Markings
Back to Blog
Compliance Guides
18 min read

EU Cybersecurity Act: New Requirements for IoT Devices in 2025

The EU Cybersecurity Act introduces mandatory security requirements for connected devices. Learn what manufacturers of IoT products must do to comply.

T

Thibault Helle

EU Cybersecurity Act requirements for IoT and connected devices

The EU Cybersecurity Act and related regulations are transforming security requirements for connected devices. This guide explains what IoT manufacturers need to know about compliance in an increasingly security-focused regulatory landscape.

Understanding the EU Cybersecurity Framework

The EU has implemented comprehensive cybersecurity legislation affecting IoT devices, creating a multi-layered regulatory framework:

1. Cybersecurity Act (Regulation 2019/881)

The foundational EU cybersecurity legislation that:

  • Establishes EU cybersecurity certification framework: Creates harmonized approach to product security certification
  • Creates common security standards: Provides consistent baseline across member states
  • Strengthens ENISA's role: European Union Agency for Cybersecurity gains enhanced mandate for coordination
  • Enables voluntary certification schemes: Initially voluntary, becoming mandatory for specific product categories
  • Facilitates mutual recognition: Certificates recognized across all EU member states

Key provisions:

  • Three assurance levels: Basic, substantial, and high
  • Product-specific certification schemes
  • Regular review and update mechanisms
  • Market surveillance coordination

2. Cyber Resilience Act (CRA) - Proposed

The most significant upcoming change, expected to apply from 2025-2027:

Scope:

  • Mandatory cybersecurity requirements for products with digital elements
  • Covers hardware and software products
  • Applies throughout entire product lifecycle
  • Includes post-market obligations

Core requirements:

  • Security by design and by default
  • Vulnerability handling and disclosure
  • Mandatory security updates
  • Supply chain security measures
  • Conformity assessment procedures
  • CE marking for cybersecurity

Product categorization:

  • Class I (Default): Most products, lower cybersecurity risk
  • Class II (Important): Products with significant security implications
  • Critical products: Highest security requirements

Implementation timeline:

  • Regulation adoption: Expected 2024-2025
  • Transition period: 24-36 months
  • Full enforcement: Likely 2026-2028

3. NIS2 Directive

Network and Information Security Directive (revised):

  • Network and information security requirements: Essential services must implement security measures
  • Applies to critical infrastructure: Energy, transport, healthcare, digital infrastructure
  • Supply chain security obligations: Risk management for suppliers and service providers
  • Incident reporting: Mandatory breach notification within 24 hours
  • Accountability: Management liability for security failures

Impact on IoT manufacturers:

  • Products sold to essential entities must meet NIS2 requirements
  • Supply chain security documentation required
  • Incident response capabilities necessary
  • Security testing and certification may be mandated

4. Radio Equipment Directive (RED)

Article 3(3)(d)-(f) requirements for wireless devices:

  • Protection of networks from harm
  • Protection of personal data and privacy
  • Protection against fraud
  • Applied to consumer-facing wireless IoT devices

Integration with Existing Frameworks

Cybersecurity requirements integrate with:

  • CE marking directives: Cybersecurity as essential requirement
  • GDPR: Data protection and privacy
  • Product Safety Regulation: Overall product safety framework
  • Market Surveillance Regulation: Enforcement coordination

Who is Affected?

The cybersecurity regulations apply broadly across the IoT ecosystem:

Manufacturers

Primary responsibility holders including:

Consumer IoT devices:

  • Smart home devices (thermostats, cameras, door locks)
  • Wearables (fitness trackers, smart watches)
  • Connected entertainment (smart TVs, streaming devices)
  • Home networking equipment (routers, extenders)
  • Smart appliances (refrigerators, washing machines)

Industrial IoT equipment:

  • Manufacturing automation
  • Process control systems
  • Remote monitoring devices
  • Industrial sensors and actuators
  • Building management systems

Connected medical devices:

  • Remote patient monitoring
  • Connected diagnostic equipment
  • Implantable devices with connectivity
  • Hospital IoT infrastructure

Automotive electronics:

