Cyber Resilience Act for IoT, Embedded & Smart Products
Connected products with digital elements – from smart locks and routers to wearables and industrial controllers – fall, as a rule, within the scope of the Cyber Resilience Act (Regulation (EU) 2024/2847). The trigger is a direct or indirect logical or physical data connection to a device or network (Art. 2(1), Art. 3(1)). For makers of IoT and embedded products this means: cybersecurity becomes a prerequisite for CE marking and therefore for market access in the EEA. This page offers technical-organisational orientation – not legal advice.
The decisive point: RED Delegated Regulation (EU) 2022/30 → CRA
For radio/wireless equipment there is a transition window that many IoT makers overlook. The Delegated Regulation (EU) 2022/30 activates the cybersecurity requirements of the Radio Equipment Directive (RED). It applies from 1 August 2025 and is repealed on 11 December 2027, when the CRA becomes generally applicable.
This creates an interim window from 1 August 2025 to 11 December 2027: during that period the RED cybersecurity requirements apply to radio equipment, after which the CRA supersedes them horizontally. Our recommendation for new development: build to the CRA now – the requirements overlap heavily, and anyone doing only the RED minimum today risks a second migration in 2027. A single, CRA-compliant design avoids duplicated effort.
Are your products affected?
A “product with digital elements” (PDE) is any software or hardware product together with its remote data processing solutions (Art. 3(1)). A cloud/back-end component whose absence would stop a product function, provided by the manufacturer, also counts as an integral part of the PDE (Art. 3(2)). Excluded are, among others, medical devices (MDR/IVDR), motor vehicles and products under equivalent Union rules (Art. 2). A purely standalone SaaS/cloud application generally does not fall under the CRA but under NIS2 – though the boundary is not always clear-cut at the edges.
Check your basic applicability with our CRA applicability check.
Product classes: how strictly is conformity assessed?
The CRA has four tiers (Art. 32, Annexes III/IV). The classification determines the conformity route. It is typically to be understood as follows – when in doubt, classify conservatively and have it reviewed:
Default (unclassified)
The rule for most products: self-assessment (Module A). No notified body required.
Important – Class I (Annex III)
Many connected consumer and industrial products can land here, e.g. smart-home assistants, smart locks/cameras/alarms, connected toys, health wearables, routers/modems/switches, microcontrollers with security functions. Self-assessment only if harmonised standards are fully applied – otherwise third-party assessment (Module B+C or H).
Important – Class II (Annex III)
E.g. firewalls, IDS/IPS and tamper-resistant micro-processors/-controllers. Here a third-party assessment by a notified body is always required – no self-assessment.
Critical (Annex IV)
E.g. secure elements, smart-meter gateways, HSMs. Often a European certification scheme (at least “substantial”).
Important: a notified body is mandatory only for Class II and critical products – not “all products need a notified body”. Details on classification are available under CRA product classes. The technical category descriptions are set out in Commission Implementing Regulation (EU) 2025/2392.
Core duties & action areas for IoT makers
From Annex I and the manufacturer duties (Art. 13/14), the following action areas are particularly relevant for connected products:
- Secure default configuration: ship with secure defaults (security-by-default), no hard-wired default passwords, minimised attack surface.
- Secure, free updates: provide security updates without delay and free of charge; separate security from feature updates where feasible; secure update distribution.
- Support period: as a rule at least 5 years (or the shorter expected use). For long-lived embedded devices, plan this early into roadmap and BOM.
- Vulnerability handling incl. SBOM: identify and document vulnerabilities and components – including an SBOM in a commonly used, machine-readable format, at least for top-level dependencies. The Regulation mandates no specific format (CycloneDX, SPDX etc. satisfy this as recognised formats).
- CVD policy: a mandatory coordinated-vulnerability-disclosure policy including a contact address for reporting.
- Technical documentation (Annex VII) & CE: architecture, SBOM, CVD policy, update distribution, risk assessment mapped to Annex I; EU Declaration of Conformity (Art. 28), CE marking (Art. 30). Retention at least 10 years (or the support period).
- Reporting duties (Art. 14): report actively exploited vulnerabilities and severe incidents to the CSIRT/ENISA – early warning within 24 h, notification within 72 h, final report within 14 days after a fix is available (vulnerabilities) or within one month (incidents).
Timeline: these deadlines apply
| Date | What applies |
|---|---|
| 10 December 2024 | CRA enters into force (no enforceable product duties yet). |
| 1 August 2025 | RED Delegated Regulation (EU) 2022/30 applies – cybersecurity for radio equipment (interim window begins). |
| 11 June 2026 | Notified-body provisions (Chapter IV) apply. |
| 11 September 2026 | Manufacturer reporting duties (Art. 14) – also for products already on the market. |
| 11 December 2027 | General application: Annex I requirements, conformity assessment, CE marking – RED 2022/30 is repealed at the same time. |
Recommended roadmap: (1) classify the product portfolio and clarify applicability; (2) gap analysis against Annex I; (3) set up an SBOM pipeline and CVD policy; (4) establish update and support processes for ≥5 years; (5) prepare technical documentation and the conformity route. Anyone designing radio equipment to be CRA-compliant today also covers the RED interim and avoids the 2027 migration.
Background and overview: Cyber Resilience Act.
Frequently asked questions
Do my IoT devices really fall under the CRA?
What does RED Regulation (EU) 2022/30 mean for me?
Do I need a notified body for my smart product?
Which SBOM format does the CRA mandate?
From when must I be compliant and what happens on breach?
Let's talk about your CRA readiness
Have your IoT portfolio assessed for CRA and RED applicability – we build a prioritised roadmap to 2027 with you.
Request a first call Check eligibility