Do all smart home devices fall under the CRA?

Yes, virtually all connected consumer products fall under the CRA if they contain software and have a direct or indirect network connection. This includes smart home devices, connected appliances, wearables, and smart toys.

How often must firmware updates be provided for IoT devices?

The CRA does not prescribe a fixed update frequency. However, security updates must be provided promptly after a vulnerability becomes known. Manufacturers must also demonstrate a secure update infrastructure.

What role does cloud connectivity play in CRA compliance?

Cloud services required for the core functionality of the IoT device are considered part of the product. The security of cloud interfaces, data storage, and authentication must be addressed in the CRA documentation.

How does Kunnus help with the large number of different product variants?

Kunnus enables the definition of product families with shared base components. Variant-specific differences are mapped as modules. This allows SBOMs and risk assessments to be managed efficiently across the entire portfolio.

All Industries

IoT & Connected Consumer Products

Connected consumer products are at the heart of the Cyber Resilience Act. Smart home devices, wearables, and connected appliances process sensitive user data and are permanently connected to the internet. The CRA demands security by default, regular updates, and transparent vulnerability communication from manufacturers.

Start CRA Assessment Now

CRA Relevance for IoT Consumer Products

Connected consumer products are one of the primary targets of the Cyber Resilience Act. Their widespread adoption, permanent connectivity, and handling of personal data make them a critical product category.

WiFi and Bluetooth-enabled devices are permanently exposed and must provide secure default configurations out of the box
Cloud connections require secure authentication and encrypted data transmission as a CRA baseline requirement
Firmware updates must be delivered securely and provided throughout the entire product lifecycle
Personal data on IoT devices requires special protection measures at the intersection of CRA and GDPR
The high volume of connected consumer products multiplies risk: every vulnerability potentially affects millions of devices

Compliance Challenges for IoT Consumer Products

Massive Product Portfolios with Short Cycles

IoT manufacturers frequently launch new product generations. For each generation, SBOMs must be created, vulnerabilities monitored, and updates provided, including for older products still in use.

Heterogeneous Software Stacks

IoT devices combine embedded firmware, RTOS, open-source libraries, and cloud backend services. Creating a complete SBOM across all layers requires specialized tools.

Secure Update Mechanisms

Over-the-air updates must be tamper-proof, reliable, and reversible. The CRA requires signed updates and a secure update infrastructure.

Consumer Communication on Vulnerabilities

When vulnerabilities are discovered, end consumers must be informed and updates provided. CRA reporting obligations require clear processes and fast response times.

How Kunnus Helps IoT Manufacturers

Product Portfolio Management

Manage all product generations, firmware versions, and variants in a central platform. Kunnus maintains an overview of the compliance status of every single product.

Multi-Layer SBOM Generation

Kunnus captures software components across all layers: firmware, operating system, libraries, and cloud services. This creates a complete picture of the software composition.

Automated CVE Monitoring

As soon as a new vulnerability is disclosed, Kunnus automatically checks all affected products in your portfolio and prioritizes the required actions by risk level.

Compliance Reporting and Notification Duties

Generate CRA-compliant reports and prepare vulnerability notifications. Kunnus supports you in meeting the 24-hour reporting obligation to ENISA.

Explore All Features

Frequently Asked Questions

Common questions about CRA compliance in this industry.

Check Your IoT Products' CRA Readiness

Find out how well your connected consumer products are prepared for the Cyber Resilience Act and where action is needed.

Start CRA Assessment Now

IoT & Connected Consumer Products