  • Telematics systems
  • Over-the-air update systems
  • Vehicle-to-everything (V2X) communication
  • Autonomous driving systems
  • In-vehicle infotainment

Network equipment:

  • Switches and routers
  • Access points
  • Network security appliances
  • Telecommunications equipment

Software products with security implications:

  • Operating systems
  • Security software
  • Network management software
  • Cloud services and platforms

Importers and Distributors

Extended responsibilities:

  • Verify manufacturer compliance before placing on market
  • Ensure technical documentation available
  • Cooperate with market surveillance authorities
  • Report known cybersecurity issues
  • Maintain traceability records

Economic Operators in Supply Chain

  • Component suppliers must provide security information
  • Software vendors must disclose vulnerabilities
  • Cloud service providers must ensure security
  • Open source maintainers face new obligations

Key Requirements for IoT Devices

1. Security by Design

Products must be designed with cybersecurity from the start:

Risk Assessment During Design Phase:

  • Threat modeling of system architecture
  • Attack surface analysis
  • Privacy impact assessment
  • Data flow security analysis
  • Identification of security-critical components

Secure Development Practices:

  • Secure coding guidelines implementation
  • Code review processes
  • Security testing integration in development
  • Version control and change management
  • Security training for development teams

Threat Modeling:

  • STRIDE methodology application (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
  • Attack tree development
  • Vulnerability prioritization
  • Mitigation strategy planning

Security Architecture Documentation:

  • Component security boundaries
  • Trust relationships
  • Authentication and authorization flows
  • Cryptographic key management
  • Secure communication channels
  • Security assumptions and dependencies

2. Secure Default Configuration

No security weaknesses in out-of-box configuration:

No Default Passwords:

  • Unique credentials per device
  • Forced password change on first use
  • Strong password requirements
  • Account lockout policies
  • Password complexity enforcement

Minimal Attack Surface:

  • Only necessary services enabled
  • Debug features disabled in production
  • Unused ports and interfaces disabled
  • Minimal software footprint
  • Principle of least functionality

Secure Protocols Enabled by Default:

  • TLS 1.2 or higher for communications
  • Strong cipher suites
  • Certificate validation enabled
  • Secure boot mechanisms
  • Encrypted storage

Unnecessary Services Disabled:

  • No Telnet, FTP, or insecure protocols
  • Unused network services shut down
  • Background services minimized
  • Administrative interfaces protected

3. Vulnerability Management

Comprehensive approach to security flaws:

Process for Receiving Vulnerability Reports:

  • Public security contact information
  • Coordinated vulnerability disclosure (CVD) policy
  • Vulnerability reporting form or email
  • Acknowledgment within defined timeframe
  • Clear escalation procedures

Timely Security Updates:

  • Critical vulnerabilities patched within days
  • High-severity issues within weeks
  • Regular security patch releases
  • Emergency update capability
  • Backwards compatibility considerations

Vulnerability Disclosure Policy:

  • Public disclosure timing (typically 90 days)
  • Coordination with affected parties
  • CVE number assignment
  • Security advisory publication
  • Credit to researchers

Incident Response Procedures:

  • Incident classification system
  • Response team and responsibilities
  • Investigation and root cause analysis
  • Containment and remediation
  • Customer communication plan

4. Software Updates

Mandatory update capabilities:

Ability to Receive Security Updates:

  • Over-the-air (OTA) update mechanism
  • Secure update channel (signed updates)
  • Automatic update checking
  • Fallback and recovery mechanisms
  • Update notification system

Clear Update Policy and Timeline:

  • Defined support period (minimum 3-5 years for consumer products)
  • End-of-life (EOL) communication policy
  • Update frequency commitment
  • Legacy version support policy
  • Post-EOL security guidance

Automated Update Mechanisms:

  • Background update downloads
  • Scheduled installation windows
  • Minimal user interaction required
  • Automatic rollback on failure
  • Update verification before installation

User Notification of Available Updates:

  • In-device notifications
  • Email alerts
  • Web portal information
  • Release notes and changelogs
  • Critical vs. optional update distinction

