Cyber Resilience Act obligations for IoT manufacturers, importers, and distributors

The EU adopted the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) in 2024. Its main obligations apply from 11 December 2027, with the vulnerability and incident reporting duties of Article 14 applying earlier, from 11 September 2026. There seems to be some confusion about the scope of the CRA: it covers "products with digital elements", that is, hardware and software products that can connect directly or indirectly to a device or network, which includes IoT and similar products whether they are sold to consumers or to businesses. In this blog post, I give some taste of the CRA based on Article 13, "Obligations of manufacturers".

A product with digital elements placed on the EU market must meet the essential cybersecurity requirements in CRA Annex I. To get there, the manufacturer has to carry out a cybersecurity risk assessment, design and build the product so that the identified risks are mitigated, and record that assessment in the technical documentation. The manufacturer must also put the product through the applicable conformity assessment procedure (internal control for the default category, with stricter procedures, often involving a third-party conformity assessment body, for the "important" and "critical" product categories of Annexes III and IV) and draw up technical documentation, which must be provided to market surveillance authorities on request. The support period must be at least five years, unless the product is expected to be in use for a shorter time; throughout it, the manufacturer must monitor the product's security situation, handle reported and discovered vulnerabilities, and distribute security updates without delay. The manufacturer's responsibility covers the third-party and open-source components integrated into the product, not only its own code. The manufacturer must also maintain a software bill of materials (SBOM) in a commonly used, machine-readable format, covering at least the product's top-level dependencies; the SBOM is part of the technical documentation and is provided to authorities on request.

The above highlighted some CRA obligations for IoT product manufacturers. However, importers and distributors are not off the hook: CRA Article 19, "Obligations of importers", and Article 20, "Obligations of distributors", give them obligations of their own. Before placing a product on the market or making it available, they must verify that the manufacturer has carried out the conformity assessment, drawn up the technical documentation and applied the CE marking, and they must not supply a product they have reason to believe does not conform. If they learn of a vulnerability in a product they supply, they must inform the manufacturer without undue delay. An importer or distributor that markets a product under its own name or trademark, or substantially modifies it, is treated as a manufacturer under Article 22 and takes on the full Article 13 obligations.

At Test of Things, we provide assessment and support for achieving CRA compliance, including the required technical documentation. Our approach relies on tools and automation so that our customers stay compliant with the CRA as the threat landscape and the regulation evolve. Contact us if you want our help with the CRA obligations or other IoT security requirements!
