Cyber Teams
Howard Poston, Feb 13, 2025
Many Internet of Things (IoT) devices have fairly poor security. Encountering one developed with vulnerable code, weak default passwords, and missing security best practices is common.
As a result, many botnets are built from IoT devices because they are cheap and easy for cybercriminals to compromise en masse. The EU Cyber Resilience Act (CRA) entered into force in December 2024; its vulnerability and incident reporting obligations apply from September 2026 and the remaining obligations from December 2027.
The Act is an effort to raise the bar for the security of what it calls “products with digital elements,” meaning hardware and software products that can connect, directly or indirectly, to a device or network. This includes everything from smart speakers to internet-connected toasters and coffee pots.
It’s important to note that the Act isn’t limited to hardware and also covers software such as password managers, firewalls, operating systems, and VPNs. The Act’s definition of “Products with Digital Elements” (PDEs) is intentionally broad but excludes products already regulated under other EU legislation, such as medical devices or aviation components.
The Act defines consistent cybersecurity requirements for these products, and conforming products will bear the CE marking. Manufacturers that fail to meet its essential requirements face fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
The goal of the Act is to help consumers identify secure products and to protect against common threats associated with these devices, such as:
IoT Botnets
IoT devices are often targeted by botnet malware, designed to allow an attacker to use compromised devices for malicious activities. Common threats associated with these botnets include distributed denial-of-service (DDoS) attacks, credential stuffing, and scanning systems for vulnerable software.
Data theft
While the threat of an internet-connected camera might be obvious, a user might not consider the types of health and location data collected by a fitness tracker. Even a smart thermostat could determine when a home or business is most likely to be unoccupied. Implementing stronger security standards reduces the risk of these types of data being stolen and misused by an attacker.
Ransomware
Ransomware can render important data inaccessible or threaten to publicly release it if a ransom demand isn’t met. IoT devices widen the range of possible extortion threats, such as threatening to disable a pacemaker or to set a smart thermostat to unlivable temperatures.
The core goal of the EU Cyber Resilience Act is to enhance the security of IoT devices and other internet-connected systems. The Act contains a mix of explicit and implicit requirements for organizations to have certain security-related capabilities and processes in place, including:
Cybersecurity training: Only about a third of developers are trained to write secure code. To minimize the volume of exploitable vulnerabilities in its products and conform to the Act, an organization will need its development and security teams to work together and align product development with recognized security frameworks.
Code security: Improving code security helps companies meet compliance goals by reducing the number of vulnerabilities that reach production systems. Some secure coding best practices include educating developers on common errors, automating security testing (static analysis, dependency scanning, fuzzing) in Continuous Integration/Continuous Delivery (CI/CD) pipelines, and managing known vulnerabilities in third-party dependencies and libraries.
Vulnerability management: The Act explicitly requires manufacturers to implement a vulnerability handling process, including identifying and documenting the components in the product (a software bill of materials, or SBOM), fixing vulnerabilities without delay through security updates, and reporting vulnerabilities that are actively exploited by an attacker to ENISA and the designated CSIRT. In practice, vulnerability management entails security testing during software development, regular vulnerability scans and penetration tests, and the ability to detect and respond appropriately to active exploitation of the organization’s products.
Risk assessment: According to the Act, manufacturers must perform ongoing, comprehensive risk assessments for their products. This includes the ability to not only identify vulnerabilities but also assess their likelihood of exploitation and the potential impacts that an attack could have on the device’s owners.
Technical documentation: When declaring conformity with the Act, a manufacturer must draw up and maintain technical documentation, including information on the product’s security features, the residual risks of using it, how to securely remove user data from the product, and instructions on how to use it securely. This requires the ability to clearly describe the product’s function and how to operate it securely.
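As an added example (not from the article or from Hack The Box), the following Python script shows one way to wire the dependency-management and vulnerability-documentation points above into a CI/CD pipeline: it reads the product’s software bill of materials (SBOM) in CycloneDX JSON layout, matches each component against a list of known-vulnerable version ranges, and fails the build when a finding meets a severity threshold. The SBOM fragment, the advisory list and the ADV-nnnn identifiers are constructed for illustration only; a real pipeline would take the SBOM from the build and the advisories from a vulnerability feed, and would use a proper semver or PEP 440 parser instead of the simple numeric comparison used here.

```python
"""
Added example: gate a build on known-vulnerable dependencies listed in an SBOM.

The SBOM fragment and the advisory list are constructed for this example;
the ADV-nnnn identifiers are placeholders, not real vulnerability IDs.
"""
import json
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed SBOM in CycloneDX JSON layout (in practice, produced by the build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libhttpparse", "version": "2.3.1"},
        {"type": "library", "name": "tinyjson", "version": "0.9.0"},
        {"type": "library", "name": "mqttclient", "version": "1.4.2"},
    ],
})

# Constructed advisory feed. The affected range is [introduced, fixed);
# fixed=None means no patched release exists yet, so every version from
# `introduced` onward is affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "name": "libhttpparse", "introduced": "2.0.0", "fixed": "2.3.2", "severity": "high"},
    {"id": "ADV-0002", "name": "mqttclient", "introduced": "1.0.0", "fixed": "1.4.0", "severity": "critical"},
    {"id": "ADV-0003", "name": "tinyjson", "introduced": "0.9.0", "fixed": None, "severity": "medium"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    version: str
    severity: str
    fixed_in: Optional[str]  # None when no fixed release exists


def parse_version(version: str) -> tuple:
    """Turn '2.3.1' (or '2.3.1-rc1') into a comparable tuple of ints.

    Only the leading digits of each dot-separated part are used; a part with
    no digits counts as 0, and short versions are padded ('1.4' == '1.4.0').
    """
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if `version` lies in [introduced, fixed); fixed=None means no fix yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def check_sbom(sbom_json: str, advisories: list) -> List[Finding]:
    """Match every SBOM component against every advisory for that component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings = []
    for comp in bom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # a component without name and version cannot be matched
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"], name, version, adv["severity"], adv["fixed"]))
    return findings


def build_passes(findings: List[Finding], block_at: str = "high") -> bool:
    """The gate: the build fails if any finding is at or above `block_at` severity."""
    threshold = SEVERITY_RANK[block_at]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


def main() -> int:
    findings = check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in findings:
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix available; mitigate or replace"
        print(f"{f.advisory_id}: {f.component} {f.version} [{f.severity}] -> {fix}")
    if build_passes(findings):
        print("gate: PASS")
        return 0
    print("gate: FAIL (vulnerable dependency at or above threshold)")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step, the non-zero exit code blocks the merge or release; the printed findings double as the record of known component vulnerabilities that the Act’s documentation duties call for. Note that the unfixed `tinyjson` finding is still reported even though it does not fail the build at the default threshold, so the team has to decide on a mitigation rather than silently shipping it.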
The extent to which the requirements apply to an organization depends on how its Products with Digital Elements (PDEs) are classified by the Act. The Act defines three main categories:
Default: Most PDEs fall into the Default category, which allows self-assessment of conformity to the Act. This category includes everything that isn’t explicitly listed in the other two.
Important: The Important category covers higher-risk PDEs and is further divided into Class I (including password managers, VPNs, and operating systems) and Class II (including firewalls and tamper-resistant microprocessors). Class I PDEs may self-assess only if they fully apply a relevant harmonised standard or common specification; otherwise, and always for Class II, a third-party conformity assessment is required.
Critical: These are the highest-risk PDEs and include devices such as smartcards and smart meter gateways. They must be assessed under a European cybersecurity certification scheme where the Commission has mandated one, and otherwise by a third-party conformity assessment.
The EU Cyber Resilience Act has the potential to dramatically reshape how the manufacturers of IoT devices and other Internet-connected systems operate. While lax software security was acceptable in the past, the Act imposes more stringent requirements and penalties for non-compliance.
Achieving compliance with the new mandates will impact teams and stakeholders throughout the organization, including the development, QA, cyber security, legal, and management teams.
The Act’s largest impact is on an organization’s development teams and tying their efforts to security practices.
Because the Act holds device manufacturers to higher security standards, developers will need to be more aware of secure coding best practices and work with security to minimize the number of bugs and vulnerabilities that reach production.
The Act also requires manufacturers to fix vulnerabilities without delay and to provide free security updates throughout the product’s support period, which is expected to be at least five years for most products. This means that developers will spend more time maintaining existing code rather than developing new features, including rapidly developing patches for vulnerabilities once they are found to be under active attack.
While the QA team may be part of the larger development team, ideally an organization will have separate teams to develop and test software. The introduction of the Act prioritizes the QA team’s efforts to identify vulnerabilities before they are released to production systems.
The Act requires manufacturers to report actively exploited vulnerabilities through the single reporting platform run by ENISA: an early warning within 24 hours of becoming aware of the exploitation, a fuller vulnerability notification within 72 hours, and a final report within 14 days of a fix or mitigation being available.
Often, the responsibility for identifying these attacks and performing investigations will fall on an organization’s security team or incident response team (IRT).
An organization’s visibility into these incidents may come from third-party reports or by the team’s own efforts. For example, a security team may operate honeypots to help detect automated attacks or perform threat research on the Dark Web.
In both cases, the security team will likely be responsible for investigating and triaging the threat and communicating with stakeholders inside and outside of the organization.
The EU Cyber Resilience Act adds new regulatory responsibilities for affected organizations.
An organization’s legal and compliance teams will need to be aware of the new requirements and help to ensure that the organization is compliant.
Additionally, these teams may be responsible for communicating with regulators, law enforcement, and other external stakeholders in the event of a reportable incident, such as active exploitation of an organization’s products.
With a new focus on the security of Internet-connected products, the C-suite and the board need to allocate funding to ensure that affected teams have the required skills and resources to achieve compliance.
Additionally, management is responsible for managing the organization’s risk exposure and potential for non-compliance overall.
The EU Cyber Resilience Act makes security a priority for device manufacturers. Meeting its requirements means that development, QA, and security teams need to have certain skills, such as:
Secure coding
Vulnerability detection and remediation
Incident response
Threat research
Hack The Box offers hands-on training designed to bring teams up to speed in the skills that they need, including incident response, vulnerability testing, and threat research.
These resources can be invaluable for organizations looking to ensure that their teams have the skills needed to align with regulatory requirements and avoid the potential risks of non-compliance.