Valtteri Kinnunen
Back to blog
10 min read

How the EU Cyber Resilience Act Affects IoT Manufacturers: A Technical Guide

Table of Contents

Remember the good old days when you could slap together some barely functional IoT hardware, flash a half-baked firmware image written in an afternoon, and ship it to the unsuspecting consumer market? Those days of glorious, zero-accountability cowboy coding are officially dead. The European Union has decided to ruin our fun with the EU Cyber Resilience Act (CRA). No more shipping devices with admin:admin credentials, unencrypted filesystems, or leaving orphan smart-toasters to join botnets.

The CRA is the EU’s way of treating us like adults. If you want to sell anything with digital elements in Europe, you are now legally responsible for keeping it secure. If your code is a house of cards—built on a shaky foundation of copy-pasted StackOverflow snippets and assumptions that it’s “production-ready” because it compiles on your local machine—prepare for product recalls and compliance audits that will make your CFO cry.

Let’s skip the corporate fluff and look at what we actually have to refactor under the hood to stay out of regulatory jail.

The Risk Categories and Conformity Assessment Paths

Before we touch the code, we must navigate the bureaucratic theater. Under Article 32, the EU has divided devices into four buckets of varying pain, and your compliance path depends on how critical your device is:

  1. Default (General) IoT Products: Connected toys, smart dog feeders, and other consumer junk destined for a landfill. If your device is here, you get to do a self-assessment (Internal Control / Module A / A8.P1.1). You basically grade your own homework, write some technical docs, sign a declaration of conformity, and hope no one looks too closely.
  2. Class I Important Products (Article 32.2): Smart locks, home security cameras, and network interfaces. Things get worse here. You might still scrape by with self-assessment, or you’ll be forced into the hands of third-party auditors using Module B + C (EU-Type Examination and Conformity to Type) or Module H (Full Quality Assurance).
  3. Class II Important Products (Article 32.3): Operating systems, hypervisors, and container runtimes. Yes, this includes the genius setup where you run a Kubernetes (K8s) cluster on an embedded device because some resume-driven developer thought running microservices on a smart fridge was a good idea. No self-assessment for you. You’re legally required to pay third-party auditors to tear your architecture apart via Module B + C or Module H.
  4. CE Marking & Notified Bodies (Article 30): Once you convince the bureaucrats you aren’t selling a fire hazard, you must stamp the CE mark on the device chassis (Article 30.1). If you had to use a Notified Body (Module H), their ID number goes right next to it (Article 30.3).

No matter which bucket your device falls into, you must run a formal Cybersecurity Risk Assessment (Article 13.2), document it (Article 13.3), and keep those files for 10 years or the duration of your support period—whichever is longer (Article 13.9 / Article 13.13). Welcome to the endless paperwork and audit theater of government regulations like the CRA and NIS2. It makes you wonder if anyone in Brussels has actually ever written a single line of C, but at least it keeps the auditors employed.

Firmware Architecture: Implementing Annex I Part I (Security-by-Design)

To meet the core security-by-design requirements in Annex I, Part I, you actually have to design security. You cannot just wrap your HTTP endpoints in a broken Nginx reverse proxy and call it a day. Here is the minimum architecture required to keep your devices from becoming active members of a DDoS botnet:

Secure Element / TPM

SPI Flash Memory

Host MCU / Processor

Reads & Verifies

Fallback if Verification Fails

Reads Key for TLS

Checks Signatures

Reboots on Boot Hang

Wipes user data on reset

Application Code

Secure Bootloader

(Verifies Signatures)

Hardware Watchdog

Firmware Slot A

(Active System)

Firmware Slot B

(Rollback / Update Slot)

User Configuration & Data

Unique Device Private Key

Public Verification Key

1. No Default Credentials (A1.P1.2d)

Raise your hand if you’ve shipped a device with admin:admin or root:default hardcoded in a shell script. Put your hand down, we know you did. Under A1.P1.2d, this laziness is illegal:

  • You must generate unique, random passwords at factory flashing and print them on a physical sticker on each device chassis.
  • Cleartext protocols like Telnet and HTTP must die. Switch to SSH and HTTPS, and deal with the self-signed certificate headaches or local PKI integration yourself.

2. Resilient, Automatic OTA Security Updates (A1.P1.2c)

Under the CRA, updates must install automatically by default (A1.P1.2c), though you must provide a UI toggle for users who prefer their devices unpatched (Annex II, Point 8(e)). This means building a setup that won’t brick the device when the customer’s Wi-Fi drops:

  • Cryptographic Signatures (A1.P1.2f): The bootloader must reject any firmware not signed by your private key. Store the public verification key in a read-only hardware secure element, not a plaintext file on the flash partition.
  • Dual-Slot Boot Partitioning (A/B Layout): Do not write directly to the active system partition. Use an A/B layout where updates write to Slot B while running from Slot A. If the update fails to boot, let the hardware watchdog timer reboot the MCU back into the known-good partition. Getting a support call about a bricked device after a mid-update power failure is almost as painful as dealing with a Lustre split-brain or a metadata crash on your storage cluster when the network switches drop a packet.

