EU Cyber Resilience Act

CRA compliance for IoT devices

Connected IoT devices are squarely products with digital elements, so the Cyber Resilience Act applies. Most are default-category and can self-assess — if the firmware’s components, updates and vulnerability handling are documented.

What to focus on

  • Inventory firmware and dependencies as an SBOM (CycloneDX/SPDX).
  • Provide a secure update mechanism and state the support period.
  • Handle known exploitable vulnerabilities before release; monitor for new CVEs.
  • Compile Annex VII documentation and sign the Declaration of Conformity for CE marking.

Frequently asked questions

Does the CRA apply to IoT devices?
Yes — connected IoT devices are products with digital elements and are in scope. Most are default-category and can self-assess.

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See what the CRA requires for your iot devices.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.