Evans
And, you know, Margaret, I think a lot of folks are still wrapping their heads around just how comprehensive this is. It’s not just about putting a firewall on your device and calling it a day. The CRA is asking for a lifecycle approach—risk assessments, technical controls, ongoing updates, and, crucially, transparency with users about risks and incidents. It’s a lot to take in, but it’s the direction the industry needs to go.
Chapter 2
Compliance Requirements and Product Categorization
Margaret Ellis
So, let’s break down what compliance actually looks like in practice. First step: every manufacturer needs to conduct a cybersecurity risk assessment. That means analyzing the risks based on how the product is intended to be used, and then mapping out how you’ll meet the technical security requirements. It’s not a one-and-done exercise, either—it needs to be updated as the product evolves.
David Evans
Right, and after that, you’ve got to think about the technical security requirements. These cover things like protecting data integrity and confidentiality, making sure you can record and provide security-related information for reporting, and enabling updates to address new vulnerabilities. And, Margaret, I always get tripped up on this—was it five years of free security updates, or is it the expected product lifetime if that’s longer?
Margaret Ellis
No, you’re spot on, David. It’s whichever is longer—five years or the expected lifetime of the product. And that’s a big deal, especially for products that might be in use for a decade or more. Manufacturers have to be ready to support those devices for the long haul, including over-the-air updates to patch vulnerabilities as they’re discovered.
David Evans
And then there’s documentation. You need to keep technical documentation, an EU Declaration of Conformity, and clear user instructions. All of that has to be retained for at least ten years, or as long as you’re supporting the product. That’s a lot of paperwork, but it’s essential for demonstrating compliance if you’re ever audited.
Margaret Ellis
Don’t forget vulnerability handling and reporting. If you find a vulnerability, you’ve got 24 hours to inform the CSIRT—Computer Security Incident Response Team—with details and corrective actions. Same goes for incidents that affect product security. And you have to notify users promptly, too, with mitigation steps. It’s a very proactive approach, not just ticking boxes.
David Evans
Now, let’s talk about product categories, because this is where things get a bit nuanced. The CRA splits products into four main categories: default, important class 1, important class 2, and critical. Most IoT products—about 90%—will fall into the default category. Think smart watches, smart toys, that sort of thing. For those, manufacturers can do a self-assessment for compliance.
Margaret Ellis
But if you’re making something like a security camera, or a VPN device, you’re likely in the “important” category. And for those, compliance has to be assessed by a third-party or notified body. That’s a significant step up in terms of scrutiny. And then you’ve got “critical” products—like smart meter gateways or secure crypto processors—where the bar is even higher.
David Evans
Yeah, and I think it’s easy to underestimate how big a shift that is. For a lot of companies, especially those used to self-certifying, having to go through third-party certification is a whole new world. Margaret, you’ve worked with clients on this—how do you see that playing out?
Margaret Ellis
It’s a real adjustment, David. Third-party certification means you need to have your house in order—documentation, processes, everything. But it also gives buyers and users more confidence that the product has been independently vetted. It’s a higher standard, but ultimately, it’s about building trust in the ecosystem. And for companies that get ahead of this, it can actually be a competitive advantage.
Margaret Ellis
And I think that is actually all we wanted to talk about today! If you want to dig deeper, check out Tributech’s CRA Knowledge Hub for more resources, or our YouTube channel for our experts’ explanation videos on the CRA. David, always a pleasure to chat through these topics with you.
David Evans
Likewise, Margaret. Thanks to everyone for listening. We’ll be back soon with more on building resilient, secure systems—by design and by default. Take care!
Margaret Ellis
Goodbye, everyone.
