What the EU Cyber Resilience Act means for IoT


The EU Cyber Resilience Act (CRA) marks a decisive shift in how IoT products are designed, maintained and trusted. Security is no longer an optional feature or a post‑market fix - it is becoming a condition for placing products on the EU market.

While previous regulations focused primarily on IT infrastructure, the CRA directly targets products with digital elements, including IoT devices and software. Beyond compliance, the act also reinforces the importance of trust, accountability, and stronger security practices across the product lifecycle.

Alongside software such as operating systems and on-premises and desktop applications, any hardware with digital components, such as IoT and smart devices and network controllers, also falls within the CRA's scope. Anyone who wants to sell a product with digital elements into the EU, whether as a manufacturer, developer, reseller or distributor, must meet the requirements.

The CRA is an example of how the Internet of Things (IoT) is shifting from a technological frontier towards a regulated domain. Passed at the end of 2024, the CRA gives IoT manufacturers 36 months to comply, with the main obligations coming into force in December 2027.

Manufacturers must take steps to improve the cyber resilience of their products: the integrity of the communications they send and receive, the confidentiality of the data they hold, and ongoing assurance through regular reviews, penetration testing and tool-based security testing. With penalties of up to €15m or 2.5% of global turnover for infringements, the stakes are high for manufacturers and service providers.


Security by design

The legislation involves a comprehensive set of steps and considerations, but at a broad level vendors should start by conducting a risk assessment to determine which of their products fall under the CRA and into which category. There are 13 essential cybersecurity requirements, and which elements must be fulfilled depends on the level of risk identified in that initial assessment. This includes building security into the development process and examining the Software Development Life Cycle (SDLC) to ensure security is closely integrated at every stage.

Maintaining an SBOM (Software Bill of Materials), and capitalising wherever possible on proven architectures for operations such as authentication and data storage, is also crucial.

When vulnerabilities emerge, there should be plans in place to react quickly and provide updates to customers. The eight vulnerability handling requirements aim to build coordinated responses to incidents, including responses to vulnerabilities found in integrated third-party components. By industrialising and automating the delivery pipeline from code production through to shipping updates out to devices, manufacturers can improve their response times.
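The SBOM and the vulnerability handling requirements meet in one routine task: when an advisory is published for a component, a manufacturer needs to know which shipped firmware builds contain an affected version. The following is an added example (not code from the article or from Thales) showing that cross-check over a constructed CycloneDX-style SBOM fragment and a constructed advisory list; the component names, versions and advisory ids are invented placeholders, and the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM fragment for a hypothetical device firmware.
# Component names and versions are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "tls-lib", "version": "2.4.1"},
    {"type": "library", "name": "json-parser", "version": "1.0.7"},
    {"type": "library", "name": "mqtt-client", "version": "3.2.0"}
  ]
}
"""

# Constructed advisory feed: each entry names a component, the affected
# version range [introduced, fixed) and a placeholder advisory id.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "tls-lib", "introduced": "2.0.0", "fixed": "2.4.3"},
    {"id": "ADV-EXAMPLE-0002", "component": "mqtt-client", "introduced": "3.0.0", "fixed": "3.1.5"},
    {"id": "ADV-EXAMPLE-0003", "component": "json-parser", "introduced": "1.1.0", "fixed": "1.1.2"},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '2.4.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed release is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Extract (name, version) pairs from the SBOM's component list."""
    data = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in data.get("components", [])]


def match_advisories(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for finding in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{finding['component']} {finding['version']}: {finding['advisory']} "
              f"(fixed in {finding['fixed_in']})")
```

Run against the constructed data, only the TLS library is flagged: its version falls inside the advisory's range, while the MQTT client is already past its fixed release and the JSON parser predates the affected range. The same routine run in the build pipeline for every release is what turns an SBOM from a compliance artefact into the trigger for the update plans the text describes.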

Beyond basic compliance

Compliance with the Cyber Resilience Act begins with ensuring products are shipped without known vulnerabilities and that manufacturers are able to deliver security updates when issues arise. 

More advanced security practices go further, reducing the number of vulnerabilities discovered once products are deployed and shortening the time required to detect, fix, and roll out patches when issues do occur. 

This distinction highlights how stronger security practices can limit operational impact and reinforce trust throughout the product lifecycle. 


Building device integrity

The IoT devices themselves must have secure device identity and lifecycle protection built in, to ensure that device IDs cannot be cloned or tampered with. If device identity is compromised, threat actors may be able to capture sensitive data.

The Cyber Resilience Act elevates lifecycle security from a technical requirement to a core product obligation. Manufacturers must ensure vulnerabilities can be detected, reported and patched through authenticated firmware updates over the lifetime of a product: for at least five years, or for its expected operational lifespan.

As many IoT devices remain deployed for years or even decades, the act places strong emphasis on secure update mechanisms, device identity protection, and the ability to respond quickly when vulnerabilities are discovered, in order to limit their impact on customer operations. 
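The "authenticated firmware update" the text calls for is, on the device side, a short sequence of checks before an image is ever written to flash: the update manifest must authenticate, the image must be meant for this model, the version must move forward (so an attacker cannot reinstall an old, vulnerable build), and the image bytes must match the digest the manifest commits to. The following is an added example, not code from the article or from Thales, that walks through those checks over a constructed image and manifest. One assumption is stated plainly: it authenticates the manifest with an HMAC under a symmetric factory-provisioned key so that it runs on the standard library alone, whereas a production device would verify an asymmetric signature (ECDSA or Ed25519) against a public key held in immutable storage or a secure element; the check sequence is the same.

```python
import hashlib
import hmac
import json

# Constructed device state. The update key stands in for the public key a real
# device would keep in ROM or a secure element (see the lead-in); model string and
# installed version are invented for this example.
DEVICE_STATE = {
    "update_key": b"factory-provisioned-example-key",
    "model": "sensor-node-x1",
    "installed_version": 7,
}


def build_manifest(image: bytes, model: str, version: int) -> dict:
    """Manufacturer side: describe the image so the device can bind checks to it."""
    return {"model": model, "version": version, "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest (HMAC stand-in for a signature, as assumed above)."""
    # Canonical serialisation so signer and verifier authenticate identical bytes.
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(image: bytes, manifest: dict, tag: str, state: dict) -> tuple:
    """Device side. Returns (accepted, reason); nothing is flashed unless accepted."""
    # 1. Authenticate the manifest first; nothing in it is trusted until then.
    expected = sign_manifest(manifest, state["update_key"])
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    # 2. Refuse images built for another product.
    if manifest.get("model") != state["model"]:
        return False, "image built for a different device model"
    # 3. Anti-rollback: only strictly newer versions are accepted.
    if manifest.get("version", 0) <= state["installed_version"]:
        return False, "rollback to an older or equal version refused"
    # 4. Bind the authenticated manifest to the actual image bytes.
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image digest does not match manifest"
    return True, "update accepted"


def demo() -> dict:
    """Exercise the accept path and three failure modes; returns each outcome."""
    key = DEVICE_STATE["update_key"]
    image = b"\x7fELF constructed firmware image, version 8"
    manifest = build_manifest(image, "sensor-node-x1", 8)
    tag = sign_manifest(manifest, key)

    results = {"good": verify_update(image, manifest, tag, DEVICE_STATE)}
    # Image altered after the manifest was authenticated.
    results["tampered"] = verify_update(image + b"\x00", manifest, tag, DEVICE_STATE)
    # Genuine but older build offered to a device already on version 7.
    old_manifest = build_manifest(image, "sensor-node-x1", 6)
    results["rollback"] = verify_update(image, old_manifest, sign_manifest(old_manifest, key), DEVICE_STATE)
    # Manifest edited after signing: the original tag no longer matches.
    edited = dict(manifest, version=99)
    results["forged"] = verify_update(image, edited, tag, DEVICE_STATE)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:9s} accepted={accepted} reason={reason}")
```

The ordering matters: authentication comes before any field of the manifest is read, so a forged or edited manifest is rejected before its model or version claims can influence anything, and the anti-rollback comparison runs against a version number the device keeps in protected storage rather than one supplied by the update itself.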

The power of expert consultancy

There is a lot to consider, and the complexities involved may mean vendors find it helpful to work with experts in cybersecurity, legal and regulatory compliance to ensure security is fully prioritised throughout the product lifecycle.

Thales’ Build, Run, Protect framework aims to ensure security and compliance across the full lifecycle of a device, allowing IoT deployments to stay compliant and resilient. From in-factory provisioning at the build stage, to adaptive connectivity during device operations and ongoing updates and protection through Firmware-Over-the-Air (FOTA) updates, the approach ensures cybersecurity remains an ongoing discipline. 

The Cyber Resilience Act establishes a new baseline for IoT security in Europe. While compliance is mandatory, manufacturers that go beyond minimum requirements can reduce vulnerabilities in the field, shorten response times when issues arise, and limit the impact on end‑customer operations. 

In a market where trust is becoming increasingly important, CRA readiness supports differentiation by demonstrating stronger security practices, improved lifecycle management, and clear accountability across the product lifecycle. 
