AWS IoT Services Alignment with the European Union Cyber Resilience Act (EU CRA)
SOURCE: AWS.AMAZON.COM
DEC 24, 2025
by Syed Rehan on 24 DEC 2025 in AWS IoT Core, AWS IoT Device Defender, AWS IoT Greengrass, Best Practices, Business Intelligence, Customer Solutions, Europe, Regions, Security, Security & Governance, Technical How-to, Thought Leadership
In today’s digital world, Internet of Things (IoT) security and compliance continue to evolve. The European Union’s Cyber Resilience Act (CRA) is reshaping how IoT manufacturers, developers, and service providers approach their work. Let’s explore what this means for AWS IoT customers and manufacturers using connected devices.
The CRA was enacted on December 10, 2024, and its requirements begin to go into effect in September 2026 (for vulnerability reporting obligations) and December 2027 (full compliance). The CRA requires comprehensive cybersecurity for products with digital elements. This act aims to address the growing risks associated with the digitalization of hardware and software and the rising number of cyberattacks targeting connected devices.
Historically, many consumer and industrial IoT products were developed without adequate security controls. Now, through its security-by-design and security-by-default requirements, the CRA helps to ensure a higher level of trust, resilience, and accountability throughout the product lifecycle.
Regulation (EU) 2024/2847, also titled the Cyber Resilience Act, is a regulation of the European Union that introduces EU-wide cybersecurity requirements for “products with digital elements,” hardware or software “intended for connection to a device or network” and made available within the EU. The CRA includes “essential cybersecurity requirements” for the design and development of products with digital elements and for a manufacturer’s processes. It also includes required vulnerability reporting obligations when a product with digital elements is experiencing a “severe incident” or “actively exploited vulnerability.”
In addition to a broad category of product with digital elements, the CRA also describes additional requirements for “important” products with digital elements, and “critical” products with digital elements. Manufacturers should look to the CRA to determine what steps are needed to comply with the CRA based on the type of product with digital elements they offer in the EU.
AWS provides a comprehensive suite of services that can help IoT manufacturers implement measures needed to address the CRA’s essential cybersecurity requirements across all product categories.
AWS IoT services offer solutions to help meet the CRA requirements across different product classifications while manufacturers prepare for the CRA’s implementation timeline.
Securely implementing a smart thermostat as a Class I product under the EU CRA begins with its design and development. AWS customers can use AWS IoT Core’s just-in-time registration (JITR) for secure provisioning, while using AWS Certificate Manager to handle certificate management or AWS IoT Core directly when using certificates managed by AWS IoT. Access control can be enforced through AWS IoT policies to ensure proper authorization.
Data protection is implemented through multiple security layers. AWS IoT Core enforces TLS 1.2 encryption for secure data transmission while strict topic access controls govern data access. In addition, AWS IoT Device Defender provides continuous security monitoring to detect and prevent potential threats.
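The following is an added example, not code from the original post or from AWS: a small linter that checks whether an AWS IoT policy for the thermostat scenario above binds each device to its own client ID and topics. The topic layout `thermostat/<thingName>/...`, the region, the placeholder account ID, and the function names are assumptions made for illustration.

```python
import re
# Policy variable that AWS IoT Core resolves to the connecting device's thing name.
THING_VAR = "${iot:Connection.Thing.ThingName}"
MQTT_ACTIONS = {"iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"}
WILDCARD_ACTIONS = {"*", "iot:*"}
# Constructed ARN prefix: example region and placeholder account ID.
ARN = "arn:aws:iot:eu-west-1:123456789012:"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_iot_policy(policy):
    """Return findings for Allow statements not scoped to the connecting device."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        for action in sorted(actions & WILDCARD_ACTIONS):
            findings.append(f"statement {i}: wildcard action {action}")
        if not actions & (MQTT_ACTIONS | WILDCARD_ACTIONS):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            # Capture the resource type and the path that follows it in the ARN.
            m = re.search(r":(client|topic|topicfilter)/(.*)$", res)
            if m is None:
                findings.append(f"statement {i}: resource {res} is not a scoped IoT ARN")
            elif THING_VAR not in m.group(2):
                findings.append(f"statement {i}: {m.group(1)} {res} is not bound to the thing name")
    return findings

def _allow(action, resource):
    return {"Effect": "Allow", "Action": action, "Resource": resource}

# Constructed sample: fleet-wide policy that lets any device use any topic.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    _allow("iot:Connect", "*"),
    _allow(["iot:Publish", "iot:Receive"], ARN + "topic/thermostat/*"),
]}
# Constructed sample: each thermostat may only use its own client ID and topics.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    _allow("iot:Connect", ARN + "client/" + THING_VAR),
    _allow("iot:Publish", ARN + f"topic/thermostat/{THING_VAR}/telemetry"),
    _allow("iot:Subscribe", ARN + f"topicfilter/thermostat/{THING_VAR}/commands"),
    _allow("iot:Receive", ARN + f"topic/thermostat/{THING_VAR}/commands"),
]}
if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_iot_policy(pol) or "no findings")
```

A check like this fits in a CI step that runs before policies are attached to device certificates.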
Customers can use AWS IoT Device Management to manage the device lifecycle through the required 5-year minimum support period. This includes maintaining device security through secure over-the-air (OTA) updates with signed firmware and tracking software states to maintain version control.
AWS IoT Device Defender can help customers perform continuous security metric monitoring while Amazon EventBridge can enable customers to implement automated incident detection. AWS CloudWatch and Amazon Simple Notification Service (Amazon SNS) can enable customers to set up security alerts. Customers can use AWS Lambda to implement automated remediation actions, which could include certificate revocation or device quarantine when security issues are detected.
Amazon EventBridge can help customers structure incident reporting with notification workflows. Customers can also use Amazon Security Lake for comprehensive record-keeping and secure documentation storage.
AWS IoT customers must review the CRA to determine their compliance obligations under the Act. The CRA also creates a strategic opportunity to enhance security practices and build stronger trust with end-users through certified compliance measures.
The regulation excludes specific domains that already have comprehensive regulatory frameworks. For example, medical devices fall under the Medical Devices Regulation (MDR), while automotive systems follow (EU) 2019/2144 standards. The CRA covers products with digital elements at a broader level. This broad scope demonstrates how the regulation will shape the future of IoT security and product development.
Organizations leveraging AWS IoT solutions should view CRA compliance as an investment in product quality and market competitiveness. CRA standards will help establish more secure and reliable IoT products, which will benefit both manufacturers and consumers while raising the bar for IoT security across the industry.
As manufacturers face new cybersecurity challenges under the CRA, AWS IoT services can help deliver the security foundation they need. These services combine built-in security features, automated monitoring, and comprehensive documentation to help manufacturers meet CRA requirements with confidence. By implementing AWS IoT’s security-first approach, manufacturers can transform regulatory compliance from a challenge into a competitive advantage.
As you prepare for the 2027 implementation deadline, early adoption of these AWS IoT security features can help establish the necessary infrastructure for compliance with the CRA’s essential requirements, vulnerability handling processes, and incident reporting obligations. This proactive approach not only supports regulatory compliance but also enhances overall product security and customer trust in the increasingly connected digital marketplace.
Important reminder: While AWS services can help implement technical controls, you as the customer are solely responsible for ensuring full compliance with all EU CRA requirements including proper product classification, conformity assessment procedures, and ongoing maintenance of required documentation. Importantly, even if your products don’t fall within specific categories, you may still need to comply with the EU CRA regulation, and you must carefully review the law to understand how it applies to your specific use cases.