The EU Cyber Resilience Act – A Guide for Manufacturers and Economic Operators

Scope and Affected Stakeholders of the CRA
The CRA applies to all products with digital components that are directly or indirectly connected to other devices or networks. Especially affected are manufacturers of products with wireless technologies such as Wi-Fi, Bluetooth, Zigbee, LoRaWAN, or cellular communication. These products fall under both the CRA and the RED, necessitating dual regulatory consideration.
Products specifically affected by the CRA include, for example:
- Smart home devices with Wi-Fi/Bluetooth (e.g., thermostats, alarm systems, cameras)
- Wearables and consumer electronics
- Industrial IoT components with wireless communication
- Communication modules in machinery, vehicles, or medical devices
- Gateways and routers with wireless technology
Timeline and Deadlines
Following its formal adoption in 2024, the CRA will enter into force in August 2025.
- A 36-month transition period is provided for the implementation of product-related requirements.
- For vulnerability management, the transition period is only 21 months.
Companies should use this time to evaluate current processes and implement necessary adjustments.
Obligations for Manufacturers and Economic Operators
Manufacturers must ensure that a product complies with CRA requirements before it is placed on the market. This is especially important for wireless products, which often contain complex software functions, wireless interfaces, and potentially security-critical communication paths.
Requirements for the CRA include:
- Integration of security features during the design phase (“security by design”)
- Consideration of radio protocols and their vulnerabilities in risk assessments
- Provision of regular security updates for radio modules and embedded software
- Maintenance of comprehensive technical documentation, including all wireless interfaces and their security measures
- Ensuring that wireless communication is protected against tampering, eavesdropping, and replay attacks
Importers and distributors may place only compliant products on the market. They must be able to provide technical documentation upon request and cooperate with the relevant authorities.
Detailed Security Requirements
Particularly relevant for manufacturers of wireless products are:
- Authentication of endpoints: Preventing unauthorized access to wireless networks
- Encryption of wireless data: Securing communication over Wi-Fi, Bluetooth, etc.
- Securing over-the-air (OTA) updates: Ensuring authenticated and integrity-protected updates
- Minimizing the attack surface: Disabling unused wireless interfaces and services
- Firmware hardening: Protecting wireless firmware through secure boot and code signing
Vulnerability Management and Notification Obligations
Manufacturers must establish vulnerability management processes that explicitly cover wireless components. Wireless technologies are particularly vulnerable to attacks such as spoofing, jamming, or man-in-the-middle. Manufacturers must continuously monitor these risks and include them in their reporting obligations to ENISA.
Conformity Assessment Procedures
Many wireless products may be placed on the market through self-assessment, provided:
- All relevant harmonized standards (e.g., EN 303 645, ETSI EN 301 489) are met
- The product is not classified as critical
In more complex cases—e.g., with security-critical wireless communication—evaluation by a notified body such as cetecom advanced is required.
Practical Implementation of the CRA
Technical implementation for wireless products is especially challenging due to the involvement of both hardware and software. Manufacturers should integrate the following steps into their development processes:
- Use of secure wireless protocols (e.g., WPA3, BLE Secure Connections)
- Application of threat modeling specifically for wireless communication paths
- Creation of a software bill of materials (SBOM), including pre-integrated wireless stacks
- Validation of security requirements via wireless-level penetration testing
- Integration of firmware update mechanisms with signature verification
Harmonization with Existing Standards
To meet CRA requirements, manufacturers of wireless products can refer to standards such as:
- ETSI EN 303 645: Cybersecurity for IoT devices
- ISO/IEC 27001: Information Security Management
- IEC 62443: Industrial cybersecurity
- Common Criteria for safety-critical components (EUCC certification, which is based on Common Criteria, can serve as evidence of CRA compliance)
Typical Challenges and Pitfalls
Wireless products often use pre-built modules or third-party stacks. Manufacturers must ensure these components are documented, tested, and maintained. A major challenge lies in guaranteeing that security updates are also provided in a timely manner for pre-integrated wireless modules.
Practical Recommendations for Preparation
To prepare effectively for the CRA, manufacturers of wireless products should systematically review and adapt their development and documentation processes. A key step is full identification and documentation of all wireless components used in products, including firmware versions. This transparency is essential not only for conformity assessments but also for future updates and security evaluations.
Another critical aspect is the in-depth security evaluation of wireless protocols used. Manufacturers must be able to prove that protocols such as Wi-Fi, Bluetooth, or proprietary solutions have been assessed for current security features and, where necessary, replaced with stronger alternatives.
Additionally, it is vital to review whether existing OTA update features comply with CRA requirements – particularly regarding authentication, integrity, and fail-safety. Secure update mechanisms are a cornerstone of product maintenance and a key pillar of cyber resilience.
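The signed-update requirement above (and the "firmware update mechanisms with signature verification" step in the implementation list) as a worked device-side check; this is added example code, not part of this guide or of any cetecom advanced deliverable. The manifest format, the vendor key pair and the firmware bytes are constructed for the example; a real device would hold only the vendor public key in immutable storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest is a constructed OTA metadata format for this example: a monotonic
// version, the SHA-256 of the image, and an Ed25519 signature over version||hash.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// SignManifest runs on the vendor's build system; the device holds only the public key.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{version, h, ed25519.Sign(priv, manifestBytes(version, h))}
}

// VerifyUpdate is the device-side gate before anything is written to flash:
// authentication (vendor signature), integrity (image hash) and anti-rollback
// (strictly newer version). On any failure the running image is left untouched.
func VerifyUpdate(pub ed25519.PublicKey, running uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("manifest signature invalid: update rejected")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash mismatch: update rejected")
	}
	if m.Version <= running {
		return errors.New("version not newer than running firmware: rollback rejected")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	image := []byte("constructed firmware image v2")
	if err := VerifyUpdate(pub, 1, SignManifest(priv, 2, image), image); err != nil {
		panic(err)
	}
}
```

The signature covers the version together with the hash, so an attacker who can replay an old signed manifest cannot pair it with a newer version number to bypass the rollback check.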
Finally, a comprehensive wireless security gap analysis conducted by an accredited testing laboratory is recommended. This involves a thorough assessment of technical, organizational, and documentation-related aspects against CRA requirements. It provides companies with a clear overview of current gaps and enables early planning of corrective actions.
Conclusion
The Cyber Resilience Act presents particular challenges for manufacturers of wireless products. They must meet not only the CRA's regulatory requirements but also account for the technical specifics of wireless communication. Acting early and designing products with security and transparency in mind secures not only market access but also the trust of customers and partners.
How cetecom advanced Can Support You
As an internationally recognized notified body and independent testing and certification organization, cetecom advanced offers extensive expertise in evaluating products with digital and wireless components. Our services range from early consulting on standards-compliant security architectures to conducting conformity assessments under the CRA and RED.
We place particular emphasis on supporting our clients in meeting the cybersecurity requirements of Article 3.3 (d), (e), and (f) of the RED. These include the protection of personal data, prevention of fraudulent access, and measures to ensure network and service integrity. Since 2024, these requirements have been defined in greater detail through the harmonized standard ETSI EN 18031, which provides technical specifications for wireless products. EN 18031 is a key reference for demonstrating compliance with both RED and CRA cybersecurity requirements.
With our consulting services on the application of EN 18031 and other relevant standards such as EN 303 645 and ETSI TS 103 701, we help you leverage synergies between RED and CRA. Our approach combines technical security testing (e.g., penetration tests, wireless protocol analysis, OTA validation), structured risk analysis, and robust documentation support. If desired, we accompany you all the way to formal CE marking – efficient, practical, and fully compliant.