3 key standards for achieving CRA compliance in consumer devices
There’s a lot of confusion around the Cyber Resilience Act (CRA). But, for consumer IoT devices, a few key standards contain everything you need to meet compliance.
Cybersecurity regulations in the EU are becoming more rigorous—and for good reason. Connected technology underpins everything from household devices to critical infrastructure, and as cyberattacks grow more frequent and sophisticated, the need for stronger protections has never been greater.
The Cyber Resilience Act is at the forefront of this effort, introducing new requirements to ensure IoT devices are secure throughout their lifecycle. From design and production to updates and vulnerability management, compliance with the CRA will soon be mandatory for most connected devices sold in the EU.
However, with pages of dense regulatory text to decipher and the challenge of identifying the right standards to follow, many businesses find it unclear how they should proceed. And NIS 2 is only adding to the confusion.
The good news? For manufacturers of consumer IoT devices, a few standards are all you need to become CRA compliant.
First, a quick guide to CRA
The Cyber Resilience Act introduces rigorous standards for the entire lifecycle of connected devices—including their design, development, production, and maintenance. These requirements apply to any product connected, either directly or indirectly, to another device or network. This includes everything from TVs and toys to security lights and smart fridges. The only exceptions to this are products that fall under existing cybersecurity rules, such as cars, medical devices, and aerospace products.
CRA carries the following key requirements:
Secure design: Security must be embedded in every stage of the product design process, ensuring it’s a foundational element rather than an afterthought.
Vulnerability management: Manufacturers are required to continuously monitor for vulnerabilities, assessing and addressing risks throughout the product’s lifecycle.
Commitment to updates: Devices must receive regular security updates for at least five years, ensuring ongoing protection against emerging threats.
Software Bill of Materials (SBOM): A detailed SBOM must be maintained, listing all software components within a device. This transparency helps identify and manage vulnerabilities effectively.
Data control: Personal data must be handled transparently and with the user’s consent (in line with GDPR), and users must be able to delete it easily.
The Act is due to come into force on 10 December 2024. Device manufacturers then have three years to comply, withdraw non-compliant products from European markets, or risk a hefty fine. From December 2027, digital devices will bear the Conformité Européenne—better known as the CE mark—to show their compliance.
How to be a secure supplier to NIS 2 customers
The Network and Information Security Directive 2 (NIS 2) concerns organisations providing critical national infrastructure – hospitals, banks, energy, water, etc. You can read more about what it means for device manufacturers in our previous blog post.
While most consumer device manufacturers are not expected to comply with NIS 2, there’s a good chance some of their customers are. And these customers are obligated to ensure that the connected devices they use—from security lights to printers—are secure.
Unfortunately, there seems to be some confusion about how to go about this. Some NIS 2 companies are even asking their suppliers to comply with the ISO 27000 series, but that is aimed at applications handling lots of personal data; it’s not appropriate for most IoT devices.
So what’s the answer? The most straightforward approach is to make sure devices carry the CE mark, proving they comply with the Cyber Resilience Act.
How to comply with CRA and achieve your CE mark
A supporting document for CRA lists no fewer than 34 cybersecurity standards considered relevant to compliance. But rather than getting lost in the weeds of requirements and standards, consumer IoT devices really require just a few of these documents: EN 303 645, ISO 29147, and ISO 30111. These three standards work together to cover the main aspects of CRA compliance.
EN 303 645 aims to enhance the security of consumer IoT devices. It provides practical guidelines to help manufacturers embed robust security into their products from the outset.
Key elements of EN 303 645 include:
- Devices must not use universal default passwords, such as “admin” or “password.” Instead, each device should have unique credentials or have users create their own secure password when they set up the device.
- Updates must be delivered securely, using methods such as encryption and digital signing to prevent tampering or the installation of malicious software.
- Manufacturers must safeguard stored and transmitted data, ensuring that sensitive information cannot be accessed or altered by unauthorised parties.
- Devices should be designed to withstand common cyber threats, such as denial-of-service (DoS) attacks and exploitation of software vulnerabilities.
- Manufacturers must maintain processes for monitoring, identifying, and addressing vulnerabilities throughout the device’s lifecycle.
Implementing this standard involves a structured process: reviewing key concepts and definitions, applying the provisions, completing a conformance statement, and preparing for assessment.
Complying with EN 303 645 means you’ve already covered 90% of the essential security measures required by the CRA. However, you’ll still need policies for handling vulnerabilities reported to you, as well as notifying your end-users of vulnerabilities and getting updates out to them. That’s where the ISOs come in…
ISO/IEC 29147 focuses on vulnerability disclosure, providing organisations with guidelines for managing reports of vulnerabilities in their products or services. It outlines the best practices for establishing a clear, structured process to receive, assess, and address vulnerability reports. This, in turn, allows for timely communication with affected stakeholders and regulatory bodies.
Key requirements include:
- Setting up clear, accessible channels for receiving vulnerability reports, such as dedicated email addresses, online forms, or bug bounty platforms.
- Developing and publishing a vulnerability disclosure policy that outlines how the organisation handles vulnerability reports.
- Acknowledging reports from security researchers promptly and maintaining open communication throughout the resolution process.
- Prioritising vulnerabilities based on factors like severity, exploitability, and potential impact on users.
- Coordinating with affected stakeholders to ensure timely updates and mitigate risks.
- Publishing security advisories that inform users of a vulnerability, the fix, and any required actions to secure their systems or devices.
ISO/IEC 30111 complements ISO/IEC 29147, providing guidelines for handling and remediating vulnerabilities once they have been identified. The standard details the processes required to analyse, prioritise, and mitigate vulnerabilities effectively, ensuring that organisations respond to potential threats in a timely and efficient manner.
Key elements include:
- Establishing a structured workflow for vulnerability remediation.
- Assigning responsibilities for assessing and resolving issues.
- Ensuring updates and fixes are securely deployed to affected devices or systems.
By following these standards, your business can self-certify to CRA and put the CE mark on your products—provided you comply with the existing electrical requirements, of course.
But let’s be clear: while we’ve provided a simplified reading list to help you meet compliance, there’s still a lot to consider: How do you monitor vulnerabilities in third-party components? How can you be sure software is securely installed during production? Who is allowed to digitally sign software? What physical security is needed to protect private keys? Do staff need additional security training? And much more.
Selecting a software partner
The deadline for full compliance may be years away but, for device manufacturers, the clock is already ticking.
Beyond the risk of steep fines for failing to meet CRA requirements in time, the competitive landscape is shifting. NIS 2 organisations are actively prioritising suppliers who meet their cybersecurity standards. So, falling behind on compliance could mean losing out on critical opportunities.
Choosing the right software partner is essential for ensuring your product remains secure and compliant. Look for a partner who offers stability through ongoing support and updates, flexibility to adapt to evolving security threats, and foresight to future-proof your product. A quality-driven approach is key—prioritising expertise in compliance, rigorous testing to catch issues early, and robust automated testing to maintain reliability at scale.
At Bluefruit Software, we understand the complexities of building secure, compliant IoT products. With extensive experience writing exceptional code for a range of quality-critical devices, we offer a range of services to help you meet CRA compliance. Whether you require a compliance health check, consultancy or full lifecycle software development and support, get in touch; we’re here to help you navigate the process with confidence.