An Introduction to the Cyber Resilience Act (CRA) with Kate Stewart of The Zephyr Project

The Cyber Resilience Act (CRA) is a topic critical for anyone designing, developing, or manufacturing connected devices (AKA “Internet of Things” or “IoT” or “the stuff Golioth developers create”). If you haven’t heard about it yet, or are just starting to grasp its implications, you’re not alone. Companies and the engineers working at those companies are just now realizing the impact this new EU regulation will have on the industry.

The EU isn’t simply suggesting better cybersecurity practices; they are mandating a rigorous, lifecycle-long commitment to the security of products with digital elements, including your IoT devices. This legal framework aims to set the foundational conditions for creating secure digital products, ensuring they come to market with fewer vulnerabilities, and that manufacturers treat security as a continuous priority throughout a product’s entire lifespan. It also seeks to improve user awareness and access to information, enabling them to make more informed choices about secure products.

Personally, I had no idea what was coming, so I did what I normally do: ask an expert! I spoke with Kate Stewart from The Zephyr Project about how the open source ecosystem is planning to deal with these regulations and what engineers should do to prepare. Using the open source Real Time Operating System (RTOS) and its ecosystem means manufacturers can take advantage of additional tools and reporting capabilities they might not otherwise have. That video is below, along with additional information in this post that manufacturers might need.

You Need to Pay Attention. The CRA Has Teeth!

The Cyber Resilience Act (Regulation (EU) 2024/2847) is a uniform legal framework designed to strengthen the EU’s cybersecurity posture and enhance the internal market by ensuring that hardware and software products are placed on the market with a higher level of security. This legislation has significant enforcement provisions. Manufacturers are paying close attention because non-compliance can lead to administrative fines of up to €15,000,000 or 2.5% of the total worldwide annual turnover for the preceding financial year, whichever is higher. This substantial penalty is a primary driver for its rapid adoption across the industry, similar to how EU regulations historically influenced global markets, such as the widespread adoption of USB-C and GDPR.

The CRA addresses critical issues like the low level of cybersecurity in digital products, the prevalence of vulnerabilities, and inconsistent provision of security updates. The regulation officially entered into force in December of last year, starting the clock for compliance. While governments need to establish certain procedures by June 2026, manufacturers must begin adhering to reporting obligations just three months later, by September 11, 2026. The entire regulation will be fully applicable by December 11, 2027.

The term “manufacturer” under the CRA encompasses anyone with a commercial interest in a product with “digital” elements, which includes both software and hardware. This broad definition means it’s a catch-all for products not already covered by existing specific industry regulations.

The CRA applies primarily to “economic operators” who make products with digital elements available on the market in the course of a commercial activity. Most notably, this includes manufacturers, defined as “any natural or legal person who develops, manufactures, or markets products with digital elements under their name or trademark, whether for payment, monetisation, or free of charge.”

Key Requirements for Manufacturers and How Golioth Can Help

The CRA mandates several crucial obligations for manufacturers to ensure cyber resilience throughout a product’s lifecycle:

  • Vulnerability Handling and Support Period – Manufacturers must ensure vulnerabilities are handled effectively for a “support period,” which must be at least five years, or the product’s expected use time if shorter.
  • Reporting Obligations – This is where the rubber meets the road, as Kate mentioned (around 0:03:10).
    • Actively exploited vulnerabilities must be notified without undue delay, within 24 hours of awareness to the designated Computer Security Incident Response Team (CSIRT) and ENISA via a single reporting platform. A more detailed vulnerability notification is required within 72 hours, and a final report no later than 14 days after a corrective measure is available.
    • Severe incidents impacting product security also require a 24-hour early warning notification.
    • Manufacturers must also inform impacted users about the vulnerability or incident and any necessary risk mitigation measures.
  • Software Bill of Materials (SBOM) – Manufacturers are required to identify and document all components in their products, including by drawing up an SBOM in a commonly used, machine-readable format. This is vital for tracking known vulnerabilities and avoiding unnecessary updates. Kate highlighted how Zephyr’s capability to generate SBOMs with just a few lines of code puts them in a strong position for this requirement (around 0:08:00).
  • Secure by Design and Updates – Products must be available with a secure by default configuration. Manufacturers should design products to receive automatic security updates (with an opt-out mechanism) and ensure updates are disseminated without delay and generally free of charge.
  • CE Marking – Products with digital elements must bear the CE marking to indicate conformity with the CRA.
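The SBOM requirement above is only useful if someone actually cross-checks the bill of materials against advisories. The following is an added example, not Golioth's or Zephyr's own tooling: it parses a constructed SBOM fragment in the SPDX 2.2 tag-value shape (the format Zephyr's `west spdx` command writes out) and matches each package version against a constructed advisory list. Package names, versions and the `EXAMPLE-ADV-*` identifiers are invented for illustration; the point is that a component outside the affected range is reported as not needing an update.

```python
"""Cross-check an SPDX tag-value SBOM against an advisory list (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE
    package: str
    first_affected: str   # inclusive
    first_fixed: str      # exclusive


@dataclass(frozen=True)
class Match:
    package: str
    version: str
    advisory_id: str
    first_fixed: str


# Constructed SBOM fragment in SPDX 2.2 tag-value shape; names and versions are invented.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: app-build

##### Package: app

PackageName: app
SPDXID: SPDXRef-app
PackageVersion: 1.4.2
PackageDownloadLocation: NOASSERTION

##### Package: example-tls

PackageName: example-tls
SPDXID: SPDXRef-example-tls
PackageVersion: 2.1.3
PackageDownloadLocation: NOASSERTION

##### Package: example-json

PackageName: example-json
SPDXID: SPDXRef-example-json
PackageVersion: 0.9.0
PackageDownloadLocation: NOASSERTION
"""

# Constructed advisories with placeholder identifiers.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "example-tls", "2.0.0", "2.1.5"),
    Advisory("EXAMPLE-ADV-0002", "example-json", "1.0.0", "1.0.2"),
]


def parse_version(text):
    """Turn a dotted version string into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_sbom(text):
    """Return {package name: version} from an SPDX tag-value document.

    Tag-value files are line oriented: a 'PackageName:' line opens a package
    section and the following 'PackageVersion:' line belongs to it.
    """
    packages = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        value = value.strip()
        if tag == "PackageName":
            current = value
        elif tag == "PackageVersion" and current is not None:
            packages[current] = value
    return packages


def match_advisories(packages, advisories):
    """Return one Match per (package, advisory) pair whose version is in the affected range."""
    matches = []
    for adv in advisories:
        version = packages.get(adv.package)
        if version is None:
            continue  # component not in this product: nothing to update
        v = parse_version(version)
        if parse_version(adv.first_affected) <= v < parse_version(adv.first_fixed):
            matches.append(Match(adv.package, version, adv.advisory_id, adv.first_fixed))
    return matches


if __name__ == "__main__":
    for m in match_advisories(parse_sbom(SAMPLE_SBOM), SAMPLE_ADVISORIES):
        print(f"{m.package} {m.version} affected by {m.advisory_id}; fixed in {m.first_fixed}")
```

On the constructed input only `example-tls` is flagged; `example-json` 0.9.0 sits below the affected range, so no update is scheduled for it.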

How Golioth Assists Your Compliance

At Golioth, we’re keenly aware of these evolving regulations. Our platform’s capabilities are designed to help manufacturers meet many of these demands for their embedded IoT devices:

  • Over-the-Air (OTA) Updates – The CRA emphasizes the need for secure and timely distribution of security updates. Golioth’s OTA service is a direct answer to this, enabling manufacturers to quickly deploy security patches and new functionality to their fleet of devices, even thousands of miles away. This is crucial for addressing identified vulnerabilities and ensuring ongoing compliance.
  • Device Management and Remote Interaction – Our platform allows you to monitor and interact with your fleet. This helps manufacturers stay aware of their devices’ status and deliver necessary updates effectively.
  • Remotely manage and update device configurations – The Golioth Settings service enforces secure defaults across the entire fleet and keeps stored backup configurations.
  • Detect Anomalies – The CRA’s emphasis on “reporting on possible unauthorised access” [Annex I, Part I, point 2(d); 339, 671] is key here. By analyzing patterns in device logs (e.g., unusual data access, unexpected process starts) and streamed data, manufacturers can identify deviations from normal behavior that may indicate an intrusion attempt or an actively exploited vulnerability.
  • Continuous Data Feed – Devices can be configured to stream telemetry data, events, and critical security logs directly to the Golioth cloud. This provides manufacturers with the real-time visibility needed to “know when someone was in the system”. One example is a light detection circuit on a board that reports back over the Golioth stream service when a case is opened without authorization.
  • Facilitate Rapid Reporting – The CRA’s 24-hour reporting window for actively exploited vulnerabilities and severe incidents [Article 14(2)(a), 14(4)(a); 231, 233, 542, 544] is extremely tight. Centralized and accessible logs via Golioth enable manufacturers to quickly gather the necessary information for early warning notifications and subsequent detailed reports, ensuring compliance with these critical timelines.
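The two bullets on detecting anomalies and reporting quickly fit together: a detection that fires on device logs is also the moment the CRA clock starts. The following is an added example, not part of Golioth's platform, that runs three constructed detection rules over constructed device log lines (repeated authentication failures, a shell command on a device whose production firmware is assumed to have no interactive shell, and a tamper event) and then derives the notification deadlines from the time of awareness using the 24-hour, 72-hour and 14-day windows given above. The log format, thresholds and device ids are invented for illustration.

```python
"""Anomaly detection over constructed device logs plus CRA deadline tracking (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed log lines in an invented "<timestamp> <device> <level> <subsystem>: <message>" shape.
SAMPLE_LOGS = """\
2026-09-12T01:02:03Z dev-0001 INFO sensor: temperature=21.4
2026-09-12T01:02:09Z dev-0001 INFO ota: firmware 1.4.2 verified
2026-09-12T01:03:10Z dev-0002 INFO sensor: temperature=22.0
2026-09-12T01:03:11Z dev-0002 WARN auth: login failed user=admin src=10.0.0.7
2026-09-12T01:03:12Z dev-0002 WARN auth: login failed user=admin src=10.0.0.7
2026-09-12T01:03:13Z dev-0002 WARN auth: login failed user=admin src=10.0.0.7
2026-09-12T01:03:14Z dev-0002 WARN auth: login failed user=admin src=10.0.0.7
2026-09-12T01:03:15Z dev-0002 WARN auth: login failed user=admin src=10.0.0.7
2026-09-12T01:03:20Z dev-0002 INFO shell: command executed 'fs read /settings'
2026-09-12T01:04:00Z dev-0003 WARN tamper: case opened light=812
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<level>\w+) (?P<subsystem>\w+): (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Finding:
    device: str
    first_seen: datetime   # time of awareness: the CRA clock starts here
    kind: str
    detail: str


def parse_logs(text):
    """Parse log lines into (timestamp, device, subsystem, message) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["device"], m["subsystem"], m["msg"]))
    return events


def detect(events, fail_threshold=5, window=timedelta(seconds=60)):
    """Apply constructed rules and return one Finding per anomaly, in log order."""
    findings = []
    failures = {}  # (device, source) -> timestamps of recent failures within the window
    for ts, device, subsystem, msg in events:
        if subsystem == "auth" and "login failed" in msg:
            src = re.search(r"src=(\S+)", msg)
            key = (device, src.group(1) if src else "unknown")
            recent = [t for t in failures.get(key, []) if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) == fail_threshold:  # fire once when the threshold is reached
                findings.append(Finding(
                    device, recent[0], "auth-bruteforce",
                    f"{fail_threshold} failed logins from {key[1]} within {int(window.total_seconds())}s",
                ))
        elif subsystem == "shell":
            # Assumed policy: production firmware has no shell, so any command is unexpected.
            findings.append(Finding(device, ts, "unexpected-command", msg))
        elif subsystem == "tamper" and "case opened" in msg:
            findings.append(Finding(device, ts, "physical-tamper", msg))
    return findings


def cra_deadlines(awareness, corrective_measure_available=None):
    """Notification deadlines counted from awareness, per the windows quoted in the post.

    The final report is due 14 days after a corrective measure is available, so it is
    only computed once that date is known.
    """
    deadlines = {
        "early_warning": awareness + timedelta(hours=24),
        "vulnerability_notification": awareness + timedelta(hours=72),
    }
    if corrective_measure_available is not None:
        deadlines["final_report"] = corrective_measure_available + timedelta(days=14)
    return deadlines


if __name__ == "__main__":
    for f in detect(parse_logs(SAMPLE_LOGS)):
        print(f"{f.device} {f.kind}: {f.detail}")
        for name, when in cra_deadlines(f.first_seen).items():
            print(f"  {name}: {when.isoformat()}")
```

The brute-force rule reports the timestamp of the first failure in the window as `first_seen`, which is the conservative choice for starting the reporting clock; whether a given finding actually constitutes an actively exploited vulnerability or a severe incident is a triage decision the code does not make.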

The EU’s Cyber Resilience Act is a significant step towards ensuring more secure digital products for consumers, moving away from a “throwaway economy” (around 6:50). It’s a call for manufacturers to prioritize cybersecurity throughout the product lifecycle. By leveraging robust platforms like Golioth, built on secure foundations like Zephyr, you can better navigate these regulations and deliver more resilient IoT products.

Want to learn more about how Golioth’s Firmware SDK and platform can help your product meet these new cybersecurity challenges? Check out our documentation and examples, schedule a discovery call, or join the discussion on our forum!

Chris Gammell
Chris is the Head of Developer Relations and Hardware at Golioth. Focusing on hardware and developer relations at that software company means that he is trying to be in the shoes of a hardware or firmware developer using Golioth every day. He does that by building hardware and reference designs that Golioth customers can use to bootstrap their own designs.
