Summary

The EU Cyber Resilience Act (CRA) introduces specific cybersecurity requirements for IoT devices, recognizing their unique challenges and the diverse nature of IoT ecosystems. This article outlines the targeted cybersecurity measures and security-by-design principles that IoT device manufacturers must adhere to under the CRA.

Relevant CRA Provisions

• Recital (10)
• Recital (50)
• Article 2
• Article 12

Detailed Explanation

The CRA addresses the unique cybersecurity risks associated with IoT devices by imposing specific requirements tailored to their diverse nature. IoT devices, including smart home products with security functionalities, connected toys, and personal wearable health technology, are categorized as important products with digital elements due to the significant cybersecurity risks they pose. These products must undergo stricter conformity assessment procedures to ensure they meet the essential cybersecurity requirements.

Additionally, the CRA mandates that manufacturers incorporate security-by-design principles into the development of IoT devices. This includes conducting thorough cybersecurity risk assessments and implementing measures to mitigate identified risks. Where certain essential cybersecurity requirements are not applicable due to the nature of the product, manufacturers must provide a clear justification and take alternative measures to address any associated cybersecurity risks.

Obligations for Stakeholders

Manufacturers: Must ensure that IoT devices comply with the essential cybersecurity requirements, conduct cybersecurity risk assessments, and implement security-by-design principles. They must also provide clear justifications where certain requirements are not applicable and take alternative measures to address risks.

Distributors and Importers: Must ensure that IoT devices they make available on the market comply with the CRA’s requirements and that manufacturers have conducted the necessary assessments and implemented appropriate measures.