Security News

Cybersecurity news aggregator

Source: Reddit r/netsec

EU CRA mandatory vulnerability reporting enters into force September 11, 2026 — what the 24-hour obligation requires

  • What: EU Cyber Resilience Act mandates vulnerability reporting for IoT and hardware manufacturers.
  • Impact: Manufacturers must comply by 2027 or face fines and market bans.

The EU Cyber Resilience Act requires IoT and hardware manufacturers to comply by December 2027. Deadlines, requirements, SBOM, penalties up to €15M — complete guide by Platanor.

The EU Cyber Resilience Act (Regulation EU 2024/2847) requires all manufacturers of connected hardware and software products sold in the European Union to implement mandatory cybersecurity measures and maintain technical documentation by December 11, 2027. Products that do not comply cannot be legally placed on the EU market. Fines reach up to €15 million or 2.5% of global annual turnover — whichever is higher — and authorities can order product recalls and market bans. If you make IoT devices, smart hardware, or any product with a digital component and plan to sell in the EU, this law applies to you directly.

Why CRA exists — and why it matters more than most manufacturers realise

For years, the IoT market had a dirty secret: security was optional. A smart lock, an industrial sensor, a connected appliance — all could ship with hardcoded passwords, no firmware verification, and zero update mechanism. Manufacturers got away with it because there was no law that said otherwise. The result was predictable. The Mirai botnet in 2016 turned hundreds of thousands of compromised IoT devices into a weapon that knocked major internet infrastructure offline. Similar attacks happened again in 2017, 2019, 2021. The devices involved were not exotic or niche — they were consumer cameras, routers, and home appliances from mainstream manufacturers.

The European Union watched this pattern and decided someone had to be responsible. CRA shifts that responsibility clearly and permanently to the manufacturer. The logic is straightforward: the person who designs and sells the product is the only one in a position to build security in from the start. Users cannot patch firmware they cannot access. Enterprises cannot secure devices they did not build. Only manufacturers can make this decision — so CRA makes it a legal obligation.

Who CRA applies to

CRA applies to any manufacturer, importer, or distributor that places a "product with digital elements" on the EU market — regardless of where the company is based. A Ukrainian startup, a Polish SME, a Taiwanese hardware company, a US software vendor — if the product is sold in the EU and has a digital component, CRA applies.

What counts as a "product with digital elements":

  • Any hardware device with embedded software (IoT devices, smart appliances, industrial equipment, medical devices outside MDR scope)
  • Standalone software products
  • Mobile applications that are integral to a hardware product's operation
  • Any product that connects directly or indirectly to a network or another device

The scope is intentionally broad. If your product has a microcontroller, a wireless radio, or an app — you are in scope.

What is explicitly excluded:

  • Medical devices (regulated under MDR and IVDR)
  • Aviation equipment (EASA regulations apply)
  • Automotive products (UN ECE Regulations R155/R156)
  • Marine equipment
  • Open source software distributed freely for non-commercial purposes
  • Products developed exclusively for national defence or security

If your product falls under one of these exclusions, check the specific sectoral regulation — it likely has its own security requirements.

Product categories: how CRA classifies risk

CRA divides all in-scope products into three categories based on cybersecurity risk. This classification determines what kind of compliance process you need to follow.

Default Products (~90% of the market)

Most consumer and business IoT devices fall here. Products that are not explicitly listed as Important or Critical are Default by definition. Compliance process: Self-assessment. You evaluate your own product against CRA requirements, prepare the technical documentation, sign the Declaration of Conformity, and apply CE marking. No third-party auditor required. Examples: smart home appliances, consumer electronics, most BLE-connected devices, basic industrial sensors.

Important Products — Class I

Products with functions that carry elevated cybersecurity risk. Class I products require either self-assessment against harmonised standards or third-party assessment if harmonised standards are not applied. Examples: identity management and access control systems, smart locks and security cameras, wearable health monitors (non-medical), connected toys.

Important Products — Class II

Higher criticality. Third-party conformity assessment by a Notified Body is mandatory regardless of whether you follow harmonised standards. Examples: firewalls, intrusion detection systems, hypervisors, tamper-resistant microprocessors.

Critical Products

The highest risk tier. Requires a European cybersecurity certification scheme (such as EUCC). Examples: hardware security modules (HSM), root CA software, smart card readers for PKI infrastructure.

For most IoT and hardware manufacturers in the SME space, the relevant question is whether you are Defau...
