Smart locks, connected thermostats, IP cameras, intelligent lighting – the smart home market is growing rapidly. With the Cyber Resilience Act (CRA), manufacturers of smart home devices must for the first time meet mandatory cybersecurity requirements before selling their products in the EU. This article explains the specific obligations and provides practical guidance for implementation.
Why the CRA Particularly Affects the Smart Home Market
Smart home devices are the textbook example of the product category the CRA aims to regulate. They are permanently connected to the internet, collect sometimes sensitive data (camera footage, movement patterns, voice recordings), and are frequently used by consumers who are not IT security experts.
The industry's security track record prompted the legislator to act: default passwords like "admin" or "1234," missing update mechanisms, and unencrypted data transmission were standard for many devices for years. The CRA puts an end to this.
For smart home and consumer electronics manufacturers, this means cybersecurity is no longer an optional feature but a market prerequisite. Without CRA conformity, no new product may be sold on the EU market from late 2027 onwards.
Product Classification: Where Does Your Smart Home Device Fall?
The CRA divides products into different categories requiring different conformity assessment procedures. For smart home devices, two categories are primarily relevant.
Most smart home devices – smart bulbs, smart plugs, connected household appliances, fitness trackers – fall into the simplest category as standard products. Self-assessment by the manufacturer is sufficient here.
However, some smart home products qualify as "important products" in Class I. These include smart locks and other physical access control systems, baby monitors and home surveillance cameras, smart smoke detectors and security sensors, and connected alarm systems. Stricter conformity assessment requirements apply to these products. Self-assessment is possible, but only when harmonized standards are fully applied.
Routers, firewalls, and other network devices that often form the foundation of a smart home network fall into Class II and require involvement of a notified body.
Specific Requirements for Smart Home Manufacturers
CRA requirements for smart home manufacturers can be organized into five core areas.
No more default passwords. Every device must ship with a unique password or force the user to set one during initial setup. This also applies to devices controlled via an app – the initial connection between app and device must be secure.
Secure data handling. Data may only be collected to the extent necessary for the device's function. Stored data must be encrypted. For devices with cameras or microphones, users must always be able to tell whether recording is active. Communication between device, cloud, and app must be encrypted end to end.
Update capability throughout the support period. Manufacturers must be able to deliver security updates and communicate a defined support period. The CRA requires the support period to be at least five years or match the expected product lifetime – whichever is shorter. For smart home devices that consumers often use for many years, this can be a significant commitment.
SBOM and vulnerability management. Every product needs a complete Software Bill of Materials. Manufacturers must establish a process for ongoing monitoring of known vulnerabilities in their components and deliver security patches promptly. Actively exploited vulnerabilities must be reported to ENISA within 24 hours from September 2026.
Consumer transparency. The CRA requires that consumers are informed before purchase about the support period and when the device will stop receiving security updates. This information must be clearly visible on packaging or in the online store.
Typical Challenges for Smart Home Manufacturers
In practice, smart home manufacturers face specific challenges. Many devices use shared platforms (e.g., ESP32-based devices with similar firmware), meaning a vulnerability in the platform affects dozens of products simultaneously. Manufacturers must be able to quickly determine which products are affected – this is precisely what an up-to-date SBOM enables.
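The SBOM-driven triage described in the vulnerability-management requirement above and in this paragraph can be automated with a small cross-reference step. The following is an added illustration, not code from the article or from any manufacturer or vendor: it loads per-product SBOMs in a CycloneDX-like JSON shape (only the fields the matcher needs are present), parses a component advisory with an affected version range, and returns which products ship a vulnerable version of the shared platform component. All product names, component names, versions and the advisory identifier are constructed placeholders and do not refer to any real vulnerability.

```python
"""Cross-reference a component advisory against per-product SBOMs.

Added illustration, not code from the article or from any vendor.
The SBOMs and the advisory below are constructed sample data in a
CycloneDX-like JSON shape; component names, versions and the advisory
id are hypothetical placeholders, not a real vulnerability.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOMs: three products built on the same platform
# firmware ("platform-sdk"), each pinned to a different release.
SAMPLE_SBOMS = {
    "smart-plug-sp100": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "platform-sdk", "version": "4.4.1"},
            {"name": "mbedtls", "version": "2.28.3"},
        ],
    }),
    "smart-bulb-sb200": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "platform-sdk", "version": "4.4.5"},
            {"name": "mbedtls", "version": "2.28.3"},
        ],
    }),
    "door-lock-dl300": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "platform-sdk", "version": "4.3.0"},
            {"name": "wolfssl", "version": "5.6.0"},
        ],
    }),
}

# Constructed advisory: platform-sdk releases >= 4.0.0 and < 4.4.3 are
# affected; 4.4.3 is the first fixed release. The id is a placeholder.
SAMPLE_ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "component": "platform-sdk",
    "introduced": "4.0.0",
    "fixed": "4.4.3",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4.1' into (4, 4, 1) so that versions compare numerically,
    not lexically ('4.10.0' must sort after '4.9.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, so the
    fixed release itself is not flagged)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract the component list from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc.get("components", [])


def affected_products(sboms: Dict[str, str],
                      advisory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected product to the vulnerable component version it
    ships. Products that do not contain the component, or that ship a
    version outside the affected range, are left out."""
    hits: Dict[str, str] = {}
    for product, sbom_json in sboms.items():
        for comp in load_components(sbom_json):
            if comp.get("name") != advisory["component"]:
                continue
            if is_vulnerable(comp["version"],
                             advisory["introduced"], advisory["fixed"]):
                hits[product] = comp["version"]
    return hits


if __name__ == "__main__":
    hits = affected_products(SAMPLE_SBOMS, SAMPLE_ADVISORY)
    for product, version in sorted(hits.items()):
        print(f"{SAMPLE_ADVISORY['id']}: {product} ships "
              f"{SAMPLE_ADVISORY['component']} {version}, "
              f"patch to {SAMPLE_ADVISORY['fixed']}")
```

With the constructed data, the smart plug (4.4.1) and the door lock (4.3.0) are flagged while the smart bulb (4.4.5, already past the fix) is not. The half-open range and numeric version comparison are the two details that most often go wrong in ad-hoc scripts; in production the version parser would need to handle the scheme each ecosystem actually uses (semantic versioning with pre-release tags, distro epochs, and so on) rather than plain dotted integers.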
Another challenge: many smart home devices have limited processing power and memory, making implementation of modern security mechanisms difficult. Encryption, secure boot processes, and over-the-air updates must run on hardware optimized for minimal power consumption.
The cloud dependency of many smart home products creates additional requirements: if the device cannot function without a cloud connection, the manufacturer must ensure cloud service availability throughout the entire support period. The CRA also requires that end of cloud support be communicated in advance.
Competitive Advantage Through Early Compliance
Manufacturers who implement CRA compliance early position themselves strategically. Retailers and online marketplaces will increasingly require proof of CRA conformity before listing products. Those who can provide this proof while competitors are still catching up gain shelf space and visibility.
Consumers are also developing a growing awareness of connected device security. A CRA-compliant product with transparent security information builds trust and justifies a higher price compared to competitors without demonstrable security standards.
Kunnus supports smart home and consumer electronics manufacturers in implementing CRA compliance efficiently – from automated SBOM creation through continuous vulnerability monitoring to complete documentation.
Where do you stand on CRA compliance? Our free CRA readiness assessment gives you a clear overview of your status and next steps in just a few minutes.