5. Data Protection

GDPR-compliant security measures:

Encryption of Sensitive Data:

  • Data in transit encryption (TLS 1.2+)
  • Data at rest encryption
  • End-to-end encryption where appropriate
  • Key management systems
  • Secure key storage (hardware security modules where needed)

Secure Data Storage:

  • Encrypted filesystems
  • Secure credential storage
  • Tamper-resistant storage for critical data
  • Secure deletion capabilities
  • Data isolation between users/tenants

Privacy by Design Principles:

  • Data minimization
  • Purpose limitation
  • Storage limitation
  • Privacy-enhancing technologies
  • User control over personal data

GDPR Compliance:

  • Lawful basis for processing
  • Consent mechanisms
  • Right to access, rectification, erasure
  • Data portability
  • Data breach notification (72 hours)

Conformity Assessment Requirements

Essential Requirements

Manufacturers must demonstrate compliance with cybersecurity requirements:

  1. Conduct Cybersecurity Risk Assessment
    • Systematic threat identification
    • Vulnerability analysis
    • Impact assessment
    • Risk prioritization
    • Mitigation planning
  2. Implement Appropriate Security Measures
    • Technical controls (encryption, authentication, etc.)
    • Organizational measures (policies, procedures)
    • Physical security where relevant
    • Supply chain security measures
  3. Create Technical Documentation
    • Security risk assessment report
    • Security architecture documentation
    • Test results and certifications
    • Vulnerability management procedures
    • Update policy documentation
  4. Maintain Documentation for 10 Years
    • Version control
    • Secure storage
    • Accessibility for authorities
    • Update documentation for changes
  5. Affix CE Marking (with Cybersecurity Compliance)
    • CE mark indicates cybersecurity compliance
    • EU Declaration of Conformity includes cybersecurity
    • Reference to cybersecurity standards
    • Notified Body involvement if required

Conformity Assessment Routes

Product cybersecurity risk determines the assessment route:

Route 1: Self-Assessment (Module A)

For lower-risk products (Class I under CRA):

  • Internal security testing: Manufacturer conducts own security evaluation
  • Declaration of Conformity: Self-declaration of compliance
  • Technical documentation: Maintained by manufacturer
  • No third-party required: Unless voluntary certification desired

Suitable for:

  • Basic consumer IoT devices
  • Products with limited connectivity
  • Low-risk data processing
  • Non-critical applications

Route 2: Third-Party Assessment (Various Modules)

For higher-risk products (Class II and Critical under CRA):

  • Notified body involvement: EU-designated cybersecurity certification body
  • Cybersecurity certification: Formal certificate of compliance
  • Regular surveillance audits: Periodic reassessment
  • Ongoing monitoring: Continued oversight during market lifetime

Required for:

  • Products with significant security implications
  • Critical infrastructure components
  • High-risk data processing
  • Security-sensitive applications

Notified Body Activities:

  • Security assessment against standards
  • Penetration testing oversight
  • Documentation review
  • Factory audits if applicable
  • Certificate issuance and maintenance

Documentation Requirements

Cybersecurity Technical File Must Include:

Comprehensive documentation proving cybersecurity compliance:

1. Security Risk Assessment

Threat Identification:

  • External threats (hackers, malware, nation-states)
  • Internal threats (insider threats, misconfiguration)
  • Physical threats (tampering, theft)
  • Supply chain threats (compromised components)

Vulnerability Analysis:

  • Software vulnerabilities
  • Hardware vulnerabilities
  • Configuration weaknesses
  • Protocol and interface vulnerabilities
  • Cryptographic weaknesses

Security Controls Implemented:

  • Preventive controls
  • Detective controls
  • Corrective controls
  • Compensating controls

Residual Risks:

  • Risks accepting after mitigation
  • Justification for acceptance
  • User warnings about residual risks

2. Security Architecture

System Design Documentation:

  • High-level architecture diagrams
  • Component interactions
  • Trust boundaries
  • Security zones

Component Security Analysis:

  • Security properties of each component
  • Trusted vs. untrusted components
  • Security dependencies
  • Third-party component security

