Internet of Things (IoT) devices and ecosystems are increasingly attracting state, national, and supranational regulation that encourages developers to ensure their cybersecurity. The challenge for IoT developers is threefold:
- Discovering all the regulations that apply to their IoT devices and ecosystems.
- Interpreting the regulatory requirements and implementing sound responses.
- Being recognized as having done so by regulators and the market.
In this article, we’ll explore these challenges in the context of the European Union’s Cyber Resilience Act (CRA). We’ll then discuss the role that independent third parties can play in validating developers’ efforts to meet its requirements.
The Cyber Resilience Act
The CRA requires that digital products and services that connect to other devices or networks be secure by design and resilient against cyber threats. Additionally, they must offer cybersecurity protections throughout their lifetime.
Many of the CRA’s technical requirements are what you would expect: implementing cybersecurity-by-design strategies, offering secure-by-default configurations, and adding appropriate levels of encryption and access control. However, the CRA also requires that manufacturers carry out risk assessments and keep them updated to address any vulnerabilities throughout the product’s life.
A summary of CRA requirements.
The CRA calls on manufacturers to apply due diligence when integrating third-party components or services into their products. As well, it asks for comprehensive documentation, including a declaration of conformity with the regulations.
The CRA entered into force on December 10, 2024. It’s being implemented in three phases:
- By June 11, 2026, EU member states must give the Commission the names of the bodies within their jurisdiction that plan to offer CRA conformity assessments.
- By September 11, 2026, manufacturers must be able to meet the CRA’s requirements for reporting actively exploited vulnerabilities and severe incidents.
- On December 11, 2027, all other requirements of the CRA will become mandatory.
For some, these deadlines represent a challenge that they would prefer not to think about. However, the costs of failing to address the CRA’s requirements can be high. These include fines of up to 2.5% of the manufacturer’s global annual turnover, restrictions on selling the product, and even product recalls.
Dealing With the Challenge of Compliance
Thoughtfully structured tools can help IoT developers consider the requirements of the CRA and how they should adjust their design processes in response. Such tools can also highlight areas in which their best efforts alone will be insufficient for meeting all the CRA’s requirements—for example, when the cybersecurity of the physical design is reliant upon an external service.
Third-party assessments of a design’s compliance can help manufacturers achieve regulatory acceptance and market recognition of their efforts to comply with the CRA’s requirements. These assessments must be truly independent to deliver the necessary credibility.
By way of illustration, let’s consider a real-world example involving a cybersecurity tool and a compliance assessment.
The QuarkLink IoT Cybersecurity Platform
Crypto Quantique is a software and semiconductor intellectual property company that offers end-to-end IoT security products. These products range from security IP for chip designers to software tools that help OEMs automate the process of connecting millions of devices to the cloud.
Crypto Quantique’s QuarkLink software platform is designed to simplify security-by-design practices. It has two main components:
- A software development kit (SDK) that enables on-device security features such as secure boot, as well as managing secrets and certificates in devices.
- A cloud platform for securely provisioning devices, on-boarding with third-party cloud services, and key management.
QuarkLink is available on a variety of Linux distributions and works with hardware ranging from resource-constrained MCUs to powerful SoCs. Its breadth of functionality, along with the range of supported devices, makes QuarkLink an effective tool for ensuring CRA compliance.
QuarkLink’s breadth of functionality helps make it an effective tool for ensuring CRA compliance.
Cetome’s Independent Assessment
QuarkLink is intended to help customers meet the requirements of the CRA if they use it to develop IoT products and services. Crypto Quantique hired a company called Cetome to provide an independent and unbiased assessment of the extent to which QuarkLink achieves this goal.
Cetome is a globally-operating security consultancy that helps its customers protect against known cyber risks and respond effectively to new challenges. In addition to offering an assessment service, it also tracks the evolution of cybersecurity legislation so it can help customers meet regulatory requirements worldwide.
This makes Cetome’s role—both as an independent advisor on these regulations and an arbiter of compliance—particularly important for building trust in cybersecurity assessments of individual IoT devices and systems.
Independent assessments like this one set out clearly the extent to which online tools like QuarkLink can help with CRA compliance, while summarizing what else needs to be done.
Cetome carried out its analysis of QuarkLink in early 2025. For each of the Essential Cybersecurity Requirements found in Annex 1 of the CRA, Cetome identified a level of compliance support:
- Excellent: Provides an excellent way for customers to reach compliance with little additional work.
- Good: Can help customers reach compliance, but complementary work may be needed.
- Fair: Can only help achieve compliance if additional prerequisites are in place.
The report describes the extent to which QuarkLink’s features can help an IoT developer comply with each Essential Requirement. It’s worth noting that ‘Good’ or ‘Fair’ ratings on some requirements may simply mean that what the customer needs to do is outside the scope of this kind of software platform. The report also outlined the gaps a customer would need to fill alongside their use of QuarkLink.
Technical interpretation of the requirements can also be an issue in these assessments. For example, the CRA doesn’t explicitly demand that embedded IoT devices use secure-boot strategies. However, it does demand that any cybersecurity vulnerabilities that emerge while the device is in service are addressed within 48 hours. In many cases, the only way to achieve this will be to issue an over-the-air firmware update—which can only be done securely using a hardware root-of-trust and a secure boot strategy.
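To make the secure-update point above concrete, here is an added example (not code from the article, Crypto Quantique or QuarkLink) of the checks a device-side update loader performs before it applies an over-the-air firmware image: authenticate the manifest with a key anchored in the hardware root of trust, refuse rollback to an older or identical version, and bind the image bytes to the authenticated manifest by digest. The manifest layout, the `DEVICE_UPDATE_KEY` value and the use of HMAC-SHA256 are assumptions made so the example runs with the Python standard library only; a production secure-boot chain would use an asymmetric signature (for example ECDSA or Ed25519) verified with a public key burned into the root of trust, and the anti-rollback counter would live in monotonic hardware storage.

```python
import hashlib
import hmac
import json

# Constructed example key. In a real device this secret sits in a secure
# element or TPM and is never readable by application firmware; HMAC stands in
# for an asymmetric signature only to keep the example dependency-free.
DEVICE_UPDATE_KEY = b"constructed-example-key-do-not-use"


def build_update(key, version, image):
    """Vendor side: produce (manifest_bytes, tag, image) for a firmware image."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    # Canonical encoding so the device authenticates exactly these bytes.
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    return manifest_bytes, tag, image


def verify_update(key, installed_version, manifest_bytes, tag, image):
    """Device side: returns (True, new_version) or (False, reason).

    Order matters: nothing inside the manifest is trusted until the
    manifest itself has been authenticated.
    """
    # 1. Authenticate the manifest with the root-of-trust key.
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"

    manifest = json.loads(manifest_bytes)

    # 2. Anti-rollback: an attacker must not be able to reinstall an older
    #    (vulnerable) release or replay the current one.
    if manifest["version"] <= installed_version:
        return False, "rollback or replay rejected (version %d <= %d)" % (
            manifest["version"], installed_version)

    # 3. Bind the image to the authenticated manifest before flashing it.
    if len(image) != manifest["size"]:
        return False, "image size mismatch"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"

    return True, manifest["version"]


if __name__ == "__main__":
    # Constructed firmware blob standing in for a real image.
    firmware = b"\x7fELF" + b"\x00" * 60
    m, t, img = build_update(DEVICE_UPDATE_KEY, 3, firmware)
    print(verify_update(DEVICE_UPDATE_KEY, 2, m, t, img))          # accepted
    print(verify_update(DEVICE_UPDATE_KEY, 3, m, t, img))          # replay
    print(verify_update(DEVICE_UPDATE_KEY, 2, m, t, img + b"\x90")) # tampered
```

The three checks map onto the text's argument: the hardware root of trust supplies the key and the integrity of the verifier itself, while the version and digest checks are what let the manufacturer push a fix for a newly reported vulnerability without opening a path for downgrade or image substitution.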
Assessment Results
According to Cetome’s assessment, QuarkLink is “a comprehensive all-in-one solution to create and operate secure-by-design products.” The report goes on to identify QuarkLink’s ability to simplify the implementation and management of complex hardware-based security functions as a particular strong point.
This simplification is achieved by having the QuarkLink SDK act as an abstraction layer between the developer and the implementation of native hardware-based security functions. Crypto Quantique has developed partnerships with several chip vendors to ease this implementation challenge.
Cetome’s assessment also highlights QuarkLink’s efficacy at the other end of the IoT continuum, in the cloud. Because it centralizes the management of security secrets and certificates throughout a product’s lifecycle, QuarkLink reduces key risks related to the use of cryptography. These include:
- Insecure implementations.
- Misconfiguration.
- Leaked secrets.
- The continued use of expired certificates.
Overall, the report concluded that “product manufacturers can accelerate their compliance with several Essential Requirements of the CRA” by using QuarkLink. In keeping with the complexities we discussed in the previous section, however, it also warns that “QuarkLink is only an enabler to product security: customers still need to follow a secure-by-design process and apply the CRA Essential Requirements to their entire product.”
Wrapping Up
Whether IoT developers like it or not, the Cyber Resilience Act is here and similar legislation is coming worldwide. Some of this regulation includes very specific requirements that developers must understand, implement, and test, both in the marketplace and through independent assessment bodies, before they can be certain that their designs are compliant.
Tools such as Crypto Quantique’s QuarkLink can help developers think about meeting such regulatory requirements and implement solutions that do so. Likewise, independent consultants such as Cetome can help IoT developers and the wider marketplace understand how well the requirements of the CRA, and other new regulations, are being complied with in practice.
Featured image used courtesy of Adobe Stock; all other images used courtesy of Crypto Quantique