Introduction
In today’s digital world, Internet of Things (IoT) security and compliance continues to evolve. The European Union’s Cyber Resilience Act (CRA) is reshaping how IoT manufacturers, developers, and service providers approach their work. Let’s explore what this means for AWS IoT customers and manufacturers using connected devices.
Understanding the CRA’s impact
The CRA, which entered into force on December 10, 2024, requires comprehensive cybersecurity measures for products with digital elements, that is, hardware and software products that can connect to a device or network. The act aims to address the growing risks that come with the digitalization of physical products and the rising number of cyberattacks targeting connected devices.
Historically, many consumer and industrial IoT products were developed without adequate security controls. Now, through its security-by-design and security-by-default requirements, the CRA helps to ensure a higher level of trust, resilience, and accountability throughout the product lifecycle.
CRA product categorization
Annexes III and IV of Regulation (EU) 2024/2847, the official CRA text, define the product categories. Rather than a simple “low-risk” vs “critical” split, the CRA classifies products with digital elements according to their cybersecurity-related functionality and their level of risk.
The classification system includes:
- Important products with digital elements (Annex III):
- Class I products
- Class II products
- Critical products with digital elements (Annex IV)
This classification reflects the products’ cybersecurity-related functions and their potential risk based on the intensity and ability to disrupt, control, or damage other products or users’ health, security, or safety.
For example:
- Class I products:
- Network management systems
- Public key infrastructure and digital certificate issuance software
- Physical and virtual network interfaces
- Routers, modems intended for internet connection, and switches
- Microprocessors with security-related functionalities
- Microcontrollers with security-related functionalities
- Smart home general purpose virtual assistants
- Smart home products with security functionalities
- Internet connected toys with social interactive or location tracking features
- Personal wearable products with a health-monitoring purpose (where the medical device regulations do not apply) or intended for use by children
- Class II products:
- Hypervisors and container runtime systems
- Firewalls and intrusion detection and prevention systems
- Tamper-resistant microprocessors
- Tamper-resistant microcontrollers
- Critical products with digital elements:
- Hardware devices with security boxes
- Smart meter gateways within smart metering systems, and other devices for advanced security purposes, including secure cryptoprocessing
- Smartcards or similar devices, including secure elements
Key implications for manufacturers of products with digital elements
Referring to the official regulation document for EU CRA, let’s look further into the requirements.
- Mandatory security requirements (based on Annex I)
- Products must be:
- Made available without known, exploitable vulnerabilities
- Provided with secure by default configuration
- Protected from unauthorized access through authentication and access control
- Protected through encryption of relevant data at rest or in transit
- Protected against data manipulation/modification
- Limited to processing only necessary data (data minimization)
- Protected to ensure availability of essential functions
- Designed to minimize attack surfaces
- Designed to reduce impact of incidents
- Equipped to record and monitor relevant internal activity
- Designed to allow secure data removal and transfer
- Vulnerability handling requirements (based on Annex I, Part II)
- Manufacturers must:
- Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials (SBOM)
- Address and remediate vulnerabilities without delay
- Apply effective and regular security tests
- Share information about fixed vulnerabilities
- Implement coordinated vulnerability disclosure policies
- Facilitate vulnerability information sharing
- Provide secure update distribution mechanisms
- Ensure security updates are disseminated without delay and free of charge
- Conformity assessment and marking
- Products require CE marking to demonstrate compliance
- Important products generally require third-party conformity assessment (Class I products may self-assess when they fully apply harmonised standards); critical products must obtain a European cybersecurity certificate where an applicable scheme exists
- Timeline for compliance
- Main obligations become effective starting on December 11, 2027.
- Vulnerability handling and incident reporting obligations begin on September 11, 2026.
- Incident reporting requirements:
- Submit notifications through the single reporting platform operated by the European Union Agency for Cybersecurity (ENISA).
- Submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or of a severe incident affecting the product’s security.
- Follow up with a vulnerability or incident notification within 72 hours, and a final report within 14 days of a fix or mitigation being available (actively exploited vulnerability) or within one month (severe incident).
- Inform users about incidents and available corrective measures.
- Lifecycle management requires manufacturers to:
- Provide a support period of at least 5 years or an expected lifetime if shorter.
- Retain security updates for a minimum of 10 years after issue or the remainder of the support period, whichever is longer.
- Retain technical documentation and the EU declaration of conformity for at least 10 years after the product placement or support period, whichever is longer.
- Ensure procedures are in place for products to remain in conformity with the regulation.
- Monitor and document cybersecurity aspects throughout the support period.
- Systematically document relevant cybersecurity aspects and update the cybersecurity risk assessment.
- Exercise due diligence when integrating components from third parties.
- Provide clear information about the end of support period at the time of purchase.
AWS and the CRA
AWS provides a comprehensive suite of services designed to help implement the technical measures needed to address the CRA’s essential cybersecurity compliance requirements across all product categories.
Planning for compliance
AWS IoT services offer solutions to help meet the CRA requirements across different product classifications while manufacturers prepare for the CRA’s implementation timeline.
Security requirements:
- Use AWS IoT Core with X.509 certificates for authentication and access control.
- Require TLS 1.2 or later for data in transit with AWS IoT Core.
- Enable AWS IoT policies for access control and data protection.
- Use AWS IoT Device Defender for monitoring and security assessment.
- Implement AWS IoT Device Management for secure updates.
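As an added example, not code from the original post or from AWS, the following Python lint makes the “secure by default” access-control point concrete. It places the catch-all AWS IoT policy that many prototypes ship with beside a per-thing policy that binds the MQTT client ID to the registered thing name, and flags the patterns that break least privilege. The account ID, region, topic names and the lint rules themselves are assumptions for illustration.

```python
"""Lint an AWS IoT Core policy document for over-privilege patterns."""
import json

# Resolves only when the connecting certificate is attached to a registered thing
# and the MQTT client ID equals that thing name, so it binds identity to the registry.
THING_VAR = "${iot:Connection.Thing.ThingName}"
# Expands to whatever client ID the device presents, so any value satisfies it.
CLIENT_VAR = "${iot:ClientId}"

# Constructed example: the catch-all policy many prototypes ship with.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Constructed example: the same thermostat scoped to its own client ID and topics.
# Region and account ID are placeholders.
ARN_PREFIX = "arn:aws:iot:eu-west-1:123456789012"
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN_PREFIX}:client/{THING_VAR}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN_PREFIX}:topic/devices/{THING_VAR}/telemetry"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN_PREFIX}:topicfilter/devices/{THING_VAR}/commands"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN_PREFIX}:topic/devices/{THING_VAR}/commands"},
    ],
}


def _as_list(value):
    """IAM-style documents allow either a string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_iot_policy(policy):
    """Return a list of human-readable findings; an empty list means no rule fired."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in resources:
            # '*' is the ARN wildcard; '+' and '#' are MQTT topic-filter wildcards.
            if any(ch in res for ch in "*+#") and THING_VAR not in res:
                findings.append(
                    f"statement {i}: wildcard resource {res!r} is not scoped to a thing")
            if "iot:Connect" in actions:
                if CLIENT_VAR in res:
                    findings.append(
                        f"statement {i}: iot:Connect uses {CLIENT_VAR}, which any client ID satisfies")
                elif THING_VAR not in res:
                    findings.append(
                        f"statement {i}: iot:Connect is not bound to the registered thing name")
    return findings


def lint_iot_policy_json(text):
    """Convenience wrapper for a policy document held as JSON text."""
    return lint_iot_policy(json.loads(text))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_iot_policy(doc) or "no findings")
```

Run the lint in CI over every policy document before it is attached to a device certificate. The design point is `${iot:Connection.Thing.ThingName}`: it only resolves when the certificate is attached to a thing in the registry and the client connects under that thing name, which is what ties an authenticated certificate to one specific device and its own topics.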
Vulnerability handling requirements:
- Use AWS Security Hub to aggregate security findings and Amazon Detective to investigate them.
- Implement Amazon EventBridge for incident workflow automation.
- Use AWS IoT Device Defender for continuous security monitoring.
- Store vulnerability and incident data in Amazon Security Lake for documentation.
Implementation example: Smart Thermostat (Class I important product)
Securely implementing a smart thermostat as a Class I product under the EU CRA begins with design and development. This phase uses AWS IoT Core just-in-time registration (JITR) for secure provisioning, so that a device certificate is activated only after a registration check, and AWS Secrets Manager for certificate management. AWS IoT policies enforce access control and authorization on a per-device basis.
Data protection is implemented through multiple security layers. AWS IoT Core enforces TLS 1.2 or later for data in transit, while per-device topic access controls govern which data each device may publish and receive. In addition, AWS IoT Device Defender provides continuous security monitoring to detect and respond to potential threats.
AWS IoT Device Management can manage the device lifecycle through the required 5-year minimum support period. This includes maintaining device security through secure over-the-air (OTA) updates with signed firmware and tracking software states to maintain version control.
The vulnerability handling framework consists of multiple integrated components. AWS IoT Device Defender continuously monitors security metrics, Amazon EventBridge routes its violation events into automated workflows, and Amazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) handle security alerts. AWS Lambda implements automated remediation actions, such as certificate revocation or device quarantine, when a security issue is detected.
Incident reporting utilizes a structured approach with notification workflows configured through Amazon EventBridge. Automated reporting is implemented through AWS services, with all incident documentation maintained securely in Amazon Security Lake for comprehensive record-keeping.
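The provisioning and remediation steps described above, JITR registration at one end of the lifecycle and Lambda-driven certificate revocation or quarantine on a Device Defender alarm at the other, can be shown as two Lambda handlers. This is an added example, not code from the original post or from AWS. It calls the boto3 IoT client methods by name but ships with an in-memory stand-in so it runs offline; the policy names, the manufacturing allowlist, the mapping of metrics to revocation and the event field names used are assumptions.

```python
"""JITR activation and automated quarantine for AWS IoT Core device certificates."""
try:
    import boto3  # used inside Lambda; the offline run below injects FakeIot instead
except ImportError:
    boto3 = None

DEVICE_POLICY = "ThermostatDevicePolicy"  # assumed: the per-thing least-privilege policy
QUARANTINE_POLICY = "QuarantineDenyAll"   # assumed: a policy that denies every iot:* action

# Assumed manufacturing record: certificate IDs issued on the production line, mapped
# to device serial numbers. A certificate absent from this table is never activated.
MANUFACTURED = {
    "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90": "TSTAT-000123",
}
# Assumed policy choice: alarms on these Device Defender metrics point to a stolen key
# rather than an honest but misbehaving device, so the certificate is revoked outright.
REVOKE_METRICS = {"aws:num-authorization-failures", "aws:source-ip-address"}


def _client(iot):
    if iot is None and boto3 is None:
        raise RuntimeError("boto3 is not installed; pass an IoT client explicitly")
    return iot if iot is not None else boto3.client("iot")


def jitr_handler(event, context=None, iot=None, manufactured=MANUFACTURED):
    """Lambda for the $aws/events/certificates/registered/<caCertificateId> event.
    JITR leaves a first-seen certificate PENDING_ACTIVATION; only one known from
    manufacturing is activated, bound to its thing and given the device policy."""
    iot = _client(iot)
    cert_id = event["certificateId"]
    cert_arn = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]["certificateArn"]
    serial = manufactured.get(cert_id)
    if serial is None:
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
        return {"certificateId": cert_id, "status": "REVOKED", "reason": "unknown certificate"}
    iot.create_thing(thingName=serial)  # the real client raises ResourceAlreadyExistsException on re-registration
    iot.attach_thing_principal(thingName=serial, principal=cert_arn)
    iot.attach_policy(policyName=DEVICE_POLICY, target=cert_arn)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return {"certificateId": cert_id, "status": "ACTIVE", "thingName": serial}


def quarantine_handler(event, context=None, iot=None):
    """Lambda for a Device Defender violation forwarded by SNS or EventBridge.
    Quarantine swaps in the deny-all policy and deactivates the certificate (reversible);
    compromise-like metrics revoke it. An open MQTT session may not drop immediately."""
    iot = _client(iot)
    if event.get("violationEventType") != "in-alarm":
        return {"action": "ignored"}  # alarm-cleared / alarm-invalidated events
    thing = event["thingName"]
    metric = event.get("behavior", {}).get("metric", "")
    new_status = "REVOKED" if metric in REVOKE_METRICS else "INACTIVE"
    touched = []
    for cert_arn in iot.list_thing_principals(thingName=thing)["principals"]:
        cert_id = cert_arn.rsplit("/", 1)[1]  # arn:aws:iot:<region>:<account>:cert/<certificateId>
        iot.detach_policy(policyName=DEVICE_POLICY, target=cert_arn)
        iot.attach_policy(policyName=QUARANTINE_POLICY, target=cert_arn)
        iot.update_certificate(certificateId=cert_id, newStatus=new_status)
        touched.append(cert_id)
    return {"action": new_status, "thingName": thing, "certificates": touched}


class FakeIot:
    """Offline stand-in for boto3's IoT client; records calls and certificate status."""

    def __init__(self):
        self.calls, self.status, self.principals = [], {}, {}

    def describe_certificate(self, certificateId):
        arn = f"arn:aws:iot:eu-west-1:123456789012:cert/{certificateId}"
        return {"certificateDescription": {"certificateArn": arn}}

    def update_certificate(self, certificateId, newStatus):
        self.status[certificateId] = newStatus
        self.calls.append(("update_certificate", certificateId, newStatus))

    def create_thing(self, thingName):
        self.calls.append(("create_thing", thingName))

    def attach_thing_principal(self, thingName, principal):
        self.principals.setdefault(thingName, []).append(principal)

    def list_thing_principals(self, thingName):
        return {"principals": list(self.principals.get(thingName, []))}

    def attach_policy(self, policyName, target):
        self.calls.append(("attach_policy", policyName, target))

    def detach_policy(self, policyName, target):
        self.calls.append(("detach_policy", policyName, target))


if __name__ == "__main__":
    iot = FakeIot()
    known = next(iter(MANUFACTURED))
    print(jitr_handler({"certificateId": known}, iot=iot))
    print(jitr_handler({"certificateId": "ff" * 32}, iot=iot))
    alarm = {"violationEventType": "in-alarm", "thingName": "TSTAT-000123",  # constructed
             "behavior": {"name": "AuthFailures", "metric": "aws:num-authorization-failures"}}
    print(quarantine_handler(alarm, iot=iot))
```

Two choices matter here. Activation is gated on a record the device cannot influence (the manufacturing table), so a certificate signed by the registered CA is still not enough on its own to join the fleet. Quarantine is reversible by default (INACTIVE plus a deny-all policy), which keeps a false-positive alarm from destroying a fielded device’s identity, while metrics that indicate credential theft escalate to an irreversible REVOKED.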
The conformity assessment process follows five key steps:
- Product classification requires determining the category (Important Class I, Class II, or Critical) and documenting the classification rationale.
- Conformity assessment varies by classification:
- Class I products may use internal control (self-assessment) when they fully apply harmonised standards or common specifications; otherwise they need third-party assessment.
- Class II products need third-party assessment.
- Critical products must obtain a European cybersecurity certificate under an applicable European scheme (where none applies, the third-party procedures for important products are used).
- Technical documentation must be maintained by the manufacturer and can be stored in AWS, including:
- Complete risk assessments
- Detailed security measures
- Test results
- AWS security controls and configurations
- CE marking is applied once the conformity assessment completes successfully, and all supporting documentation is retained for the required period.
- Ongoing compliance is ensured through:
- Continuous monitoring through AWS IoT Device Defender.
- Update management through AWS IoT Device Management.
- Required documentation management and reporting.
This approach supports compliance with the EU CRA requirements while maintaining robust security throughout the device lifecycle; the manufacturer still owns the classification, the assessment and the evidence.
Looking ahead: The impact of CRA on IoT security
For AWS IoT customers, this regulatory framework presents a compliance requirement that must be met. It also creates a strategic opportunity to enhance security practices and build stronger trust with end-users through certified compliance measures.
The regulation excludes product categories that already have sector-specific cybersecurity rules. Medical devices fall under the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulation, vehicles under the EU type-approval framework (Regulation (EU) 2019/2144, which implements UNECE WP.29 requirements such as UN R155), and civil aviation and marine equipment under their own regimes. Products with digital elements outside those regimes, which is most connected devices, are in scope. This breadth shows how the regulation will shape the future of IoT security and product development.
Organizations leveraging AWS IoT solutions should view CRA compliance as an investment in product quality and market competitiveness. CRA standards will help establish a more secure and reliable IoT ecosystem, which will benefit both manufacturers and consumers while raising the bar for IoT security across the industry.
Conclusion
As manufacturers face new cybersecurity challenges under the CRA, AWS IoT services deliver the security foundation they need. These services combine built-in security features, automated monitoring, and comprehensive documentation to help manufacturers meet CRA requirements with confidence. By implementing AWS IoT’s security-first approach, manufacturers can transform regulatory compliance from a challenge into a competitive advantage.
As you prepare for the 2027 implementation deadline, early adoption of these AWS IoT security features can help establish the necessary infrastructure for compliance with the CRA’s essential requirements, vulnerability handling processes, and incident reporting obligations. This proactive approach not only supports regulatory compliance but also enhances overall product security and customer trust in the increasingly connected digital marketplace.
Remember that while AWS services can help implement technical controls, manufacturers remain responsible to ensure full compliance with all CRA requirements, which includes proper product classification, conformity assessment procedures, and ongoing documentation maintenance.