Secure Communication Protocols:

  • Protocols used
  • Encryption methods
  • Key exchange mechanisms
  • Certificate management

Authentication Mechanisms:

  • User authentication methods
  • Device authentication
  • Multi-factor authentication
  • Session management

3. Security Testing Reports

Penetration Testing Results:

  • Internal and external testing
  • Web application security testing
  • Network penetration testing
  • Wireless security assessment
  • Findings and remediation

Vulnerability Scanning:

  • Automated vulnerability scans
  • Scan results and analysis
  • False positive elimination
  • Remediation tracking

Compliance Testing:

  • Standard compliance verification
  • Test procedures followed
  • Pass/fail results
  • Deviations and justifications

Third-Party Audit Reports:

  • Independent security assessments
  • Certification body reports
  • Accredited lab test results

4. Vulnerability Handling Process

Disclosure Policy:

  • Coordinated disclosure timeline
  • Responsible disclosure guidelines
  • Researcher acknowledgment policy
  • Embargo periods

Response Procedures:

  • Triage and prioritization
  • Investigation process
  • Patch development workflow
  • Testing before release

Update Deployment Process:

  • Update packaging and signing
  • Distribution channels
  • Staged rollout strategy
  • Monitoring and validation

User Communication Plan:

  • Security advisory templates
  • Customer notification methods
  • Severity classification
  • Recommended actions

5. Supply Chain Security

Component Security Verification:

  • Vendor security questionnaires
  • Component vulnerability tracking
  • Secure supply chain requirements
  • Counterfeit prevention

Supplier Assessments:

  • Security criteria for supplier selection
  • Periodic security audits
  • Incident reporting requirements
  • Contractual security obligations

Software Bill of Materials (SBOM):

  • Complete inventory of software components
  • Open source component tracking
  • Version information
  • Known vulnerability cross-reference

Third-Party Library Management:

  • Library approval process
  • Vulnerability monitoring
  • Update and patching procedures
  • Alternatives evaluation

Key Standards for IoT Security

Relevant international and European standards:

ETSI EN 303 645

Consumer IoT security baseline:

  • 13 provisions for consumer IoT security
  • No default passwords
  • Vulnerability disclosure policy
  • Secure updates
  • Secure data storage and transmission
  • Resilience to outages
  • Security testing documentation

Application: Consumer smart home devices, wearables, connected appliances

IEC 62443

Industrial automation security:

  • Comprehensive security framework
  • Security levels SL1-SL4
  • Network segmentation
  • Access control
  • System integrity
  • Data confidentiality

Application: Industrial IoT, manufacturing automation, SCADA systems

ISO/IEC 27001

Information security management:

  • ISMS framework
  • Risk management approach
  • Security controls catalog
  • Continuous improvement
  • Certification available

Application: Organizational security management, larger IoT deployments

NIST Cybersecurity Framework

Security best practices:

  • Identify, Protect, Detect, Respond, Recover
  • Risk-based approach
  • Widely adopted globally
  • Implementation tiers
  • Profile customization

Application: Comprehensive security program development

Additional Relevant Standards

  • ISO/IEC 27034: Application security
  • ISO/IEC 30141: IoT reference architecture
  • IEC 62351: Power systems cybersecurity
  • ISO 21434: Automotive cybersecurity
  • IEC 81001-5-1: Health software security

Support Periods and Updates

Mandatory security support obligations:

Minimum Support Period

Based on Product Lifetime:

  • Consumer devices: 3-5 years minimum (CRA proposal)
  • Industrial equipment: 10+ years typical
  • Critical infrastructure: Product operational lifetime
  • Automotive: Vehicle lifetime (10-15 years)

Factors determining support period:

  • Expected product lifespan
  • Industry practices
  • Product price point
  • Safety criticality
  • Regulatory requirements

Support Period Communication

Clearly Communicated End-of-Support Date:

  • Specified at time of sale
  • Prominent display on packaging and documentation
  • Available on manufacturer website
  • Advance notice before EOL

During Support Period

Security Updates Throughout Support Period:

