The Internet of Things on AWS – Official Blog

AWS IoT Services Alignment with the European Union Cyber Resilience Act (EU CRA)

Introduction

In today’s digital world, Internet of Things (IoT) security and compliance continues to evolve. The European Union’s Cyber Resilience Act (CRA) is reshaping how IoT manufacturers, developers, and service providers approach their work. Let’s explore what this means for AWS IoT customers and manufacturers using connected devices.

Understanding the CRA’s impact

The CRA, enacted on December 10, 2024 (its vulnerability reporting obligations will not apply before Sep 2026, and full compliance is not required before Dec 2027), requires comprehensive cybersecurity for products with digital elements. The act aims to address the growing risks associated with the digitalization of physical products (as well as software) and the rising number of cyberattacks targeting connected devices.

Historically, many consumer and industrial IoT products were developed without adequate security controls. Now, through its security-by-design and security-by-default requirements, the CRA helps to ensure a higher level of trust, resilience, and accountability throughout the product lifecycle.

CRA product categorization

Let’s look at the official regulation document for EU CRA based on ANNEX III and IV of Regulation (EU) 2024/2847. Instead of “low-risk” vs “critical,” the CRA classifies products with digital elements based on their cybersecurity-related functionality and level of risk.

The classification system includes:

  1. Important products with digital elements (Annex III):
    • Class I products
    • Class II products
  2. Critical products with digital elements (Annex IV)

This classification reflects the products’ cybersecurity-related functions and their potential risk, based on the intensity of their use and their ability to disrupt, control, or damage other products or users’ health, security, or safety. Products that do not fall under any of these categories still need to comply with the regulation; you should review the law (EU CRA) and understand how it applies to your use cases.

For example (not an exhaustive list):

  • Class I products:
    • Network management systems
    • Public key infrastructure and digital certificate issuance software
    • Physical and virtual network interfaces
    • Routers, modems intended for internet connection, and switches
    • Microprocessors with security-related functionalities
    • Microcontrollers with security-related functionalities
    • Smart home general purpose virtual assistants
    • Smart home products with security functionalities
    • Internet connected toys with social interactive or location tracking features
    • Personal wearable products with specific characteristics
  • Class II products:
    • Hypervisors and container runtime systems
    • Firewalls and intrusion detection and prevention systems
    • Tamper-resistant microprocessors
    • Tamper-resistant microcontrollers
  • Critical products with digital elements:
    • Hardware devices with security boxes
    • Smart meter gateways within smart metering systems and other devices for advanced security purposes
    • Smartcards or similar devices, including secure elements

Key implications for manufacturers of products with digital elements

Referring to the official regulation document for EU CRA, let’s look further into the requirements.

  1. Essential Cybersecurity requirements (based on Annex I)
    • Products must be:
      • Made available without known, exploitable vulnerabilities
      • Provided with secure by default configuration
      • Protected from unauthorized access through authentication and access control
      • Protected through encryption of relevant data at rest or in transit
      • Protected against data manipulation/modification
      • Limited to processing only necessary data (data minimization)
      • Protected to ensure availability of essential functions
      • Designed to minimize attack surfaces
      • Designed to reduce impact of incidents
      • Equipped to record and monitor relevant internal activity
      • Designed to allow secure data removal and transfer
  2. Vulnerability handling requirements (based on Annex I, Part II)
    • Manufacturers must:
      • Identify and document vulnerabilities (including the software bill of materials)
      • Address and remediate vulnerabilities without delay
      • Apply effective and regular security tests
      • Share information about fixed vulnerabilities
      • Implement coordinated vulnerability disclosure policies
      • Facilitate vulnerability information sharing
      • Provide secure update distribution mechanisms
      • Ensure security updates are disseminated without delay and free of charge
  3. Conformity assessment and marking
    • Products require CE marking to demonstrate compliance
    • Critical products require third-party conformity assessment
  4. Timeline for compliance
    • Main obligations become effective starting on December 11, 2027.
    • Vulnerability handling and incident reporting obligations begin on September 11, 2026.
  5. Incident reporting requirements:
    • Submit notifications through the European Union Agency for Cybersecurity (ENISA) single reporting platform.
    • Report actively exploited vulnerabilities within 24 hours of discovery.
    • Submit incident notifications within 72 hours and final reports within one month.
    • Inform users about incidents and available corrective measures.
  6. Lifecycle management requirements require manufacturers to:
    • Provide a support period of at least 5 years or an expected lifetime if shorter.
    • Retain security updates for a minimum of 10 years after issue or the remainder of the support period, whichever is longer.
    • Retain technical documentation and the EU declaration of conformity for at least 10 years after the product placement or support period, whichever is longer.
    • Ensure procedures are in place for products to remain in conformity with the regulation.
    • Monitor and document cybersecurity aspects throughout the support period.
    • Systematically document relevant cybersecurity aspects and update the cybersecurity risk assessment.
    • Exercise due diligence when integrating components from third parties.
    • Provide clear information about the end of support period at the time of purchase.

AWS and the CRA

AWS provides a comprehensive suite of services designed to help implement the technical measures needed to address the CRA’s essential cybersecurity compliance requirements across all product categories.

Planning for compliance

AWS IoT services offer solutions to help meet the CRA requirements across different product classifications while manufacturers prepare for the CRA’s implementation timeline.

Security requirements:

  • Use AWS IoT Core with X.509 certificates for authentication and access control.
  • Implement TLS 1.2 encryption for data in transit with AWS IoT Core.
  • Enable AWS IoT policies for access control and data protection.
  • Use AWS IoT Device Defender for monitoring and security assessment.
  • Implement AWS IoT Device Management for secure updates.
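The first three bullets (certificate-based identity, TLS and AWS IoT policies) come down to one artefact per device fleet: an AWS IoT Core policy that scopes each connection to the thing that owns the certificate. The following is an added example for this post, not AWS code: it builds such a least-privilege policy for a thermostat using the real `${iot:Connection.Thing.ThingName}` policy variable, places it next to the wildcard policy it replaces, and lints both. The region, account ID and the `thermostat/<thing>/...` topic layout are hypothetical placeholders.

```python
"""Least-privilege AWS IoT Core policy for a smart thermostat, with a lint pass.

Added example, not AWS's code. ACCOUNT_ID, REGION and the topic layout are
hypothetical placeholders chosen for this post.
"""
import json
from typing import Any

REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"  # placeholder, not a real account

# AWS IoT Core substitutes this policy variable with the name of the thing that
# the connecting certificate is attached to, so one policy serves every
# registered thermostat without granting any device access to another's topics.
THING = "${iot:Connection.Thing.ThingName}"


def arn(resource: str) -> str:
    """Build an AWS IoT resource ARN in the placeholder account."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:{resource}"


def thermostat_policy() -> dict[str, Any]:
    """Policy that lets a device connect only as itself, publish only under its
    own telemetry prefix, and receive only its own command topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": arn(f"client/{THING}")},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": [arn(f"topic/thermostat/{THING}/telemetry"),
                          arn(f"topic/thermostat/{THING}/status")]},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": arn(f"topicfilter/thermostat/{THING}/commands")},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": arn(f"topic/thermostat/{THING}/commands")},
        ],
    }


# The weak setting this replaces: any certificate holder may do anything,
# so one compromised thermostat can publish as, or subscribe to, every other.
PERMISSIVE_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings for Allow statements that grant more than one device needs:
    wildcard actions, wildcard resources, or resources not tied to the
    connecting thing's name."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action in ("*", "iot:*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in resources:
            if res == "*" or res.endswith("*"):
                findings.append(f"statement {i}: wildcard resource {res!r}")
            elif THING not in res:
                findings.append(f"statement {i}: resource {res!r} is not scoped "
                                "to the connecting thing")
    return findings


if __name__ == "__main__":
    print(json.dumps(thermostat_policy(), indent=2))
    print("lint (scoped policy):", lint_policy(thermostat_policy()))
    print("lint (permissive policy):", lint_policy(PERMISSIVE_POLICY))
```

The lint rule that a resource must reference `${iot:Connection.Thing.ThingName}` is a fleet-policy convention assumed here; a policy attached to a single certificate that hard-codes that device's thing name is equally tight and would be a false positive for this particular check.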

Vulnerability handling requirements:

  • Use AWS Security Hub and Amazon Detective for vulnerability detection.
  • Implement Amazon EventBridge for incident workflow automation.
  • Use AWS IoT Device Defender for continuous security monitoring.
  • Store vulnerability and incident data in Amazon Security Lake for documentation.

Implementation example: Smart Thermostat (Class I important product)

Securely implementing a smart thermostat as a Class I product under the EU CRA begins with its design and development. AWS customers can use AWS IoT Core’s just-in-time registration (JITR) for secure provisioning, while using AWS Secrets Manager to handle certificate management. Access control can be enforced through AWS IoT policies to ensure proper authorization.

Data protection is implemented through multiple security layers. AWS IoT Core enforces TLS 1.2 encryption for secure data transmission while strict topic access controls govern data access. In addition, AWS IoT Device Defender provides continuous security monitoring to detect and prevent potential threats.

AWS IoT Device Management can manage the device lifecycle through the required 5-year minimum support period. This includes maintaining device security through secure over-the-air (OTA) updates with signed firmware and tracking software states to maintain version control.

The vulnerability handling framework consists of multiple integrated components. AWS IoT Device Defender performs continuous security metric monitoring while Amazon EventBridge enables automated incident detection. Amazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) handle security alerts. AWS Lambda implements automated remediation actions, which include certificate revocation or device quarantine when security issues are detected.
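The remediation step above is where the detection pipeline turns into an enforcement decision, so it is worth seeing the Lambda side as code. The following is an added example for this post, not AWS code: a handler that consumes Device Defender violation notifications delivered through Amazon SNS, revokes the offending device's certificate for identity-related behaviours and moves the thing into a quarantine group for traffic-related ones. The notification payload is a constructed sample modelled on a Device Defender violation event, the behaviour-to-action mapping and the `quarantine` thing group are assumptions, and `FakeIotClient` stands in for `boto3.client("iot")` so that the block runs offline while using the real client method names and keyword arguments.

```python
"""Automated remediation of AWS IoT Device Defender violations from Lambda.

Added example, not AWS's code. The SNS-wrapped event below is a constructed
sample; the behaviour names, QUARANTINE_GROUP and the mapping from behaviour
to action are assumptions made for this post.
"""
import json
from typing import Any, Optional

QUARANTINE_GROUP = "quarantine"  # hypothetical thing group whose policy denies all traffic

# Assumed mapping: which Device Defender behaviour names warrant which action.
REVOKE_CERT = {"auth-failures-exceeded", "unexpected-connection-source"}
QUARANTINE = {"message-rate-exceeded", "unauthorised-topic-publish"}


class FakeIotClient:
    """Offline stand-in for boto3.client('iot'). It exposes the same method
    names and keyword arguments and records every call it receives."""

    def __init__(self, principals: dict[str, list[str]]):
        self._principals = principals
        self.calls: list[tuple] = []

    def list_thing_principals(self, thingName: str) -> dict[str, Any]:
        self.calls.append(("list_thing_principals", thingName))
        return {"principals": self._principals.get(thingName, [])}

    def update_certificate(self, certificateId: str, newStatus: str) -> dict:
        self.calls.append(("update_certificate", certificateId, newStatus))
        return {}

    def add_thing_to_thing_group(self, thingGroupName: str, thingName: str) -> dict:
        self.calls.append(("add_thing_to_thing_group", thingGroupName, thingName))
        return {}


def certificate_id(principal_arn: str) -> Optional[str]:
    """Extract the certificate ID from arn:aws:iot:REGION:ACCT:cert/<id>;
    return None for principals that are not certificates."""
    _, sep, cert_id = principal_arn.rpartition(":cert/")
    return cert_id if sep else None


def remediate(violation: dict[str, Any], iot: Any) -> list[str]:
    """Apply the action mapped to one violation record; return what was done."""
    if violation.get("violationEventType") != "in-alarm":
        return []  # alarm-cleared and similar transitions need no action
    thing = violation["thingName"]
    behavior = violation["behavior"]["name"]
    actions: list[str] = []
    if behavior in REVOKE_CERT:
        for principal in iot.list_thing_principals(thingName=thing)["principals"]:
            cert = certificate_id(principal)
            if cert:
                # REVOKED is final; use newStatus="INACTIVE" for a reversible block.
                iot.update_certificate(certificateId=cert, newStatus="REVOKED")
                actions.append(f"revoked {cert}")
    if behavior in QUARANTINE:
        iot.add_thing_to_thing_group(thingGroupName=QUARANTINE_GROUP, thingName=thing)
        actions.append(f"quarantined {thing}")
    if not actions:
        actions.append(f"no rule for {behavior}; logged only")
    return actions


def handler(event: dict[str, Any], context: Any = None, iot: Any = None) -> dict[str, list[str]]:
    """Lambda entry point. Accepts an SNS event (Records[].Sns.Message holding
    the violation JSON) or a bare violation dict; returns actions per violation."""
    if iot is None:
        import boto3  # only needed when deployed in Lambda
        iot = boto3.client("iot")
    records = event.get("Records")
    messages = [json.loads(r["Sns"]["Message"]) for r in records] if records else [event]
    return {m["violationId"]: remediate(m, iot) for m in messages}


# Constructed sample: two notifications for one thermostat, one live alarm and
# one cleared alarm, delivered through SNS.
SAMPLE_EVENT = {
    "Records": [
        {"Sns": {"Message": json.dumps({
            "violationId": "v-001",
            "thingName": "thermostat-0042",
            "securityProfileName": "thermostat-baseline",
            "behavior": {"name": "auth-failures-exceeded",
                         "metric": "aws:num-authorization-failures"},
            "metricValue": {"count": 37},
            "violationEventType": "in-alarm",
        })}},
        {"Sns": {"Message": json.dumps({
            "violationId": "v-002",
            "thingName": "thermostat-0042",
            "behavior": {"name": "message-rate-exceeded",
                         "metric": "aws:num-messages-sent"},
            "violationEventType": "alarm-cleared",
        })}},
    ]
}

if __name__ == "__main__":
    client = FakeIotClient({"thermostat-0042": [
        "arn:aws:iot:eu-west-1:123456789012:cert/abc123"]})
    print(handler(SAMPLE_EVENT, iot=client))
    print(client.calls)
```

Gating on `violationEventType == "in-alarm"` matters: Device Defender also publishes the transition back to normal, and a handler that revoked on every message would cut off a device for an alarm that had already cleared.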

Incident reporting utilizes a structured approach with notification workflows configured through Amazon EventBridge. Automated reporting is implemented through AWS services, with all incident documentation maintained securely in Amazon Security Lake for comprehensive record-keeping.

The conformity assessment process follows five key steps:

  1. Product classification requires determining the category (Important Class I, Class II, or Critical) and documenting the classification rationale.
  2. Conformity assessment.
  3. Customers can maintain technical documentation on AWS, including:
    • Complete risk assessments
    • Detailed security measures
    • Test results
    • AWS security controls and configurations
  4. CE marking is applied following successful conformity assessment completion and all documentation is maintained in the AWS systems.
  5. Ongoing compliance is ensured.

This comprehensive approach ensures full compliance with EU CRA requirements while maintaining robust security throughout the device lifecycle.

Looking ahead: The impact of CRA on IoT security

For AWS IoT customers, this regulatory framework presents a compliance requirement that must be met. It also creates a strategic opportunity to enhance security practices and build stronger trust with end-users through certified compliance measures.

The regulation excludes specific domains that already have comprehensive regulatory frameworks. Medical devices fall under the Medical Devices Regulation (MDR), while automotive systems follow (EU) 2019/2144 standards. The CRA covers all other connected devices with digital elements. This broad scope demonstrates how the regulation will shape the future of IoT security and product development.

Organizations leveraging AWS IoT solutions should view CRA compliance as an investment in product quality and market competitiveness. CRA standards will help establish a more secure and reliable IoT ecosystem, which will benefit both manufacturers and consumers while raising the bar for IoT security across the industry.

Conclusion

As manufacturers face new cybersecurity challenges under the CRA, AWS IoT services deliver the security foundation they need. These services combine built-in security features, automated monitoring, and comprehensive documentation to help manufacturers meet CRA requirements with confidence. By implementing AWS IoT’s security-first approach, manufacturers can transform regulatory compliance from a challenge into a competitive advantage.

As you prepare for the 2027 implementation deadline, early adoption of these AWS IoT security features can help establish the necessary infrastructure for compliance with the CRA’s essential requirements, vulnerability handling processes, and incident reporting obligations. This proactive approach not only supports regulatory compliance but also enhances overall product security and customer trust in the increasingly connected digital marketplace.

Important reminder: While AWS services can help implement technical controls, you as the customer are solely responsible for ensuring full compliance with all EU CRA requirements including proper product classification, conformity assessment procedures, and ongoing maintenance of required documentation. Importantly, even if your products don’t fall within specific categories, you may still need to comply with the EU CRA regulation and you must carefully review the law to understand how it applies to your specific use cases.

About the author

Syed Rehan

Syed is a Senior AI Solutions Cybersecurity Product Architect at Amazon Web Services (AWS), operating within the AWS AI Solutions organization. As a published book author on cybersecurity, machine learning and IoT, he brings extensive expertise to his global role. Syed serves a diverse customer base, collaborating with security specialists, CISOs, developers, and security decision-makers to promote the adoption of AWS Security services and solutions. With in-depth knowledge of cybersecurity, machine learning, artificial intelligence, IoT, and cloud technologies, Syed assists customers ranging from startups to large enterprises. He enables them to construct secure IoT, ML, and AI-based solutions within the AWS environment.