The CRA and Your Backend: When the Cloud Platform Becomes Part of the Product

In the world of IoT and connected devices, the user-facing hardware is almost never standalone; it is often functionally dependent on a backend service (cloud platform, APIs, remote databases) to perform its essential functions.

The EU Cyber Resilience Act (CRA) is a product-centric regulation, but its scope is deliberately broadened to capture these necessary "backend services."

The Key Definition: "Remote Data Processing Solution"

The CRA doesn't just regulate the physical device or the downloadable software. It explicitly includes "remote data processing solutions" within the definition of a "product with digital elements" (PDE), provided two key conditions are met:

  1. Functional Necessity: The remote data processing (your backend) is processing for which the software is designed and developed by, or under the responsibility of, the manufacturer, and the absence of which would prevent the product from performing one of its functions.

    • Example: If your smart sensor needs to connect to your proprietary cloud platform to store, process, or send configuration data to function correctly, that cloud backend component is in scope.

  2. Responsibility of the Manufacturer: The backend service is developed by, or under the responsibility of, the manufacturer placing the final product on the market.

Crucial Distinction: The CRA does not regulate pure Software-as-a-Service (SaaS) offerings that are wholly independent of a physical or downloadable product. Those are generally covered by the NIS 2 Directive. The CRA only steps in when the remote service is integral to the product's function.

Essential Requirements for the CRA-Relevant Backend

For the components of your backend that fall under the "remote data processing solution" definition, your security teams must ensure they comply with the CRA's Essential Requirements (Annex I), just as they must for the hardware and firmware:

1. Security by Design and Default

  • Risk Assessment: Manufacturers must conduct a thorough cybersecurity risk assessment during the planning and design phase and take the outcome into account throughout the entire product lifecycle to minimize risks.

  • Reduced Attack Surface: The back-end must be designed and developed to limit attack surfaces and reduce the impact of potential security incidents.

  • Secure Configuration: Products must be delivered with secure-by-default settings and allow users to reset to a secure state. This includes banning weak default passwords.

  • Data Protection: The back-end must ensure the confidentiality and integrity of processed data, particularly through mechanisms like encryption of data at rest and in transit. It must also adhere to data minimization principles.

  • Access Control: Robust protection against unauthorised access is mandatory, typically achieved through strong authentication, identity, and access management systems.

2. Lifecycle Vulnerability Management

  • Vulnerability Handling Process: The manufacturer must establish and implement a process for handling vulnerabilities across the product's lifespan.

  • Updates and Patching: Security updates must be made available without delay and free of charge to address vulnerabilities throughout the product's defined support period. For the cloud back-end, this means continuous patching and security maintenance.

  • Software Bill of Materials (SBOM): Manufacturers must provide technical documentation, including an SBOM, which is a list of all software components used in the product. This helps in tracking and addressing vulnerabilities in third-party components.

3. Reporting and Transparency

  • Incident and Vulnerability Reporting: Manufacturers are obligated to report actively exploited vulnerabilities and severe security incidents affecting the product to the relevant authorities (e.g., ENISA) within 24 hours of becoming aware of them.

  • User Communication: Users must be informed about security incidents and provided with mitigation measures in a timely manner.

  • Technical Documentation: Comprehensive documentation covering the design, risk assessment, and vulnerability management of the cloud back-end must be maintained and made available to market surveillance authorities.

Applicability

The CRA is a product-centric regulation. A cloud back-end is subject to these rules if it meets the definition of a remote data processing solution that is:

  1. Integrated into or connected to a product with digital elements (such as an IoT device, smart home appliance, or operating system).

  2. Developed under the responsibility of the product manufacturer (or of a third party acting on the manufacturer's behalf).

If a cloud service is offered as a pure Software-as-a-Service (SaaS) and does not qualify as a component of a "product with digital elements" under the CRA's definition, it would primarily be subject to other EU legislation like the NIS2 Directive instead of the CRA.

The requirements for full compliance are set to apply from December 11, 2027.

Test of Things is designed to automate cybersecurity compliance of end-to-end IoT systems, including devices, back-ends and mobile applications.
