
CRA readiness for connected devices: what IAM teams need to prove


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7823
Topic starter  

TL;DR: The EU Cyber Resilience Act will require connected products to prove security across design, provisioning, updates, and vulnerability response, with non-compliance risking fines up to €15 million or 2.5% of global revenue, according to DigiCert. For identity teams, the real issue is whether device trust, lifecycle evidence, and audit records can survive production scale and long-lived deployments.

NHIMG editorial — based on content published by DigiCert: The Partnerships Powering CRA Readiness Across IoT Device Trust

By the numbers:

Questions worth separating out

Q: How should teams prove device identity across the full IoT lifecycle?

A: Teams should bind each device to a unique trusted identity at manufacture, then preserve that identity through enrollment, updates, support, and retirement.

Q: Why do connected devices create harder compliance problems than standalone systems?

A: Connected devices create harder compliance problems because they persist, update, and interact with multiple services over long periods.

Q: What breaks when update trust is separated from device identity?

A: When update trust is separated from device identity, teams can no longer prove that a firmware package belongs to the exact product instance receiving it.

Practitioner guidance

  • Map device identity from manufacture to retirement: Create a lifecycle register that binds each connected product to its initial credential, certificate, firmware lineage, ownership, and retirement state so compliance evidence is continuous rather than recreated.
  • Tie update trust to product identity: Require signed update validation, SBOM checks, and vulnerability response records to resolve against the exact device model and instance before deployment approvals are granted.
  • Unify compliance evidence across operational systems: Link certificate records, provisioning logs, patch history, and support attestations into one audit trail so regulators can follow the full device lifecycle without manual reconciliation.
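The second guidance point, and the Q&A above on what breaks when update trust is separated from device identity, come down to one check on the device: a firmware manifest must be accepted only if it is vendor-signed, names this device's model and this exact instance, matches the image actually delivered, and does not roll the version backwards. The block below is an added example written for this post; it is not DigiCert's code nor anything from Device Trust Manager or TrustCore SDK. It assumes JSON manifests, a device identity consisting of a model string and a manufacture-time serial, and uses HMAC-SHA256 with a constructed vendor key as a stand-in for the asymmetric signature a real deployment would use. The audit record it emits is the kind of per-instance evidence the third guidance point asks teams to keep.

```python
"""Added example (not from the post or from DigiCert): bind firmware-update
trust to a specific device identity and record the decision as evidence.

Assumptions made here: manifests are JSON, the vendor "signs" them with
HMAC-SHA256 under a constructed key (stand-in for a real asymmetric
signature), and every device carries a model and a unique serial assigned
at manufacture.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key; a real deployment would
# verify an asymmetric signature against a pinned vendor certificate.
VENDOR_KEY = b"constructed-vendor-signing-key"


@dataclass(frozen=True)
class DeviceIdentity:
    """Identity provisioned at manufacture (model + unique instance serial)."""
    model: str
    serial: str
    installed_version: int  # monotonic counter used for anti-rollback


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(model: str, target_serial: str, firmware: bytes, version: int) -> dict:
    """Manifest that names the model, the exact instance, the image and version."""
    return {
        "model": model,
        "target_serial": target_serial,
        "firmware_sha256": hashlib.sha256(firmware).hexdigest(),
        "version": version,
    }


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: attach a signature over the canonical manifest bytes."""
    sig = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": sig}


def verify_update(device: DeviceIdentity, signed: dict, firmware: bytes,
                  key: bytes = VENDOR_KEY) -> tuple:
    """Device side: accept only if every binding to this instance holds.

    Returns (accepted, reason). Checks run in order: signature first so that
    nothing below is trusted from an unauthenticated manifest.
    """
    manifest = signed["manifest"]
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False, "signature invalid"
    if manifest["model"] != device.model:
        return False, "model mismatch"
    if manifest["target_serial"] != device.serial:
        return False, "instance mismatch"  # valid vendor package, wrong device
    if hashlib.sha256(firmware).hexdigest() != manifest["firmware_sha256"]:
        return False, "firmware digest mismatch"  # image swapped after signing
    if manifest["version"] <= device.installed_version:
        return False, "rollback rejected"
    return True, "ok"


def audit_record(device: DeviceIdentity, signed: dict, decision: tuple) -> dict:
    """Evidence line tying the decision to the exact model/instance/image."""
    manifest = signed["manifest"]
    return {
        "model": device.model,
        "serial": device.serial,
        "manifest_version": manifest["version"],
        "firmware_sha256": manifest["firmware_sha256"],
        "accepted": decision[0],
        "reason": decision[1],
    }


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    dev = DeviceIdentity(model="gw-200", serial="SN-0001", installed_version=3)
    fw = b"constructed firmware image bytes v4"
    pkg = sign_manifest(build_manifest(dev.model, dev.serial, fw, 4))
    print(json.dumps(audit_record(dev, pkg, verify_update(dev, pkg, fw))))
```

Each rejection reason maps to a distinct failure a reviewer would want in the audit trail: "instance mismatch" is the case the Q&A describes, a genuine vendor package that simply was not issued for this unit; "firmware digest mismatch" catches an image substituted after signing; "rollback rejected" keeps a once-valid, now-vulnerable release from being re-applied. Keying the manifest to one serial means one manifest per unit; a fleet-scale variant would sign a per-model manifest and have the update service issue a short per-device authorization that references it, but the device-side checks stay the same.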

What's in the full article

DigiCert's full article covers the operational detail this post intentionally leaves for the source:

  • How Device Trust Manager, TrustCore SDK, and the DigiCert ONE platform are positioned in the CRA readiness workflow
  • How the partnership model is described across manufacturer, integrator, and field validation responsibilities
  • How the article frames embedded identity, SBOM generation, and compliance records as part of product delivery
  • How DigiCert describes the role of Concept Reply and Digital Reply in translating compliance into deployments

👉 Read DigiCert's analysis of CRA readiness for connected IoT devices →


