Introduction
The Cyber Resilience Act (CRA) is the most significant shift in European product regulation since the GDPR. It moves away from voluntary guidelines and establishes a mandatory legal framework for the cybersecurity of hardware and software products.
In this article, we examine what the CRA is, why it was introduced, and how it affects the IoT hardware market in practice. We'll cover what businesses need to do to prepare, and explain how Grinn supports customers in navigating CRA requirements.
What Is the EU Cyber Resilience Act?
The Cyber Resilience Act is a regulation introduced by the European Union to address the growing number of cybersecurity incidents linked to insecure hardware and software products. IoT devices, industrial controllers, consumer electronics, and connected infrastructure have become widespread, and vulnerabilities in these products pose major risks, including to critical infrastructure.
Before the CRA, cybersecurity requirements in the EU were fragmented. Some sectors were regulated, but others relied on voluntary standards, and many products reached the market with minimal security features. The CRA introduces a single legal framework that applies across industries.
The Main Goals of the CRA
The regulation is built around several core objectives:
Raising the level of cybersecurity across all products with digital elements sold in the EU
Embedding security throughout the product lifecycle, from initial design to end-of-life
Reducing the number and severity of vulnerabilities in connected products
Clarifying responsibility and making manufacturers accountable for the cybersecurity of their products
Improving transparency for users and business customers regarding security features and update policies
The CRA integrates cybersecurity into the EU product safety framework, aligning it with other essential product requirements such as electrical safety or electromagnetic compatibility (EMC).
The Timeline of the Cyber Resilience Act
While the Cyber Resilience Act has already entered into force, its obligations are introduced gradually to give manufacturers time to adapt their processes and product portfolios.
Here is the detailed rollout schedule:
20 November 2024: The CRA was formally adopted by the European Union.
11 December 2024: The CRA entered into force.
11 September 2026: Reporting obligations apply.
From this date, manufacturers are legally required to report any "actively exploited vulnerability" to the Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA). They must submit an early warning within 24 hours, a detailed notification within 72 hours, and a final report within 14 days (vulnerabilities) or one month (incidents).
11 December 2027: Full compliance required.
All products placed on the EU market must meet the technical requirements, possess full technical documentation, and bear the CE marking, demonstrating conformity with the Cyber Resilience Act and any other applicable EU product legislation.
Products already placed on the market before this date may continue to be made available, but any new products or new production batches introduced after this deadline must comply fully with the CRA.
CRA Obligations on Businesses
The Cyber Resilience Act fundamentally shifts responsibility for cybersecurity from end users to manufacturers. It requires product manufacturers to meet a number of technical as well as procedural obligations.
Technical Obligations
Technical obligations define how the product itself must behave from a cybersecurity standpoint. These requirements must be fulfilled at the time the product is placed on the EU market and verified through design, implementation, and testing.
Key requirements relevant to IoT and embedded devices include:
| Requirement | Explanation |
| --- | --- |
| Eliminate Known Vulnerabilities | You cannot launch a product with security issues that are already known and patchable. CRA Annex I, Part I, (2)(a) |
| Secure Default Settings | Products must be secure out of the box. Users shouldn't have to be experts to stay safe, and they must be able to reset the device easily. CRA Annex I, Part I, (2)(b) |
| Enable Automatic Updates | You must provide security updates. These should ideally be automatic and on by default, though users can opt out. CRA Annex I, Part I, (2)(c) |
| Control Product Access | Use strong authentication (passwords, keys, etc.) and identity management to prevent unauthorized people from getting in. CRA Annex I, Part I, (2)(d) |
| Protect Stored Data | Any data the device handles must be kept private, usually through encryption, whether it's stored on the device or being transmitted. CRA Annex I, Part I, (2)(e)-(f) |
| Practice Data Minimization | The product must only process data that is strictly necessary for its intended functions. CRA Annex I, Part I, (2)(g) |
| Reduce Attack Surface | Design the product to have as few "entry points" (like open ports or external interfaces) as possible to limit where attackers can strike. CRA Annex I, Part I, (2)(j) |
| Maintain SBOM Records | Create a Software Bill of Materials (SBOM): a list of every software component and third-party library used in your product. CRA Annex I, Part II, (1) |
| Secure Data Wipe | Users must be able to securely and permanently erase all of their data and settings from the device, and where that data can be transferred to another product or system, the transfer must be done securely. CRA Annex I, Part I, (2)(m) |
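To make the SBOM and known-vulnerability rows concrete, here is an added example that is not part of the article and not Grinn's code: a Python script that assembles a minimal CycloneDX-shaped SBOM (the `bomFormat`, `components`, `bom-ref`, `purl` and `vulnerabilities` fields follow the CycloneDX schema) from a constructed firmware manifest, then checks it against a constructed advisory list and refuses release while any known, already-patched issue remains. The product name, component names, versions and `EXAMPLE-ADV-*` identifiers are placeholders; in a real pipeline the advisory list would come from supplier advisories, a vulnerability database or an SCA tool.

```python
"""Added example: build a minimal CycloneDX-style SBOM and gate a release on
known, patchable vulnerabilities. Not from the original article."""
import json

# Constructed firmware manifest for a hypothetical IoT gateway (placeholders).
FIRMWARE_COMPONENTS = [
    {"name": "zlib", "version": "1.2.13", "supplier": "zlib project"},
    {"name": "mbedtls", "version": "3.4.0", "supplier": "Mbed TLS project"},
    {"name": "mqtt-client", "version": "2.1.0", "supplier": "vendor-x"},
    {"name": "busybox", "version": "1.36.1", "supplier": "BusyBox project"},
]

# Constructed advisory feed with placeholder ids; "fixed_in" is the first
# version that carries the upstream fix.
KNOWN_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "mbedtls", "fixed_in": "3.5.0",
     "summary": "placeholder: memory-safety issue fixed upstream"},
    {"id": "EXAMPLE-ADV-0002", "name": "zlib", "fixed_in": "1.2.12",
     "summary": "placeholder: already fixed in the shipped version"},
    {"id": "EXAMPLE-ADV-0003", "name": "mqtt-client", "fixed_in": "2.2.0",
     "summary": "placeholder: authentication bypass fixed upstream"},
]


def parse_version(v):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def build_sbom(product_name, product_version, components):
    """Return a minimal CycloneDX-shaped SBOM as a dict (Annex I, Part II, (1))."""
    sbom_components = []
    for c in components:
        ref = f"{c['name']}@{c['version']}"        # bom-ref used by findings
        sbom_components.append({
            "type": "library",
            "bom-ref": ref,
            "name": c["name"],
            "version": c["version"],
            "supplier": {"name": c["supplier"]},
            "purl": f"pkg:generic/{c['name']}@{c['version']}",
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "firmware",
                                   "name": product_name,
                                   "version": product_version}},
        "components": sbom_components,
        "vulnerabilities": [],
    }


def find_known_vulnerabilities(sbom, advisories):
    """Match components against advisories; a component is affected when its
    shipped version is older than the version that carries the fix."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "id": adv["id"],
                    "description": adv["summary"],
                    "recommendation": f"upgrade {comp['name']} to {adv['fixed_in']}",
                    "affects": [{"ref": comp["bom-ref"]}],
                })
    return findings


def release_gate(sbom, advisories):
    """Record findings in the SBOM and return True only when no known,
    patchable vulnerability remains (Annex I, Part I, (2)(a))."""
    findings = find_known_vulnerabilities(sbom, advisories)
    sbom["vulnerabilities"] = findings
    return len(findings) == 0


if __name__ == "__main__":
    sbom = build_sbom("example-gateway", "1.0.0", FIRMWARE_COMPONENTS)
    ok = release_gate(sbom, KNOWN_ADVISORIES)
    print(json.dumps(sbom, indent=2))
    print("release gate:", "PASS" if ok else "FAIL")
```

Running it with the constructed manifest fails the gate on the two components shipped below their fixed versions (mbedtls and mqtt-client), while zlib passes because the shipped version already contains the fix. The findings are written into the SBOM's own `vulnerabilities` array, so the same document serves both as the record the CRA asks for and as the evidence that the release check was performed.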
Business and Procedural Obligations
In addition to product‑level requirements, the CRA imposes organisational obligations on manufacturers.
| Requirement | Explanation |
| --- | --- |
| Continuous Risk Assessment | You must analyze security risks during planning, design, and production, and update this assessment throughout the product's life. CRA Article 13(2)-(3), 13(11) |
| Third-Party Due Diligence | If you use code or parts from others (including open-source), you are responsible for ensuring they don't break your security. CRA Article 13(4) |
| Five-Year Support Minimum | You must provide security support for at least 5 years (or the product's expected life) and state the end date clearly. CRA Article 13(8) |
| Conformity & CE Marking | You must prove the product is safe through a formal assessment, sign a Declaration of Conformity, and put the CE mark on the device. CRA Article 13(12), Article 28, Article 30 |
| Product & Brand ID | The device, packaging, or manual must clearly show the serial/batch number and your company's contact info (name, address, email). CRA Article 13(15)-(17) |
| Clear User Instructions | Provide a manual (digital or paper) that explains how to set up and use the device securely. This must be easy to read and in a language users understand. CRA Article 13(18), Annex II |
| Rapid Incident Reporting | If a vulnerability is being actively exploited, you must notify authorities (ENISA/CSIRT) within 24 hours for an early warning and 72 hours for details. CRA Article 14(1)-(4), 14(7) |
| User Notifications | If your product has a major security flaw or incident, you must tell your users what happened and how they can fix it. CRA Article 14(8) |
| 10-Year Record Keeping | Keep all technical documentation and your Declaration of Conformity for 10 years after the product is sold, even if you stop making it. CRA Article 13(18) |
| Cooperate With Authorities | If a market regulator asks for proof of security or needs help fixing a risk, you are legally required to provide the data and cooperate. CRA Article 13(22) |
| Voluntary Reporting | You are encouraged to report "near misses" or potential threats that haven't caused an incident yet. CRA Article 15 |
Together, these business and procedural obligations mean that cybersecurity under the CRA is a continuous responsibility that spans development, production, deployment, maintenance, and end-of-life of the product.
Impact on IoT Product Design and Manufacturing
The Cyber Resilience Act makes cybersecurity a hard engineering constraint. Security requirements now influence fundamental design decisions. Platforms that lack secure boot, hardware root of trust, or long-term software support may no longer be suitable for products placed on the EU market.
Beyond design, the CRA extends cybersecurity responsibility into manufacturing and lifecycle planning. Devices must leave the factory in a secure-by-default state, with appropriate mechanisms to support updates and vulnerability remediation. Manufacturers must also plan for long‑term maintenance and organisational readiness to meet their ongoing obligations.
In practice, the CRA drives several concrete changes across IoT development:
Earlier integration of security into hardware and software architecture.
Greater need for pre-validated secure platforms and modules.
Secure production and provisioning processes becoming mandatory.
How Grinn Can Help
Meeting the requirements of the Cyber Resilience Act requires a security-by-design approach and extensive technical expertise. This is where we at Grinn are ready to support our customers. As a company focused on IoT and embedded solutions, we help you address both technical requirements and procedural obligations. Here's how:
Turnkey Approach
When designing electronic products for our clients, we take a turnkey approach. We oversee the entire process from concept to production management, including full responsibility for CRA compliance. By the time the finished product lands on your desk, it carries all the necessary certifications and is ready to go to market.
Advanced Security Integration (OPTIGA™ Trust M)
To ensure unique device identity and secure key storage, we integrate the Infineon OPTIGA™ Trust M security controller into our custom designs and single-board computers like the GenioBoard. This certified security chip provides a protected vault for storing credentials, helping your device meet CRA requirements for preventing unauthorized access.
In-House Testing Lab
CRA requires a formal conformity assessment and the application of the CE marking. Sending a product for official certification only to have it fail can cost months of delays and thousands of euros. At Grinn, we maintain an in-house laboratory for pre-compliance testing. We perform rigorous EMC testing, signal integrity analysis, and environmental stress tests. Thanks to this approach, the final certification process becomes a formality.
Conclusions
The Cyber Resilience Act fundamentally changes how IoT products are designed and maintained for the EU market, making cybersecurity a mandatory product requirement. Manufacturers that embed security early and plan for long-term support will be best positioned to meet compliance obligations and guarantee themselves market access. If you are a late adopter, you risk costly redesigns or delays.