Tomorrow Golioth will join Canonical (our parent company) in a joint webinar discussing the Cyber Resilience Act (CRA) and how it impacts embedded device development. Edoardo Barbieri, product manager at Canonical, will discuss the impact on devices that live on the edge. We have previously talked to Kate Stewart of The Zephyr Project about how the CRA impacts RTOS-based devices.
How will the CRA impact embedded devices?
The CRA covers what the regulation calls “products with digital elements,” and that net is wide. If your device has a logical or physical connection to another device or a network, it’s in scope. It also happens to describe basically everything we work on at Golioth. Smart home gear, industrial sensors, wearables, gateways, the firmware running on them, and the cloud services those devices depend on all fall under the same umbrella.
For most embedded products, compliance is a self-assessment against a set of essential cybersecurity requirements. You document how you meet them, draw up an EU Declaration of Conformity, and affix the CE mark (self-certification). For some teams, the critical change is that security stops being a feature you bolt on. Instead, it’s a required default and becomes an obligation throughout and beyond the life of a product.
At a high level, the CRA expects you to:
- Design and develop the product securely from the start. Products are secure by default, with no known exploitable vulnerabilities at ship time.
- Keep and optionally publish a software bill of materials (SBOM) so you actually know what’s in your firmware.
- Handle vulnerabilities across the product’s support period, which the regulation expects to run at least five years for most devices (or the product’s expected lifetime).
- Be able to deliver security updates to devices already in the field.
- Report actively exploited vulnerabilities and severe incidents to ENISA on a tight clock. The first notification is due within 24 hours of becoming aware of the issue, and the reporting obligation starts on September 11, 2026.
That last set is where a lot of embedded teams feel the squeeze. Monitoring a fleet that’s already deployed, knowing which units are running which firmware, and pushing a fix in days rather than quarters are all difficult tasks. But those are exactly the problems that tools like device management, observability, and over-the-air updates are built to solve, which makes Golioth a natural fit.
Do you need to care about CRA if you’re not in the EU?
Short answer: yes, if you are planning to sell into that market.
Like GDPR before it, the CRA has extraterritorial reach. It applies to any product made available on the EU market. It doesn’t matter whether your company is headquartered in New York, Shenzhen, or Munich. If your connected device ends up in the hands of EU customers in the course of commercial activity (and “free” still counts as commercial here), you’re the manufacturer, and the full set of obligations lands on you.
This isn’t meant as a scare tactic, but as a point of information. Every product benefits from better security practices, and we all benefit from a marketplace full of secure IoT devices.
Sign up today
You can register for this webinar to watch live on June 24th at 4:30 PM CET (10:30 AM ET). We’ll walk through what the CRA means for the devices you’re building today, take your questions live, and dig into the practical side with Edoardo. Even if you can’t make it live, register and we’ll send you the recording.