Finite State Blog

Understanding Security by Design: EU CRA Guide for IoT Manufacturers

Written by Hannah Beazley | Nov 6, 2024 4:54:37 PM

The European Union's Cyber Resilience Act (CRA) is a landmark regulation designed to strengthen the security of connected devices throughout the EU market. By establishing rigorous security standards for IoT manufacturers, the EU CRA seeks to prevent cyber threats from infiltrating and compromising critical digital infrastructures and sets a clear expectation: security should not be an optional feature but a built-in, essential component of every IoT device.

As one of the most far-reaching and strict cybersecurity regulations in the world, the EU CRA is expected to influence other global markets, with other countries likely to adopt similar regimes and private companies likely to require their suppliers to meet the CRA standards to ensure the security of their connected devices (and ensure compliance with the CRA).

This post is part of a 6-part mini-series that will guide IoT manufacturers through the EU Cyber Resilience Act's requirements in detail, starting with the concept at the core of the EU CRA: secure by design and by default.

Why Secure by Design is Critical for IoT

IoT devices present a distinctive cybersecurity challenge. Their constant connectivity; their integration into sensitive environments such as smart homes, healthcare systems, and industrial control networks; and the vast amounts of personal and operational data they process make them prime targets for cyberattacks. Despite this, they remain inherently vulnerable: devices often lack robust security features, which exposes them to a wide range of threats, from data breaches to distributed denial of service (DDoS) attacks.

The EU CRA imposes security by design as a requirement because malicious actors frequently target IoT devices as an entry point for launching large-scale attacks. Such attacks can cause widespread disruption to entire networks or critical infrastructure systems, such as energy grids and transportation networks, putting both personal data and public safety at risk. Security by design is therefore the starting point for compliance with the CRA.

Specific Secure by Design Requirements Under the EU CRA

Design Phase Requirements

Under the CRA, manufacturers must integrate security practices during the design phase. This means incorporating the following features from day one:

  • Secure boot — to ensure devices only run trusted software, preventing malicious code from executing during startup.
  • Access controls — to regulate which users or systems can interact with the device.
  • Encryption — to safeguard the integrity and confidentiality of data both at rest and in transit.

These features are critical to reducing the attack surface and preventing common initial access techniques. 

Ensuring the supply chain security of all components also becomes crucial, as the CRA emphasizes the need to secure the entire production lifecycle, including third-party software and hardware providers. Therefore, manufacturers must implement secure-by-design principles down through their supply chain for hardware, software, and third-party components. This includes having identified security requirements, performing threat modeling during the design stage to anticipate potential attack paths, and incorporating security features that mitigate those risks. 

Default Security Settings

One of the CRA's key provisions is that devices must ship with advanced security settings enabled by default. This approach aligns with the CRA's user-first security philosophy, which recognizes that users cannot always be expected to configure sophisticated security mechanisms themselves, or even to realize that they need to.

As a result, features like default password protections, automatic firmware updates, and encrypted communication channels must be built into every device. That said, manufacturers must strike a careful balance between security and usability, so that secure defaults do not saddle consumers with complex initial setups or limited functionality out of the box. Clear documentation and intuitive set-up guides help keep customers from turning off critical protections in favor of convenience.
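
As an added illustration (not code from the original post or from Finite State), the following Python check compares a constructed "as shipped" device configuration with a hardened one against the three defaults named above: no shared factory password, automatic firmware updates on, and encrypted channels only. The JSON layout, key names, and values are assumptions made for this example.

```python
"""Lint an IoT device's shipped default configuration for the three
secure-by-default expectations discussed above. Format and keys are
constructed for this example, not a real product's schema."""
import json

# Constructed sample: defaults as a device might ship today (weak).
WEAK_DEFAULTS = """{
  "admin": {"password": "admin", "must_change_on_first_login": false},
  "updates": {"automatic": false, "server": "http://updates.example.invalid/fw"},
  "services": {"telnet": true, "http": true, "https": true, "mqtt_tls": false}
}"""

# Constructed sample: the same device with its defaults corrected.
HARDENED_DEFAULTS = """{
  "admin": {"password": "", "must_change_on_first_login": true},
  "updates": {"automatic": true, "server": "https://updates.example.invalid/fw"},
  "services": {"telnet": false, "http": false, "https": true, "mqtt_tls": true}
}"""

KNOWN_FACTORY_PASSWORDS = {"admin", "password", "1234", "root"}
PLAINTEXT_SERVICES = ("http", "telnet")


def check_defaults(config_text: str) -> list[str]:
    """Return a list of findings; an empty list means the defaults pass."""
    cfg = json.loads(config_text)
    findings = []
    admin = cfg.get("admin", {})
    # A factory password shared across units, or any password the user is
    # never forced to replace at first login, is the classic weak default.
    if (admin.get("password", "").lower() in KNOWN_FACTORY_PASSWORDS
            or not admin.get("must_change_on_first_login", False)):
        findings.append("default-password: shared factory credential or no forced change")
    upd = cfg.get("updates", {})
    if not upd.get("automatic", False):
        findings.append("updates: automatic firmware updates disabled by default")
    if not str(upd.get("server", "")).startswith("https://"):
        findings.append("updates: update server not reached over TLS")
    svc = cfg.get("services", {})
    for name in PLAINTEXT_SERVICES:
        if svc.get(name, False):
            findings.append(f"services: plaintext service '{name}' enabled by default")
    if not svc.get("mqtt_tls", False):
        findings.append("services: MQTT enabled without TLS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DEFAULTS), ("hardened", HARDENED_DEFAULTS)):
        print(label, check_defaults(cfg) or "OK")
```

A check like this belongs in the firmware build pipeline so that a release with weakened defaults fails before it ships.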

Lifecycle Security Management 

The CRA mandates ongoing security management throughout the product's lifecycle and makes manufacturers responsible for ensuring that devices remain protected from emerging threats.

To meet these requirements, manufacturers must deliver regular security updates, vulnerability patches, and critical firmware upgrades and develop an ongoing vulnerability monitoring and incident response strategy to swiftly address potential breaches or exploits in real-time. This includes, where possible, establishing systems for over-the-air (OTA) updates, ensuring that security patches are pushed to devices seamlessly without requiring user intervention. 

Additionally, manufacturers are expected to implement end-of-life security policies, specifying how long devices will receive updates and how to manage risks for devices beyond their supported lifecycle. This is particularly important as legacy devices could become vulnerable if they are no longer supported but remain in use.

EU CRA Compliance Advice for IoT Manufacturers

As outlined above, to fully comply with the CRA’s stringent security by design requirements, IoT manufacturers must implement a comprehensive, multi-phase approach that embeds security at every stage of product development and management. Here are four strategies to implement that will help you achieve compliance. 

  1. Conduct Security Risk Assessments: Security assessments should begin at the earliest design stages and continue throughout the product’s lifecycle. By identifying and addressing potential vulnerabilities early, manufacturers can reduce risk before products hit the EU market. Ongoing assessments ensure that new and evolving threats are detected and mitigated as they emerge, helping to maintain robust security even as the threat landscape evolves. It will also provide documentation that may be necessary to demonstrate compliance. 
  2. Integrate Security Testing: Manufacturers must implement continuous testing methodologies, including static code analysis, penetration testing, and vulnerability scanning, to identify potential security gaps. By performing regular testing throughout development and after deployment, vulnerabilities can be detected and addressed before they become critical, ensuring ongoing compliance with CRA standards. This area of compliance may provide a method of demonstrating due diligence to EU authorities, which could be critical in avoiding heavy fines in the event a vulnerability is discovered following release. 
  3. Establish a Robust Post-Deployment Strategy: Compliance with the CRA doesn’t end when a product ships — security must be maintained throughout the device's entire lifecycle. This requires a robust post-deployment strategy that includes continuous monitoring, timely vulnerability management, and an effective incident response plan. By implementing real-time monitoring and rapid response mechanisms, manufacturers can address emerging threats, deploy necessary patches, and ensure devices remain secure long after reaching the consumer. All of this will be critical to avoiding adverse findings and penalties under the CRA. 

Common Challenges and Solutions for IoT Manufacturers

Compliance with the CRA introduces several challenges for IoT manufacturers. However, with the right strategies, these challenges can be managed effectively:

  • Balancing Security and Usability: One of the core tensions in designing secure IoT devices is balancing strong security measures with ease of use. To mitigate this, manufacturers should design intuitive security features that protect users without compromising their experience. Automating security settings and providing simple yet secure default configurations are key.
  • Resource Constraints: Many manufacturers face budgetary or expertise-related challenges when implementing security measures. Manufacturers can streamline compliance efforts and reduce the strain on internal teams by investing in automated security tools and partnering with third-party experts like Finite State.
  • Staying Up-to-Date with EU CRA Requirements: The Cyber Resilience Act is likely to evolve, and staying compliant requires manufacturers to stay informed about regulatory updates. Regular engagement with regulatory bodies and partnerships with security specialists can help ensure companies remain compliant as standards evolve.

Conclusion

The EU Cyber Resilience Act marks a significant shift in how IoT devices must be designed, manufactured, and managed. By embedding security from the outset and maintaining it throughout the lifecycle, manufacturers not only comply with regulatory mandates but also enhance the resilience of their devices in an increasingly hostile cyber environment.

Finite State is uniquely positioned to help IoT manufacturers meet these challenges head-on. Our comprehensive security solutions, from automated assessments to continuous monitoring and detailed compliance reporting, empower manufacturers to build secure, resilient devices that comply with the EU CRA. 

Ready to streamline your compliance journey and fortify your IoT devices? Book a demo today to see how Finite State can help you meet EU CRA requirements and stay ahead of emerging threats.