IoT: The Broadest CRA Impact
IoT devices are arguably the primary target of the CRA. Smart home devices, wearables, industrial sensors, and connected appliances have historically shipped with minimal security. The CRA changes that fundamentally.
What's Covered
Smart Home (EN 304 631, 632)
- Voice assistants and smart speakers
- Smart thermostats and lighting
- Connected cameras and doorbells
- Smart locks and security systems
- Products with security functionalities (Class I)
Wearables (EN 304 634)
- Smartwatches and fitness trackers
- Medical wearables (may also fall under MDR)
- Connected safety equipment
Industrial IoT
- Sensors and actuators
- PLCs and industrial controllers
- Edge computing devices
- Connected machinery
Connected Toys (EN 304 633)
- Internet-connected toys
- Educational devices
- Gaming peripherals with connectivity
Essential Security Requirements for IoT
# CRA IoT Security Checklist
security_by_default:
- No default passwords
- Encrypted communications (TLS 1.3 minimum)
- Secure boot chain
- Minimal attack surface (only necessary ports/services)
data_protection:
- Data minimization (collect only what's needed)
- Encrypted storage for sensitive data
- Secure credential storage (hardware-backed when possible)
- Privacy by design
update_mechanism:
- Secure OTA update capability
- Signed firmware updates
- Rollback protection
- Update availability for product lifetime (min 5 years)
vulnerability_handling:
- Coordinated disclosure process
- security.txt on any web interface
- SBOM for all firmware components
- 24-hour ENISA reporting for exploited vulnerabilities
The 5-Year Update Challenge
The CRA requires security updates for the expected product lifetime, with a minimum of 5 years. For IoT manufacturers, this is transformative:
Traditional IoT Model:
Ship → Forget → New Product
CRA IoT Model:
Ship → Monitor → Patch → Monitor → Patch → ... (5+ years)
├── Budget for ongoing security engineering
├── Maintain build infrastructure for legacy products
└── Track vulnerabilities in all dependencies
Cost Impact
Based on industry assessments:
- Per-product compliance cost: €50K-500K (depending on complexity)
- Ongoing annual cost: €30K-100K per product line (security updates, monitoring)
- SBOM tooling: €5K-50K/year
- Third-party assessment (if required): €20K-100K per product
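The 5-year model above ends with "Track vulnerabilities in all dependencies", and the SBOM tooling line item is what pays for it. The program below is an added example (not code from the original post) of the core of that check in Go: it parses a small CycloneDX-style SBOM for a constructed camera firmware build, matches every component against a constructed advisory feed that describes affected versions as an introduced/fixed range, and reports what is affected and whether a fix exists. The SBOM contents, the advisory IDs (EXAMPLE-2024-000x) and the version ranges are all constructed placeholders; a real pipeline would pull advisories from a feed such as OSV and would need a version comparator that understands each ecosystem's versioning rules rather than the plain dotted-numeric one used here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one SBOM entry, modelled on the name/version fields of a
// CycloneDX "components" element (other fields such as purl are ignored).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Advisory marks versions in [Introduced, Fixed) of a component as affected,
// the range shape OSV-style feeds use. An empty Fixed means no fix yet.
type Advisory struct{ ID, Component, Introduced, Fixed string }

// Finding is one component/advisory match.
type Finding struct{ Component, Version, Advisory, Fixed string }

// Constructed SBOM for an imaginary camera firmware build (not a real product).
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "mbedtls",  "version": "2.28.3", "purl": "pkg:generic/mbedtls@2.28.3"},
    {"name": "lwip",     "version": "2.1.3",  "purl": "pkg:generic/lwip@2.1.3"},
    {"name": "freertos", "version": "10.5.1", "purl": "pkg:generic/freertos@10.5.1"},
    {"name": "zlib",     "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"}
  ]
}`

// Constructed advisory feed; the IDs are placeholders, not real advisories.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-2024-0001", Component: "mbedtls", Introduced: "2.0.0", Fixed: "2.28.5"},
	{ID: "EXAMPLE-2024-0002", Component: "zlib", Introduced: "1.2.0", Fixed: "1.2.12"},
	{ID: "EXAMPLE-2024-0003", Component: "lwip", Introduced: "2.2.0", Fixed: ""},
}

// compareVersions orders dotted numeric versions ("2.28.3" < "2.28.5");
// missing trailing fields count as zero, so "2.28" equals "2.28.0".
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		} else if x > y {
			return 1
		}
	}
	return 0
}

// affected reports whether version v falls inside the advisory's range.
func affected(v string, adv Advisory) bool {
	if compareVersions(v, adv.Introduced) < 0 {
		return false
	}
	return adv.Fixed == "" || compareVersions(v, adv.Fixed) < 0
}

// ScanSBOM parses the SBOM and matches every component against the feed.
func ScanSBOM(sbomJSON string, advisories []Advisory) ([]Finding, error) {
	var bom struct {
		Components []Component `json:"components"`
	}
	if err := json.Unmarshal([]byte(sbomJSON), &bom); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, c := range bom.Components {
		for _, adv := range advisories {
			if adv.Component == c.Name && affected(c.Version, adv) {
				findings = append(findings, Finding{c.Name, c.Version, adv.ID, adv.Fixed})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := ScanSBOM(sampleSBOM, sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: affected by %s (fixed in %q)\n", f.Component, f.Version, f.Advisory, f.Fixed)
	}
}
```

Running this on the constructed input flags mbedtls 2.28.3 and zlib 1.2.11; lwip 2.1.3 is below the introduced version of its advisory and freertos has none. The useful operational detail is the open-ended range (empty Fixed): a component with no fix available still has to appear in the report, because that is exactly the case the 5-year support obligation makes the manufacturer responsible for tracking until a patch ships.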
Action Items for IoT Manufacturers
- Eliminate default passwords: this alone will be a common compliance failure
- Implement secure OTA updates: many IoT devices can't update at all today
- Generate SBOMs for firmware: including all embedded libraries and RTOS components
- Plan for 5-year support: budget, staffing, and build infrastructure
- Test, test, test: penetration testing, fuzzing, and compliance verification
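As an added example (not the post's own code) of the "Implement secure OTA updates" item together with the checklist's signed-firmware and rollback-protection requirements, the Go program below models the device side of an update: an Ed25519-signed manifest carrying a monotonic version number and the image's SHA-256 digest, verified in the order signature, digest, version before the installed version advances. The key pair, the device state (installed version 3) and the "firmware vN" image bytes are constructed for the demo; in a real device the vendor public key lives in immutable storage (ROM or OTP) and the installed-version counter in tamper-resistant storage, otherwise the anti-rollback check can simply be reset.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of a firmware image: a monotonic
// version number and the SHA-256 digest of the image bytes. It is encoded
// as 8 bytes big-endian version followed by the 32-byte digest.
type Manifest struct {
	Version uint64
	Digest  [32]byte
}

func (m Manifest) encode() []byte {
	buf := make([]byte, 8+32)
	binary.BigEndian.PutUint64(buf[:8], m.Version)
	copy(buf[8:], m.Digest[:])
	return buf
}

// UpdatePackage is what the device receives over the air.
type UpdatePackage struct {
	Manifest  Manifest
	Signature []byte // Ed25519 signature over Manifest.encode()
	Image     []byte
}

// Device holds the state the updater consults: the vendor public key baked
// into the device and the version currently installed.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed uint64
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("update version not newer than installed")
)

// Apply checks signature, image integrity and anti-rollback, in that order,
// before advancing the installed version. The signature comes first so that
// no unauthenticated field influences a decision.
func (d *Device) Apply(pkg UpdatePackage) error {
	if !ed25519.Verify(d.VendorKey, pkg.Manifest.encode(), pkg.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(pkg.Image) != pkg.Manifest.Digest {
		return ErrDigest
	}
	if pkg.Manifest.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = pkg.Manifest.Version
	return nil
}

// BuildPackage is the vendor-side step: hash the image and sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, version uint64, image []byte) UpdatePackage {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return UpdatePackage{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

// Demo runs the cases an update mechanism must handle on a constructed device
// (installed version 3, fresh vendor key) and returns each outcome plus the
// version left installed. A nil error means the update was applied.
func Demo() (genuine, rollback, tampered, forged error, installed uint64) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, Installed: 3}
	// A newer, correctly signed image is accepted.
	genuine = dev.Apply(BuildPackage(priv, 4, []byte("firmware v4 (constructed)")))
	// Replaying an older but validly signed image must be refused.
	rollback = dev.Apply(BuildPackage(priv, 2, []byte("firmware v2 (constructed)")))
	// An image modified after signing no longer matches the manifest digest.
	pkg := BuildPackage(priv, 5, []byte("firmware v5 (constructed)"))
	pkg.Image = append(pkg.Image, " modified in transit"...)
	tampered = dev.Apply(pkg)
	// A package signed with any key other than the vendor's fails outright.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = dev.Apply(BuildPackage(otherPriv, 6, []byte("firmware v6 (constructed)")))
	return genuine, rollback, tampered, forged, dev.Installed
}

func main() {
	g, r, t, f, v := Demo()
	fmt.Println("genuine:", g, "\nrollback:", r, "\ntampered:", t, "\nforged:", f, "\ninstalled:", v)
}
```

The version check is the rollback-protection line item from the checklist: a correctly signed but older image is still refused, so an attacker who captures a vintage update cannot reinstall a firmware with known vulnerabilities. Note that the digest is bound into the signed manifest rather than the image being signed directly; that keeps the signed blob tiny, which matters on constrained devices, and lets the bootloader verify the manifest before it has streamed the whole image.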
The CRA will raise the quality bar for IoT. Manufacturers who prepare early will have a competitive advantage.
Manufacturing IoT products for the EU market? I help organizations prepare for CRA compliance. Get in touch.
