Adapting to new cybersecurity regulations can be challenging for embedded developers. Here, we discuss these challenges and introduce some tools for meeting them.
allaboutcircuits.com, May 01, 2025 –
Internet of Things (IoT) devices and ecosystems are increasingly attracting state, national, and supranational regulation that encourages developers to ensure their cybersecurity. The challenge for IoT developers is threefold:
In this article, we’ll explore these challenges in the context of the European Union’s Cyber Resilience Act (CRA). We’ll then discuss the role that independent third parties can play in validating developers’ efforts to meet its requirements.
The CRA requires that digital products and services that connect to other devices or networks be secure by design and resilient against cyber threats. Additionally, they must offer cybersecurity protections throughout their lifetime.
Many of the CRA’s technical requirements are what you would expect: implementing cybersecurity-by-design strategies, offering secure-by-default configurations, and adding appropriate levels of encryption and access control. However, the CRA also requires that manufacturers carry out risk assessments and keep them updated to address any vulnerabilities throughout the product’s life.
The CRA calls on manufacturers to apply due diligence when integrating third-party components or services into their products. As well, it asks for comprehensive documentation, including a declaration of conformity with the regulations.
The CRA entered into force on December 10, 2024. It’s being implemented in three phases:
For some, these deadlines represent a challenge that they would prefer not to think about. However, the costs of failing to address the CRA’s requirements can be high. These include fines of up to 2.5% of the manufacturer’s global annual turnover, restrictions on selling the product, and even product recalls.
Thoughtfully structured tools can help IoT developers consider the requirements of the CRA and how they should adjust their design processes in response. Such tools can also highlight areas in which their best efforts alone will be insufficient for meeting all the CRA’s requirements—for example, when the cybersecurity of the physical design is reliant upon an external service.