What Does CRA Compliance Look Like in the Smart Physical Security Industry?

Dec. 9, 2024
With the implementation period commenced, OEMs in the smart physical security industry must take immediate, proactive action to ensure compliance.

With the exponential increase in reliance on connected devices in daily life and the prominence of cyberattacks worldwide, the European Union introduced the Cyber Resilience Act (CRA), which was officially adopted in October 2024. The CRA is the first European regulation to apply legislation horizontally across the entire market of products with digital elements (PDEs), securing products, components, and subcomponents across the whole supply chain rather than only at the final usage stage. Essentially, the CRA enforces comprehensive lifecycle cybersecurity practices, including the timely disclosure and remediation of threats, continually identifying issues and releasing software patches, maintaining a comprehensive software bill of materials (SBOM), and ensuring the ability to reset a product to its original secure state. With severe noncompliance fines of €15 million ($15,739,800.00) or 2.5% of global annual turnover and the loss of the ability to sell in the EU market, noncompliance is entirely out of the question. And with the broad definition of PDEs, all for-profit digital products sold in the European market are affected.

To improve product cybersecurity across the entire lifecycle, the Cyber Resilience Act enforces its stringent requirements to bolster device and operational security for all PDEs through five critical areas.

  • Maintaining an accurate Software Bill of Materials (SBOM): Manufacturers must maintain an accurate and continually updated SBOM for PDEs, detailing software components and dependencies in a machine-readable format and providing access to it when required for compliance verification.
  • Detecting hardware and software vulnerabilities: To ensure product integrity, manufacturers of products with digital elements must regularly identify, document, and test for hardware and software vulnerabilities.
  • Remediation with secure software updates: To address vulnerabilities, all PDEs must receive timely, secure, and free software updates. Unlike functionality updates, security updates must be installed automatically and quickly upon vulnerability discovery.
  • Public disclosure of vulnerabilities: Annex I of the CRA mandates a coordinated vulnerability disclosure policy with a single point of contact. The policy requires disclosing details of addressed vulnerabilities once the corresponding updates are released, and promptly fixing all vulnerabilities through separate security patches.
  • Resetting the PDE to its original secure state: Manufacturers must include a reset function that restores PDEs to an original secure state, ensuring security patches are preserved rather than reverting to the original manufactured state with its potential vulnerabilities.

These extensive requirements and severe penalties apply horizontally across all PDEs in the European market. As the act focuses on security, additional requirements exist for product types that process data, store personal records, or supply foundational security functions.

A Higher Standard for CRA Compliance in the Physical Security Industry

The Cyber Resilience Act (CRA) extends its scope to physical security and data processing solutions, classified throughout the legislation as Class I, Class II, and Critical products. Annex III of the CRA covers the multiple product types and provides important distinctions, while Annex IV covers Critical products. Under the CRA, products that fall under these classes have higher security requirements than general PDEs.

These product types are PDEs that handle data transmission, cybersecurity, or data processing, requiring deeper security scrutiny under the CRA. Products falling under the Class I distinction serve an inherent data processing or security function as consumer-based products on a small scale. Class II products also deal with data processing and security but on a much larger scale, primarily for security and infrastructure at the network level. Class II products are often available as enterprise solutions. Additionally, Annex IV covers products classified as Critical PDEs; these products specifically include secure elements in their hardware and fall under the same scrutiny as products in Class I and II.

Generally, the physical security industry must meet a higher standard for CRA compliance than the rest of the PDE market.

Smart physical security systems, whether in homes or commercial settings, fall into these categories of heightened scrutiny because they handle user data, perform real-time security functions, or integrate secure hardware. Manufacturers of these products must adopt higher standards to comply with the CRA, avoid fines, and maintain their availability in the European market. Smart home security products, named under Class I, and smart cards, named in Annex IV, must meet the CRA's extensive class-specific requirements, specifically more rigorous built-in security and auditing practices; commercial smart security products likely fall into the same realm. According to Article 7(4) of the CRA, the products outlined in Annex III and IV will be subject to an extensive conformity assessment following the full examination procedure from Article 5 of EU 182/2011.

Timeline of the CRA

Following formal adoption on October 10, 2024, the Cyber Resilience Act will reach complete application by 2027. Starting from this point, the 36-month “implementation period” begins with data collection and a gradual rollout of auditing and reporting requirements until the legislation is fully applicable across the European Union. Manufacturers, especially those within the physical security industry whose offerings fall under Class I, Class II, or Critical products, must place additional focus on documentation as the implementation period progresses.

Next Steps for OEMs in the Physical Security Industry

With the implementation period commenced, OEMs in the smart physical security industry must take immediate, proactive action to ensure compliance amid the heightened requirements that apply to their product class. Establishing a future-proofed OTA update strategy, alongside detailed documentation, is a good starting point for all OEMs; however, those in the physical security industry, especially manufacturers of products mentioned in Annex III and IV of the CRA, must go a step further to prepare for compliance assessments. Physical security products classified as Class I, Class II, or Critical under the CRA must extend compliance preparations, taking additional steps including:

  1. Conducting security audits: OEMs must regularly assess their current product portfolio to identify security gaps. The CRA makes these audits the basis for identifying and handling vulnerabilities.
  2. Implementing a security-by-design strategy: Products must incorporate security from the ground up. By embedding security into every stage of the development process—design, testing, and deployment—OEMs can ensure their products meet CRA requirements throughout development.
  3. Adopting a robust OTA update infrastructure: OEMs must prioritize implementing secure, robust, and automated over-the-air (OTA) update capabilities for all devices. The OTA update infrastructure should facilitate the prompt and reliable distribution of security updates to address identified vulnerabilities, ensuring continuous compliance. A robust OTA should include security at every step while facilitating scalability, integration, and evolving complexity.
  4. Focusing on secure lifecycle management: The importance of security and the requirements of the CRA don’t stop after deployment. OEMs must enact robust processes for managing device security throughout the entire lifecycle, from design, manufacture, and commissioning through maintenance and decommissioning. Key components are securely deploying updates, actively monitoring vulnerabilities, decommissioning devices without exposing sensitive information, and communicating with customers about vulnerabilities and remediation without delay. The CRA also covers more nuanced lifecycle scenarios, such as ensuring the ability to restore a product to its original secure state or checking for security updates at the product’s first activation (secure first boot).

Executing these additional actions streamlines preparation for the CRA’s security requirements while compiling the documentation needed for the incoming conformity audits and the additional requirements for physical security products.

In embedding security and longevity into a CRA-ready product, OTA capabilities will play a pivotal role across the entire PDE landscape; for physical security products, OTA infrastructure must include robust security, auditing, and network features to streamline compliance. Preparations begin with embedding security at both the device and OTA infrastructure levels, incorporating measures such as mutual TLS encryption, code signing, and secure first boot updates to prevent devices from being compromised upon activation. Security should also extend across the entire device fleet, with granularity in managing updates, monitoring configurations, and responding to vulnerabilities. In the physical security environment, devices such as remote cameras may be in areas with varying levels of connectivity and bandwidth; enabling orchestration capabilities is essential for ensuring security updates are deployed across the board regardless of update complexity or network availability.

At the operational level, robust process security controls, such as role-based access control (RBAC) and two-factor authentication (2FA), are critical for securing the update infrastructure, ensuring only trusted administrators deploy updates. Furthermore, alongside maintaining an accurate Software Bill of Materials (SBOM) and tracking dependencies, the ability to log changes and deployments is crucial to maintaining compliance, especially throughout the conformity assessment. Finally, ensuring update robustness through phased rollouts, automated retries, and rollback functionality minimizes the risk of system failure or downtime, helping to safeguard both PDE security and the overall customer experience throughout the product lifecycle.
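To make the device-side part of these two paragraphs concrete (code-signed updates, refusing to revert to an older version, rollback when a newly applied update fails its health check, and an audit trail of every update decision), here is a small Go example written for this article; it is not code from the CRA, from any OEM, or from Mender. The key pair, the integer version scheme, the payloads and the health check are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Device keeps the installed version plus an audit trail of every update decision.
type Device struct {
	Installed int
	AuditLog  []string
}

// DemoPub/DemoPriv stand in for the OEM's code-signing key (constructed per run).
var DemoPub, DemoPriv, _ = ed25519.GenerateKey(nil)

// signedMessage binds the version into the signed bytes, so an old payload cannot be relabelled as newer.
func signedMessage(version int, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("v%d|", version)), payload...)
}

// SignUpdate is the build-side step: Ed25519 code signing of version||payload.
func SignUpdate(priv ed25519.PrivateKey, version int, payload []byte) []byte {
	return ed25519.Sign(priv, signedMessage(version, payload))
}

// Install is the device-side step: verify the signature, refuse downgrades,
// apply, run a health check, and roll back to the previous version on failure.
func (d *Device) Install(pub ed25519.PublicKey, version int, payload, sig []byte, healthy func([]byte) bool) error {
	if !ed25519.Verify(pub, signedMessage(version, payload), sig) {
		return d.fail("rejected v%d: signature invalid", version)
	}
	if version <= d.Installed {
		return d.fail("rejected v%d: not newer than installed v%d", version, d.Installed)
	}
	prev := d.Installed
	d.Installed = version // a real agent writes the inactive slot and reboots here
	if !healthy(payload) {
		d.Installed = prev
		return d.fail("rolled back v%d to v%d: health check failed", version, prev)
	}
	d.AuditLog = append(d.AuditLog, fmt.Sprintf("installed v%d", version))
	return nil
}

func (d *Device) fail(format string, args ...any) error {
	err := fmt.Errorf(format, args...)
	d.AuditLog = append(d.AuditLog, err.Error()) // every refusal is recorded, not just successes
	return err
}
```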

Adopting a robust over-the-air (OTA) infrastructure for CRA compliance in the smart physical security industry

Physical security OEMs have additional requirements to proactively prepare for the Cyber Resilience Act (CRA), specifically for documenting changes and upholding timely remediation across an entire fleet. At the center of CRA compliance for physical security OEMs is the need to roll out over-the-air (OTA) updates with solid security features. By integrating secure OTA update mechanisms, OEMs can ensure that devices remain protected throughout their lifecycle, from design to decommissioning. The OTA update infrastructure supports the secure transmission of updates, the ability to monitor device status, and the capacity to swiftly address vulnerabilities as they arise, all of which are critical to maintaining CRA compliance while simultaneously preparing for the additional assessment requirements that govern physical security.

Meeting these requirements ensures regulatory adherence and positions OEMs to maintain a competitive edge in the market. By implementing CRA compliance measures, OEMs can reassure customers that their devices are safe, resilient, and capable of withstanding evolving cybersecurity threats. In an increasingly competitive and security-focused landscape, CRA compliance is pivotal to business resilience and long-term success.

About the Author

Eystein Stenberg | CTO of Northern Tech

Eystein Stenberg is the CTO of Northern Tech, a leader in device lifecycle management, and the creator of Mender, the market-leading solution for robust, secure, and customizable over-the-air (OTA) software updates.