  • Regular security patches
  • Critical vulnerability fixes within days
  • Compatibility maintenance
  • No degradation of security features

Vulnerability Disclosure Even After EOL:

  • Continue to disclose discovered vulnerabilities
  • Provide mitigation guidance if patches not available
  • Recommend product replacement if necessary

Extended Support Options

  • Paid extended support programs
  • Enterprise extended support agreements
  • Open source community takeover possibilities
  • Responsible EOL guidance

Penalties for Non-Compliance

Significant enforcement provisions ensure compliance:

Financial Penalties

Under proposed Cyber Resilience Act:

  • Fines up to €15 million or 2.5% of global annual turnover (whichever is higher)
  • Proportionate to infringement severity
  • Repeated violations face increased penalties
  • Intentional non-compliance more severely penalized

Administrative Measures

Product Recalls:

  • Mandatory recall of non-compliant products
  • Manufacturer bears all costs
  • Logistics and customer communication
  • Disposal of recalled products

Market Withdrawal Orders:

  • Ban on placing products on market
  • Removal of products from distribution channels
  • Stop sale and distribution immediately
  • May affect entire product lines

Prohibition of Market Placement:

  • Temporary or permanent market bans
  • Affects future products if systematic non-compliance
  • Applies across entire EU market

Reputational Damage

Beyond formal penalties:

  • Public disclosure of non-compliance
  • Loss of customer trust
  • Competitive disadvantage
  • Brand value erosion
  • Reduced market share

Criminal Liability

In severe cases:

  • Personal liability for management
  • Criminal prosecution possible
  • Imprisonment for egregious violations
  • Applies when safety endangered

Common Cybersecurity Compliance Challenges

Manufacturers face several obstacles:

1. Legacy Products

Challenge: Updating older products to meet new requirements
Solutions:

  • Assess retrofit feasibility vs. replacement
  • Phased security improvement programs
  • Limited update capability for very old products
  • Clear EOL communication to customers

2. Resource Constraints

Challenge: Small manufacturers lacking security expertise
Solutions:

  • Outsource security assessments
  • Use security-focused development frameworks
  • Leverage AI-powered compliance tools
  • Join industry consortiums for shared resources

3. Supply Chain Complexity

Challenge: Ensuring component and software security across complex supply chains
Solutions:

  • Implement vendor security requirements
  • Use SBOM tools
  • Continuous vulnerability monitoring
  • Contractual security obligations

4. Update Infrastructure

Challenge: Building secure, reliable update mechanisms
Solutions:

  • Use proven update frameworks
  • Cloud-based update services
  • Cryptographic signing of updates
  • Staged rollout capabilities
  • Automated testing before deployment

5. Documentation Burden

Challenge: Creating and maintaining comprehensive security documentation
Solutions:

  • Document security from day one
  • Use templates and automation tools
  • Integrate documentation with development
  • AI-powered documentation assistance

How to Achieve Cybersecurity Compliance

Systematic approach to meeting requirements:

Step 1: Security Assessment

Comprehensive Security Risk Assessment:

  • Engage security experts
  • Use recognized methodologies (STRIDE, PASTA)
  • Document all threats and vulnerabilities
  • Prioritize risks
  • Create risk treatment plan

Step 2: Implement Security Controls

Apply Appropriate Technical and Organizational Measures:

  • Follow security by design principles
  • Implement defense in depth
  • Use proven security technologies
  • Establish security policies and procedures
  • Train development and operations teams

Step 3: Security Testing

Perform Penetration Testing and Vulnerability Assessments:

  • Engage ethical hackers
  • Use automated security testing tools
  • Conduct code reviews
  • Test all interfaces and protocols
  • Verify security controls effectiveness

Step 4: Documentation

Create Detailed Cybersecurity Technical Documentation:

  • Comprehensive security architecture
  • Risk assessment reports
  • Test results and certificates
  • Vulnerability management procedures
  • Update policies

Step 5: Conformity Assessment

Complete Self-Assessment or Engage Notified Body:

  • Determine appropriate route
  • Select accredited certification body if needed
  • Prepare technical file
  • Undergo assessment
  • Obtain certification

