The Internet of Things on AWS – Official Blog
AWS IoT Services Alignment with the European Union Cyber Resilience Act (EU CRA)
Introduction
In today’s digital world, Internet of Things (IoT) security and compliance requirements continue to evolve. The European Union’s Cyber Resilience Act (CRA) is reshaping how IoT manufacturers, developers, and service providers approach their work. Let’s explore what this means for AWS IoT customers and manufacturers using connected devices.
Understanding the CRA’s impact
The CRA was enacted on December 10, 2024, and its requirements begin to go into effect in September 2026 (for vulnerability reporting obligations) and December 2027 (full compliance). The CRA requires comprehensive cybersecurity for products with digital elements. This act aims to address the growing risks associated with the digitalization of hardware and software and the rising number of cyberattacks targeting connected devices.
Historically, many consumer and industrial IoT products were developed without adequate security controls. Now, through its security-by-design and security-by-default requirements, the CRA helps to ensure a higher level of trust, resilience, and accountability throughout the product lifecycle.
What is the CRA?
Regulation (EU) 2024/2847, also titled the Cyber Resilience Act, is a regulation of the European Union that introduces EU-wide cybersecurity requirements for “products with digital elements,” hardware or software “intended for connection to a device or network” and made available within the EU. The CRA includes “essential cybersecurity requirements” for the design and development of products with digital elements and for a manufacturer’s processes. It also includes required vulnerability reporting obligations when a product with digital elements is experiencing a “severe incident” or “actively exploited vulnerability.”
In addition to the broad category of products with digital elements, the CRA also describes additional requirements for “important” products with digital elements and “critical” products with digital elements. Manufacturers should look to the CRA to determine what steps are needed to comply based on the type of product with digital elements they offer in the EU.
Planning for CRA Compliance for IoT Manufacturers
AWS provides a comprehensive suite of services that can help IoT manufacturers implement measures needed to address the CRA’s essential cybersecurity requirements across all product categories.
Planning for compliance
AWS IoT services offer solutions to help meet the CRA requirements across different product classifications while manufacturers prepare for the CRA’s implementation timeline.
Security requirements:
- Use AWS IoT Core with X.509 certificates for authentication and access control.
- Implement TLS 1.2 encryption for data in transit with AWS IoT Core.
- Enable AWS IoT policies for access control and data protection.
- Use AWS IoT Device Defender for monitoring and security assessment.
- Implement AWS IoT Device Management for secure updates.
Vulnerability handling requirements:
- Use AWS Security Hub and Amazon Detective for vulnerability detection.
- Implement Amazon EventBridge for incident workflow automation.
- Use AWS IoT Device Defender for continuous security monitoring.
- Store vulnerability and incident data in Amazon Security Lake for documentation.
Implementation example: Smart Thermostat (Class I important product)
Securely implementing a smart thermostat as a Class I product under the EU CRA begins with its design and development. AWS customers can use AWS IoT Core’s Just-in-Time Registration (JITR) for secure provisioning, with certificate management handled either by AWS Certificate Manager or directly by AWS IoT Core when using certificates managed by AWS IoT. Access control can be enforced through AWS IoT policies to ensure proper authorization.
Data protection is implemented through multiple security layers. AWS IoT Core enforces TLS 1.2 encryption for secure data transmission while strict topic access controls govern data access. In addition, AWS IoT Device Defender provides continuous security monitoring to detect and prevent potential threats.
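The “strict topic access controls” mentioned above are expressed as AWS IoT policies attached to each device certificate. The following is an added example written for this article, not code from the original post or from AWS. It places an over-permissive policy (any action on any resource) beside a least-privilege thermostat policy scoped to the connecting device through the real `${iot:Connection.Thing.ThingName}` policy variable, adds a review check that flags wildcard or unscoped Allow statements, and includes a simplified offline evaluator that shows one device cannot publish to another device’s topic. The region, account ID, thing names and topic layout are constructed for the example.

```python
import fnmatch
import json

# Constructed sample values (hypothetical region, account and thing names; not from the post).
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
THING_VAR = "${iot:Connection.Thing.ThingName}"  # real AWS IoT policy variable: the connecting thing's name


def iot_arn(resource_type, name):
    """Build an AWS IoT resource ARN such as arn:aws:iot:<region>:<account>:topic/<name>."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:{resource_type}/{name}"


# Weak setting: any device holding any valid certificate may do anything to any resource.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def thermostat_policy():
    """Least-privilege policy: each device may only use its own client ID, its own
    telemetry/command topics and its own device shadow. AWS IoT substitutes the
    policy variable with the thing attached to the certificate at evaluation time."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": iot_arn("client", THING_VAR),
                # Only certificates attached to a registered thing may connect.
                "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}},
            },
            {
                "Effect": "Allow",
                "Action": "iot:Publish",
                "Resource": [
                    iot_arn("topic", f"thermostat/{THING_VAR}/telemetry"),
                    iot_arn("topic", f"$aws/things/{THING_VAR}/shadow/update"),
                ],
            },
            {
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": iot_arn("topicfilter", f"thermostat/{THING_VAR}/commands"),
            },
            {
                "Effect": "Allow",
                "Action": "iot:Receive",
                "Resource": iot_arn("topic", f"thermostat/{THING_VAR}/commands"),
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Review check: flag Allow statements with wildcard actions, wildcard resources,
    or resources not scoped to the connecting identity by an ${iot:...} variable."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings.append((index, f"wildcard action {action}"))
        for resource in _as_list(stmt["Resource"]):
            if "*" in resource:
                findings.append((index, f"wildcard resource {resource}"))
            elif "${iot:" not in resource:
                findings.append((index, f"resource not scoped to the connecting device: {resource}"))
    return findings


def is_allowed(policy, action, resource_arn, thing_name):
    """Simplified evaluation: substitute the thing-name variable, then apply the
    explicit-deny-wins rule. Condition blocks are ignored in this simulation."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = [r.replace(THING_VAR, thing_name) for r in _as_list(stmt["Resource"])]
        if not (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in resources)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(thermostat_policy(), indent=2))
    print("permissive policy findings:", find_overbroad_statements(PERMISSIVE_POLICY))
    print("thermostat policy findings:", find_overbroad_statements(thermostat_policy()))
```

Running the check over the permissive policy reports its wildcard action and resource; the thermostat policy passes, and the evaluator confirms that thing `t-0042` may publish to its own telemetry topic but not to `t-0043`’s. The same check can be run in a CI step against every policy document before it is attached to production certificates.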
Customers can use AWS IoT Device Management to manage the device lifecycle through the required 5-year minimum support period. This includes maintaining device security through secure over-the-air (OTA) updates with signed firmware and tracking software states to maintain version control.
AWS IoT Device Defender can help customers perform continuous security metric monitoring, while Amazon EventBridge can enable customers to implement automated incident detection. Amazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) can enable customers to set up security alerts. Customers can use AWS Lambda to implement automated remediation actions, which could include certificate revocation or device quarantine when security issues are detected.
Amazon EventBridge can help customers create a structured approach to incident reporting with notification workflows. Customers can also use Amazon Security Lake for comprehensive record-keeping and secure documentation storage.
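The two paragraphs above describe one pipeline: a Device Defender violation is delivered through EventBridge, a Lambda function decides on a remediation, and the outcome is recorded. The following is an added example written for this article, not code from the original post or from AWS. It is a Lambda handler whose decision logic is pure (so it can be tested offline) and whose remediation step calls the boto3 `iot` client methods `list_thing_principals`, `update_certificate`, `attach_policy` and `add_thing_to_thing_group`. The behavior names, the `DenyAllQuarantine` policy, the `quarantine` thing group and the sample event are constructed; the violation field names are assumed to follow the shape of Device Defender’s violation notifications.

```python
# Constructed names for this example (hypothetical; the policy and group must pre-exist in the account).
QUARANTINE_GROUP = "quarantine"           # thing group used for quarantined devices
QUARANTINE_POLICY = "DenyAllQuarantine"   # IoT policy with an explicit Deny on all actions

# Operator-chosen mapping from Device Defender behavior name to remediation.
REMEDIATION_BY_BEHAVIOR = {
    "auth-failures-spike": "revoke",          # credential likely compromised: revoke the certificate
    "unexpected-message-volume": "quarantine",
    "disallowed-ip": "quarantine",
}

# Constructed sample event: an EventBridge envelope carrying one violation notification.
SAMPLE_EVENT = {
    "source": "custom.devicedefender",
    "detail-type": "ViolationNotification",
    "detail": {
        "violationEventType": "in-alarm",
        "thingName": "thermostat-0042",
        "securityProfileName": "thermostat-baseline",
        "behavior": {"name": "auth-failures-spike", "metric": "aws:num-authorization-failures"},
        "metricValue": {"count": 37},
    },
}


def decide_action(violation):
    """Return 'revoke', 'quarantine' or 'none' for one violation notification."""
    if violation.get("violationEventType") != "in-alarm":
        return "none"  # alarm-cleared and similar events never trigger remediation
    behavior = violation.get("behavior", {}).get("name", "")
    return REMEDIATION_BY_BEHAVIOR.get(behavior, "none")


def certificate_id_from_arn(cert_arn):
    """arn:aws:iot:<region>:<account>:cert/<id> -> <id>"""
    return cert_arn.rsplit("/", 1)[1]


def remediate(iot, thing_name, action):
    """Apply the chosen action using an AWS IoT client; returns the steps taken."""
    taken = []
    if action == "none":
        return taken
    principals = iot.list_thing_principals(thingName=thing_name)["principals"]
    certs = [p for p in principals if ":cert/" in p]
    if action == "revoke":
        for cert_arn in certs:
            iot.update_certificate(certificateId=certificate_id_from_arn(cert_arn), newStatus="REVOKED")
            taken.append(("revoke", cert_arn))
    elif action == "quarantine":
        for cert_arn in certs:
            # An explicit Deny in the attached policy overrides the device's existing Allows.
            iot.attach_policy(policyName=QUARANTINE_POLICY, target=cert_arn)
            taken.append(("deny_policy", cert_arn))
        iot.add_thing_to_thing_group(thingGroupName=QUARANTINE_GROUP, thingName=thing_name)
        taken.append(("thing_group", QUARANTINE_GROUP))
    return taken


def handler(event, context=None, iot=None):
    """Lambda entry point: accepts an EventBridge envelope (violation in 'detail') or a raw violation."""
    violation = event.get("detail", event)
    action = decide_action(violation)
    if iot is None and action != "none":
        import boto3  # imported lazily so the decision logic runs without boto3 installed
        iot = boto3.client("iot")
    taken = remediate(iot, violation.get("thingName", ""), action) if action != "none" else []
    # The returned record is what a downstream EventBridge rule would forward to Security Lake.
    return {"thingName": violation.get("thingName"), "action": action, "taken": taken}


class RecordingIotClient:
    """Offline stand-in for boto3's 'iot' client: records calls and returns canned principals."""

    def __init__(self, principals_by_thing):
        self.principals_by_thing = principals_by_thing
        self.calls = []

    def list_thing_principals(self, thingName):
        self.calls.append(("list_thing_principals", thingName))
        return {"principals": self.principals_by_thing.get(thingName, [])}

    def update_certificate(self, certificateId, newStatus):
        self.calls.append(("update_certificate", certificateId, newStatus))

    def attach_policy(self, policyName, target):
        self.calls.append(("attach_policy", policyName, target))

    def add_thing_to_thing_group(self, thingGroupName, thingName):
        self.calls.append(("add_thing_to_thing_group", thingGroupName, thingName))


if __name__ == "__main__":
    fake = RecordingIotClient({"thermostat-0042": ["arn:aws:iot:eu-west-1:123456789012:cert/abc123"]})
    print(handler(SAMPLE_EVENT, iot=fake))
    print(fake.calls)
```

Keeping `decide_action` separate from the client calls lets the behavior-to-action table be unit-tested and reviewed without AWS credentials, and the returned record gives the incident-reporting workflow a structured artifact (thing, action, steps taken) to retain as evidence.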
Looking ahead: The impact of CRA on IoT security
AWS IoT customers must review the CRA to determine their compliance obligations under the Act. The CRA also creates a strategic opportunity to enhance security practices and build stronger trust with end-users through certified compliance measures.
The regulation excludes specific domains that already have comprehensive regulatory frameworks. For example, medical devices fall under the Medical Devices Regulation (MDR), while automotive systems follow Regulation (EU) 2019/2144. The CRA covers products with digital elements at a broader level. This broad scope demonstrates how the regulation will shape the future of IoT security and product development.
Organizations leveraging AWS IoT solutions should view CRA compliance as an investment in product quality and market competitiveness. CRA standards will help establish more secure and reliable IoT products, which will benefit both manufacturers and consumers while raising the bar for IoT security across the industry.
Conclusion
As manufacturers face new cybersecurity challenges under the CRA, AWS IoT services can help deliver the security foundation they need. These services combine built-in security features, automated monitoring, and comprehensive documentation to help manufacturers meet CRA requirements with confidence. By implementing AWS IoT’s security-first approach, manufacturers can transform regulatory compliance from a challenge into a competitive advantage.
As you prepare for the 2027 implementation deadline, early adoption of these AWS IoT security features can help establish the necessary infrastructure for compliance with the CRA’s essential requirements, vulnerability handling processes, and incident reporting obligations. This proactive approach not only supports regulatory compliance but also enhances overall product security and customer trust in the increasingly connected digital marketplace.
Important reminder: While AWS services can help implement technical controls, you as the customer are solely responsible for ensuring full compliance with all EU CRA requirements including proper product classification, conformity assessment procedures, and ongoing maintenance of required documentation. Importantly, even if your products don’t fall within specific categories, you may still need to comply with the EU CRA regulation, and you must carefully review the law to understand how it applies to your specific use cases.
Related links
To learn more about the technologies or features used in this blog, explore the following pages:
- AWS IoT Security Best Practices
- European Union Cyber Resilience Act Overview
- AWS IoT Zero Trust workshop
- Internet of Things (IoT) Lens
- AWS IoT Greengrass for Edge Compliance
- AWS Compliance programs
- AWS Security Hub
- AWS Audit Manager
- AWS Security Best Practices
- AWS Security Checklist
- AWS Well-Architected Framework – Security Pillar
- AWS Cloud Adoption Framework – Security Perspective
- Encrypting Data at Rest
- Setup Just-in-Time Provisioning with AWS IoT Core
- Get started with AWS IoT workshop
- AWS IoT Greengrass workshop
- Regulation of European Parliament on horizontal cybersecurity requirements for products with digital elements
- US Cyber Trust Mark for US market
- UNECE WP.29 and AWS IoT for connected vehicle cybersecurity
