Cyber Resilience Act: What It Means for IoT Product Development

The Cyber Resilience Act (CRA) has quickly become one of the most impactful regulatory changes for companies building connected devices — including us at Sensoan. For months now, the CRA has been part of our everyday conversations: design reviews, customer discussions, internal workshops, and even those spontaneous moments around the coffee machine. The question that keeps popping up, both internally and with our customers, is: what does the Cyber Resilience Act mean for IoT product development?

While regulations often feel like something that happens “outside” of engineering, the CRA is something different. It reaches directly into how devices are designed, developed, maintained, and eventually decommissioned. And that’s why we’ve chosen to approach it not as a mandatory box‑ticking exercise, but as an opportunity to build better products.

Why the CRA Matters

Cyber Resilience Act and IoT product development in practice

Connected devices live long lives out in the field, sometimes 5, 10, or even 15 years. During that time, threats evolve, environments change, and systems need to adapt.
The CRA pushes every manufacturer to take this seriously by requiring:

  • Secure‑by‑design development practices
  • Proven lifecycle security, not only launch‑day security
  • Continuous vulnerability handling
  • Secure decommissioning processes
  • Transparency toward customers

These are all areas that have always mattered — the CRA simply ensures they cannot be ignored.

How CRA Has Changed Our Work

For us, the most important shift has been the mindset: starting security improvements from the first design discussions, instead of trying to patch missing elements later in the development cycle.

1. Security from day zero

Before any code is written, we now evaluate architectural choices, component selection, radio technologies, update mechanisms, and attack surfaces with CRA requirements in mind.

2. Documented, repeatable processes

The CRA expects verifiable processes. This has pushed us to refine how we justify decisions, track changes, and ensure traceability throughout the device’s entire life cycle. This kind of clarity also aligns well with Sensoan’s brand promise of practical, reliable IoT engineering.

3. Lifecycle‑wide responsibility

Security doesn’t stop when the device ships.
We look at:

  • Long‑term update capability
  • Vulnerability management
  • Secure retirement and decommissioning
  • Customer‑facing documentation

This helps us deliver solutions that remain safe, stable, and trusted for years, something critical infrastructure customers value deeply, as highlighted in our marketing focus areas.

Yes, It Adds Work – But It’s Worth It

We won’t pretend there’s no extra overhead. There is.

But the benefits are real:

  • Stronger, more reliable products
  • Faster onboarding for new team members
  • Clearer expectations in customer projects
  • Lower long‑term maintenance effort
  • Increased trust and transparency

And most importantly: better end‑user security.

We’ve already implemented these refined processes into our ongoing projects, and the impact is visible. The CRA didn’t just help us become compliant. It helped us build better engineering habits.

What’s Next?

The regulation is still evolving, and so will our processes. But one thing is clear: the CRA is here to stay, and it’s shaping the next decade of connected devices. We no longer ask what the Cyber Resilience Act means for IoT product development. We now see it as a requirement for verifiable processes and long‑term lifecycle planning.

We’ll continue sharing what we learn along the way and how companies can prepare without slowing down their innovation.

Want to talk about CRA in your own project?

Whether you’re designing a new device or evaluating how CRA affects your existing products, we’re happy to help.

Unfamiliar with the CRA? Read more here: Cyber Resilience Act, CRA | NCSC-FI
