Blackfort TechnologyBlackfort Technology

Cyber Resilience Act for IoT, Embedded & Smart Products

Blackfort Technology · Cyber Resilience Act by industry

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

Connected products with digital elements – from smart locks and routers to wearables and industrial controllers – fall, as a rule, within the scope of the Cyber Resilience Act (Regulation (EU) 2024/2847). The trigger is a direct or indirect logical or physical data connection to a device or network (Art. 2(1), Art. 3(1)). For makers of IoT and embedded products this means: cybersecurity becomes a prerequisite for CE marking and therefore for market access in the EEA. This page offers technical-organisational orientation – not legal advice.

The decisive point: RED Delegated Regulation (EU) 2022/30 → CRA

For radio/wireless equipment there is a transition window that many IoT makers overlook. The Delegated Regulation (EU) 2022/30 activates the cybersecurity requirements of the Radio Equipment Directive (RED). It applies from 1 August 2025 and is repealed on 11 December 2027, when the CRA becomes generally applicable.

This creates an interim window from 1 August 2025 to 11 December 2027: during that period the RED cybersecurity requirements apply to radio equipment, after which the CRA supersedes them horizontally. Our recommendation for new development: build to the CRA now – the requirements overlap heavily, and anyone doing only the RED minimum today risks a second migration in 2027. A single, CRA-compliant design avoids duplicated effort.

Are your products affected?

A “product with digital elements” (PDE) is any software or hardware product together with its remote data processing solutions (Art. 3(1)). A cloud/back-end component whose absence would stop a product function, provided by the manufacturer, also counts as an integral part of the PDE (Art. 3(2)). Excluded are, among others, medical devices (MDR/IVDR), motor vehicles and products under equivalent Union rules (Art. 2). A purely standalone SaaS/cloud application generally does not fall under the CRA but under NIS2 – though the boundary is not always clear-cut at the edges.

Check your basic applicability with our CRA applicability check.

Product classes: how strictly is conformity assessed?

The CRA has four tiers (Art. 32, Annexes III/IV). The classification determines the conformity route. It is typically to be understood as follows – when in doubt, classify conservatively and have it reviewed:

Default (unclassified)

The rule for most products: self-assessment (Module A). No notified body required.

Important – Class I (Annex III)

Many connected consumer and industrial products can land here, e.g. smart-home assistants, smart locks/cameras/alarms, connected toys, health wearables, routers/modems/switches, microcontrollers with security functions. Self-assessment only if harmonised standards are fully applied – otherwise third-party assessment (Module B+C or H).

Important – Class II (Annex III)

E.g. firewalls, IDS/IPS and tamper-resistant micro-processors/-controllers. Here a third-party assessment by a notified body is always required – no self-assessment.

Critical (Annex IV)

E.g. secure elements, smart-meter gateways, HSMs. Often a European certification scheme (at least “substantial”).

Important: a notified body is mandatory only for Class II and critical products – not “all products need a notified body”. Details on classification are available under CRA product classes. The technical category descriptions are set out in Commission Implementing Regulation (EU) 2025/2392.

Core duties & action areas for IoT makers

From Annex I and the manufacturer duties (Art. 13/14), the following action areas are particularly relevant for connected products:

  • Secure default configuration: ship with secure defaults (security-by-default), no hard-wired default passwords, minimised attack surface.
  • Secure, free updates: provide security updates without delay and free of charge; separate security from feature updates where feasible; secure update distribution.
  • Support period: as a rule at least 5 years (or the shorter expected use). For long-lived embedded devices, plan this early into roadmap and BOM.
  • Vulnerability handling incl. SBOM: identify and document vulnerabilities and components – including an SBOM in a commonly used, machine-readable format, at least for top-level dependencies. The Regulation mandates no specific format (CycloneDX, SPDX etc. satisfy this as recognised formats).
  • CVD policy: a mandatory coordinated-vulnerability-disclosure policy including a contact address for reporting.
  • Technical documentation (Annex VII) & CE: architecture, SBOM, CVD policy, update distribution, risk assessment mapped to Annex I; EU Declaration of Conformity (Art. 28), CE marking (Art. 30). Retention at least 10 years (or the support period).
  • Reporting duties (Art. 14): report actively exploited vulnerabilities and severe incidents to the CSIRT/ENISA – early warning within 24 h, notification within 72 h, final report within 14 days after a fix is available (vulnerabilities) or within one month (incidents).

Timeline: these deadlines apply

DateWhat applies
10 December 2024CRA enters into force (no enforceable product duties yet).
1 August 2025RED Delegated Regulation (EU) 2022/30 applies – cybersecurity for radio equipment (interim window begins).
11 June 2026Notified-body provisions (Chapter IV) apply.
11 September 2026Manufacturer reporting duties (Art. 14) – also for products already on the market.
11 December 2027General application: Annex I requirements, conformity assessment, CE marking – RED 2022/30 is repealed at the same time.

Recommended roadmap: (1) classify the product portfolio and clarify applicability; (2) gap analysis against Annex I; (3) set up an SBOM pipeline and CVD policy; (4) establish update and support processes for ≥5 years; (5) prepare technical documentation and the conformity route. Anyone designing radio equipment to be CRA-compliant today also covers the RED interim and avoids the 2027 migration.

Background and overview: Cyber Resilience Act.

Frequently asked questions

Do my IoT devices really fall under the CRA?
As a rule yes: once a product has a direct or indirect data connection to a device or network, it is typically a product with digital elements (Art. 2(1), 3(1)). Exceptions exist for medical devices, motor vehicles and products under equivalent Union rules, among others. A reliable classification is not replaced by this general information.
What does RED Regulation (EU) 2022/30 mean for me?
For radio/wireless equipment, Delegated Regulation (EU) 2022/30 activates RED cybersecurity requirements from 1 August 2025. It is repealed on 11 December 2027 when the CRA becomes generally applicable. In this interim window it can be worthwhile to develop to CRA level straight away to avoid a second migration.
Do I need a notified body for my smart product?
Usually not. Most products are self-assessed (Module A). Important Class I products can self-assess if harmonised standards are fully applied. A notified body is typically mandatory only for important Class II (e.g. firewalls, IDS/IPS) and critical products.
Which SBOM format does the CRA mandate?
The CRA requires an SBOM in a commonly used, machine-readable format covering at least top-level dependencies (Annex I Part II). No specific format is mandated by statute; recognised formats such as CycloneDX or SPDX satisfy the requirement. The SBOM is disclosed to authorities on reasoned request, not necessarily published.
From when must I be compliant and what happens on breach?
The CRA entered into force on 10 December 2024; reporting duties (Art. 14) apply from 11 September 2026 and general application with CE marking from 11 December 2027. Depending on the breach, fines can reach up to EUR 15 million or 2.5% of worldwide annual turnover (Art. 64) – not to be confused with the GDPR framework.

Let's talk about your CRA readiness

Have your IoT portfolio assessed for CRA and RED applicability – we build a prioritised roadmap to 2027 with you.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.