Upcoming IoT Security Legislation: The EU Cyber Resilience Act – What You Need To Do

Chris Jones, Crypto Quantique’s Director of Applications, discusses the best approach to meeting CRA challenges for IoT device security.

As the Director of Applications at Crypto Quantique, I’ve been closely following the developments of the European Union’s Cyber Resilience Act (CRA). With its approval by the European Parliament in March 2024, the CRA is set to be implemented later this year, with full compliance required within three years. This legislation is poised to revolutionise the landscape of IoT security by establishing robust cybersecurity standards for hardware and software in IoT devices destined for the EU market.

Key Provisions of the CRA

The CRA introduces several critical requirements for IoT devices and software:

Harmonized Rules: Establishes uniform cybersecurity standards for products with digital elements.

Lifecycle Security: Mandates cybersecurity measures throughout the product lifecycle, from design to end-of-life.

Documentation: Requires comprehensive documentation of cybersecurity practices and risk assessments.

CE Marking: Products must display the CE mark to indicate compliance with the new standards; failure to do so can result in market withdrawal.

Emphasising the Need for Preparation

In my recent talk at Hardware Pioneers in London, I emphasised the importance of being proactive in preparing for the CRA. We’re hearing that a lot of companies don’t know about it and therefore aren’t preparing for it. From my perspective, the CRA requires a lot of documentation work, right from the beginning of a design to the end; all aspects of the design process must be documented. We’re trying to get people to understand that they must do it, but certain areas of the implementation are quite difficult to get right.

The Impact of Non-Compliance

Failure to comply with the CRA can have severe consequences, including the release of vulnerable products, reputational damage, and significant fines. Additionally, products without the CE mark can be restricted or withdrawn from the market. I drew a parallel with the General Data Protection Regulation (GDPR), noting that GDPR suddenly became a major focus: although it had been around for a while, and there had been many attempts to raise awareness of it, it wasn’t until cookie-consent messages started popping up that people woke up. That’s what’s going to happen with the CRA.

Addressing Industry Challenges

The CRA has been a long time coming and addresses a critical need for enhanced security in IoT devices. Many device manufacturers have been complacent, believing their security measures were “good enough.” But what’s your risk analysis? How have you determined that? A common response is, “Oh, we didn’t do anything”, so how do you know you’re secure enough?

I’ve also noticed that manufacturers often shy away from implementing security measures due to cost concerns, relying instead on microcontroller companies that may not prioritise high security standards. To be fair to the microcontroller vendors, they have continued to add security peripherals to their parts. But customers are still finding them too complicated to use. So they put the chip on their board, sell the product and, if they’re asked whether the product has security on it, they can say yes, even though they haven’t actually enabled or implemented it.

Moving Forward

Better communication and tools are essential for improving security implementation. A hardware security root-of-trust, that is, a unique device identity combined with the ability to generate cryptographic keys, is implemented in many microcontrollers. However, it’s difficult to get working, and we have found that a lot of customers really struggle to enable it in their products. As a result, they look for software that lets them use this function. Crypto Quantique’s IoT security platform, QuarkLink, is a good example of such software.

On whether the Act was long overdue, I believe it should have been brought in a little earlier. There have been a lot of advancements in the microcontroller industry with the addition of security functions. These functions have been integrated into the components for several years, but legislation is needed to compel people to use them. Then it will become standard practice.

The CRA is poised to significantly enhance IoT security, and companies must start preparing now to ensure compliance and protect their products and reputations.