From 2025, the Cyber Resilience Act (CRA) will bring major changes to cybersecurity rules for IoT devices and software sold in the EU. The CRA is the first EU law that requires all connected products to be designed with security in mind, so it will set tough rules for manufacturers, developers, and distributors.


This article looks at:

✔ Key CRA requirements for IoT & software

✔ What changes need to be made in security practices

✔ Compliance challenges & how to solve them

✔ The long-term impact on cybersecurity

Why the CRA Focuses on IoT & Software

The EU created the CRA because many connected devices are poorly protected against cyber threats. Consider these trends:

✔ About 60% of IoT devices are found to have critical vulnerabilities (ENISA).

✔ The number of supply chain attacks has risen by 300% since 2020 (EU Agency for Cybersecurity).

✔ Many ransomware attacks succeed because software has not been kept up to date.

The CRA works to ensure security at every stage of a product’s life, which benefits both businesses and consumers.

The following CRA rules are shaping the development of IoT and software.

1. Security-by-Design & Default (Article 6)

Manufacturers must treat cybersecurity as a priority from the very start of product development.

Default configurations should put data protection and access controls first.

For example, a smart camera should ship with strong passwords and encrypted data storage.

2. Vulnerability Handling & Patch Management (Article 10)

Businesses are required to monitor for and address vulnerabilities for at least the expected lifespan of their products.

Any critical flaws found should be reported to ENISA within the first 24 hours.

For example, a smart thermostat maker should issue firmware updates when bugs are found.

3. Transparency & User Documentation (Article 7)

Every product should come with clear, easy-to-understand security instructions for users.

Software vendors should state clearly how long the product will be supported.

For example, a SaaS provider should specify for how long security updates will be provided.

4. Default Passwords Are Not Allowed (Annex I)

IoT devices should not use common default passwords (such as “admin/admin”).

For example, a Wi-Fi router should require a unique password when it is first set up.

5. Third-Party Compliance Verification (Article 24)

Products considered high-risk, including industrial IoT, must be assessed by EU-approved laboratories.

Lower-risk products may be self-assessed, but you must keep a record of the assessment.

How IoT & Software Companies Need to Evolve

For IoT device manufacturers

✔ Hardware Security: Use secure boot, TPM chips and encrypted storage.

✔ Firmware Updates: Support automatic updates delivered from the cloud.

✔ Third-Party Components: Review third-party components for possible vulnerabilities.

For software developers

✔ Secure Development: Use frameworks such as Microsoft SDL or OWASP SAMM.

✔ SBOMs (Software Bill of Materials): Keep an inventory of open-source components to avoid Log4j-type risks.

✔ SAST/DAST Tools: Use tools such as SonarQube and Burp Suite to find flaws early in development.
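
As an added example (not code from the original article), the following Python script shows how an SBOM inventory is actually put to use: it reads a CycloneDX-style SBOM and flags every component whose version falls inside an advisory's affected range. The SBOM, the advisory identifiers and the version ranges are constructed for illustration; a real check would pull advisories from a vulnerability database.

```python
import json

# Constructed minimal CycloneDX-style SBOM for illustration (not a real project's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"}
  ]
}"""

# Constructed advisory feed: placeholder ids and illustrative ranges. Real data would
# come from a vulnerability database such as OSV or the NVD.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADV-EXAMPLE-0002", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "introduced": "2.0", "fixed": "2.13.4"},
]

def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1). Only plain numeric versions are accepted; anything
    else (e.g. '2.0-beta9') raises so it is never silently treated as safe."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, as OSV uses)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_affected(sbom_json: str, advisories: list) -> list:
    """Return (advisory id, 'group:name@version') for each component in an affected range."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((adv["id"], f'{comp["group"]}:{comp["name"]}@{comp["version"]}'))
    return hits

if __name__ == "__main__":
    for adv_id, coord in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {coord} is within the affected version range")
```

Only the 2.14.1 copy of log4j-core is reported; the 2.17.1 copy and jackson-databind sit at their advisories' fixed versions and are treated as patched.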


For cloud and SaaS providers

✔ Update & Breach Policies: Set clear update policies and specify how quickly customers will be notified of a breach.

✔ Data Sovereignty: Follow the EU Cloud Certification Scheme (EUCS).

Getting Ready for CRA Enforcement Starting in 2025

Step 1: Compare your organization’s current practices against the requirements in CRA Annex I.

Step 2: Set up automated scanning for firmware and software vulnerabilities.

Step 3: Train developers in secure coding (for example, using the OWASP Top 10).

Step 4: Have high-risk products pre-certified by EU-approved bodies.

Conclusion

The Cyber Resilience Act will require IoT and software companies to approach security in new ways. Achieving compliance takes time, but the results (fewer cyber incidents, more customer trust and no fines) make it a must for businesses.

It’s best to start preparing now, as the new rules will catch out any firm that doesn’t move quickly enough.