Step 6: Ongoing Monitoring

Establish Vulnerability Management and Update Processes:

  • Continuous vulnerability scanning
  • Security monitoring
  • Patch management system
  • Incident response capability
  • Regular security assessments

How AI Can Streamline Cybersecurity Compliance

AI-powered compliance platforms offer significant advantages:

Automated Capabilities

  • Automatically identify applicable security requirements: Based on product type and characteristics
  • Generate security documentation templates: Pre-filled with product information
  • Track vulnerability disclosure obligations: Monitor deadlines and requirements
  • Monitor for security standard updates: Alert to new versions and changes
  • Manage update deployment schedules: Coordinate patches across product portfolio
  • Maintain security assessment records: Organize and version control documentation

Benefits

  • 60-70% reduction in compliance documentation time
  • Improved consistency and completeness
  • Automated regulatory change tracking
  • Integration with development tools
  • Centralized compliance management

Preparing for the Cyber Resilience Act

Though not yet fully in force, proactive preparation is essential:

Immediate Actions

  1. Review Proposed CRA Requirements
    • Understand product classification (Class I, II, or Critical)
    • Identify applicable essential requirements
    • Compare with current security measures
  2. Assess Current Product Security Posture
    • Conduct security audit
    • Identify vulnerabilities
    • Evaluate update mechanisms
    • Review vulnerability handling process
  3. Identify Compliance Gaps
    • Compare current state to CRA requirements
    • Prioritize gaps by risk and effort
    • Create gap closure roadmap
  4. Plan Security Improvements
    • Design secure update system if lacking
    • Implement vulnerability management process
    • Enhance security testing
    • Improve security documentation
  5. Budget for Certification Costs
    • Estimate testing and certification expenses
    • Plan for ongoing surveillance costs
    • Include consultant and tool costs
    • Account for product redesign if needed
  6. Train Development Teams on Security
    • Secure coding practices
    • Threat modeling
    • Security testing methods
    • Compliance requirements

Ongoing Preparedness

  • Monitor CRA legislative progress
  • Engage with industry associations
  • Participate in standard development
  • Build security culture within organization

Resources for IoT Cybersecurity

Valuable resources for compliance:

Official Sources

  • ENISA IoT Security Guidelines: Comprehensive baseline for IoT security
  • ETSI EN 303 645 Standard: Consumer IoT security specification
  • NIST IoT Security Recommendations: Framework and best practices
  • IEC 62443 Industrial Security Standards: Industrial automation security
  • EU Cybersecurity Certification Schemes: Official certification frameworks

Industry Organizations

  • IoT Security Foundation
  • Cloud Security Alliance (IoT Working Group)
  • Industrial Internet Consortium
  • OWASP Internet of Things Project

Tools and Platforms

  • Vulnerability scanning tools
  • SBOM generation tools
  • Security testing frameworks
  • Compliance management platforms
  • AI-powered security assistants

Conclusion

Cybersecurity compliance for IoT devices is becoming mandatory in the EU. The combination of the Cybersecurity Act, proposed Cyber Resilience Act, and other regulations creates comprehensive security requirements that manufacturers must meet.

Stay ahead of evolving cybersecurity requirements with proactive compliance strategies, robust security practices, and AI-powered assistance. Early preparation, systematic implementation, and ongoing vigilance are keys to successful cybersecurity compliance in the connected device era.

The regulatory landscape is shifting toward mandatory, enforceable cybersecurity requirements. Manufacturers who embrace security by design, establish strong vulnerability management, and maintain comprehensive documentation will be best positioned for success in the evolving regulatory environment.

Related Articles

Understanding CE Marking Requirements in 2025: A Complete Guide
Compliance Guides
Understanding CE Marking Requirements in 2025: A Complete Guide
How to Prepare a Declaration of Conformity (DoC) in 2025
How-to Guides
How to Prepare a Declaration of Conformity (DoC) in 2025
How to Conduct a Risk Assessment for CE Marking: Step-by-Step Guide
How-to Guides
How to Conduct a Risk Assessment for CE Marking: Step-by-Step Guide