The Global Influence of the EU’s Cyber Resilience Act on IoT Security

The Cyber Resilience Act (CRA) is an EU regulation aimed at strengthening the cybersecurity of digital products. The CRA is poised to be as influential as the EU’s General Data Protection Regulation (GDPR), which reshaped data privacy standards globally, and is expected to change how manufacturers worldwide approach security. By requiring that current best practice becomes the minimum standard, the CRA sets clear obligations for any business supplying digital products to the EU market.

A History of IoT Security Gaps

In 2015, researchers demonstrated how a Jeep Cherokee’s Uconnect infotainment system could be remotely accessed, allowing control over steering and braking. The industry responded by implementing network segmentation, preventing unauthorised communication between different vehicle systems. In 2016, the Mirai botnet attack exploited weak passwords in connected devices to launch large-scale DDoS attacks, disrupting internet services. More recently, in 2023, the MOVEit Transfer attack showed how vulnerabilities in widely used software can affect entire supply chains. These incidents have reinforced the need for consistent security requirements across IoT and software products.

Why the CRA is Significant

The CRA requires manufacturers to integrate security into product design, provide ongoing vulnerability management, and improve supply chain transparency through Software Bills of Materials (SBOMs). Unlike previous guidelines, these measures are now legal requirements, with significant penalties for non-compliance. The regulation applies to all digital products sold in the EU, meaning global manufacturers must align with its standards if they want to continue operating in the region.

A Global Impact

GDPR led many companies outside the EU to adopt stronger data protection measures to ensure compliance. The CRA is expected to have a similar effect on cybersecurity. International manufacturers will either apply CRA-level security globally or create separate product lines, which can be inefficient. Governments in other regions may also look to the CRA when shaping their own cybersecurity policies, further extending its influence.

A Shift in Cybersecurity Regulation

The CRA represents a move towards enforceable security obligations rather than voluntary guidelines. By setting a clear baseline for security, it establishes a model that could drive further regulation worldwide. Businesses that prepare for these requirements now will be positioned to meet both EU and future international standards. As cybersecurity expectations evolve, the CRA is likely to shape the approach to digital product security far beyond Europe.

Matthew Duke-Woolley, Analyst, Beecham Research
