EU Cyber Resilience Act
CRA compliance for IoT devices
Connected IoT devices are squarely products with digital elements, so the Cyber Resilience Act applies. Most are default-category and can self-assess — if the firmware’s components, updates and vulnerability handling are documented.
What to focus on
- Inventory firmware and dependencies as an SBOM (CycloneDX/SPDX).
- Provide a secure update mechanism and state the support period.
- Handle known exploitable vulnerabilities before release; monitor for new CVEs.
- Compile Annex VII documentation and sign the Declaration of Conformity for CE marking.
Frequently asked questions
- Does the CRA apply to IoT devices?
- Yes — connected IoT devices are products with digital elements and are in scope. Most are default-category and can self-assess.
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.