3. Data Encryption & Confidentiality (A1.P1.2e)

Any personal or telemetry data must be encrypted during transit and storage. Use TLS 1.3 for network communication. For local configuration files, use hardware-accelerated AES-256-GCM, and keep the keys out of your source code. Use a physical Secure Element or ARM TrustZone. And if you’re running edge AI on expensive, marked-up NVIDIA silicon to predict when a dog is about to poop, those model weights need to be locked down too, lest you get locked out of your favorite cloud provider’s proprietary API.

4. Secure Data Removal (A1.P1.2m)

Under A1.P1.2m, a factory reset must actually delete user data. Simply clearing the filesystem index while leaving the raw flash sectors intact is a violation. You must write a routine that physically erases SPI flash sectors or performs cryptographic erasure by blowing away the master encryption keys.

Vulnerability Handling and the SBOM Burden (Annex I Part II)

Your responsibility doesn’t end when the factory ships the hardware. Under Annex I, Part II, you are now married to your code for years:

  • Software Bill of Materials - SBOM (A1.P2.1): You must generate a machine-readable list (SPDX or CycloneDX) of every dependency you’ve pulled into your build. That means Yocto or Buildroot needs to catalog every outdated, vulnerable OpenSSL version and random helper library you copy-pasted from StackOverflow.
  • Separation of Updates (A1.P2.2): You cannot bundle security patches with new features. If you need to patch a critical bug, you must ship the patch independently. If you built a monolithic firmware blob where the driver, the network stack, and the UI are single-threaded, you will have to refactor it so a simple security fix doesn’t break the entire user experience.
  • Coordinated Vulnerability Disclosure (A1.P2.5 & A1.P2.6): You must set up a vulnerability disclosure program (A1.P2.6), publish an actual contact address for security researchers, and publicly post the details of the bugs you patch (A1.P2.4).
  • Free Patches (A1.P2.8): Security patches must be provided entirely free of charge for the duration of the support period. No subscription paywalls for basic security.

The Support Period and the Documentation Burden

The days of shipping a device and abandoning the codebase six months later are officially over. Under Annex II / A2:

  • Support Period End-Date (Article 13.8 & A2.7): You must explicitly print the support end-date on the product page or packaging. No more setting a 1-year support window for a smart appliance. The support period must align with the expected lifetime of the product.
  • Integrator Documentation (A2.8(f)): If you build OEM modules or cellular modems, you must document your integration specifications. Downstream developers need this to prove their final assembly is compliant.
  • Risk Assessments and Testing Reports (A7.3 & A7.6): You must draft and retain technical files detailing your risk assessments and the testing reports proving your security actually works.

Mandatory Incident Reporting: The Clock Is Ticking (Article 14)

When your security architecture inevitably fails and someone finds a remote code execution exploit in your production firmware, Article 14 dictates your response timeline:

  • 24-Hour Early Warning (Article 14.2(a)): You must notify national CSIRTs and ENISA within 24 hours of detecting an active exploit or security incident.
  • 72-Hour Update (Article 14.2(b)): Within 72 hours, you must provide a detailed analysis of the exploit and your planned mitigations.
  • 14-Day Post-Mortem (Article 14.2(c)): Within 14 days of releasing the patch, you must submit a final report outlining the severity, impact, and technical details of the fix.

Actionable Compliance Checklist for IoT Teams

If you’re kicking off a new hardware project, here’s a checklist you should bring to your next planning session:

  1. Hardware Root of Trust: Drop in a physical secure element or TPM to store device cryptographic keys and handle Secure Boot validation.
  2. Dual-Slot OTA Partitioning: Set up your memory map for dual-slot (A/B) firmware updates with a hardware watchdog rollback.
  3. Firmware Decoupling: Keep application code isolated from driver and OS layers so you can patch software bugs without rebuilding the whole image.
  4. SBOM Automation: Add SPDX or CycloneDX generation right into your CI/CD pipeline for every firmware build.
  5. Manufacturing Key Injection: Write factory scripts to inject unique credentials per board, and make sure to lock down diagnostic ports (like JTAG or UART console shells) before they leave the factory floor.
  6. Support Timeline Contract: Lock in a realistic software support lifetime and align your hardware supply chain to match it.

Conclusion

The Cyber Resilience Act is forcing a massive shift in how we build connected devices. Hardware is no longer a “ship it and forget it” game. We have to treat security as a core design constraint from the first schematic drawing all the way to the end of the device’s life. It takes some extra effort up front, but putting in a hardware root of trust, clean A/B updates, and automated SBOM pipelines will save us from major regulatory headaches down the road.

The EU Cyber Resilience Act: What it Means for HPC
How NIS2 Affects the European Maritime Industry