The European Union’s Cyber Resilience Act (CRA) is a momentous regulation designed to bolster the cybersecurity of products with digital elements (PDEs) on the European Union (EU) market. The number of connected devices is growing exponentially, spanning everything from industrial machinery to everyday consumer gadgets; the CRA establishes strict requirements to ensure these products remain secure throughout their entire lifecycle, from design to decommissioning.
EU CRA security update requirements
At the heart of the CRA is a clear message that security is not a one-time effort but an ongoing responsibility. The CRA essentially boils down to enforcing security as the most important and necessary part of any PDE. Across all verticals, aside from a few covered by existing regulations, the CRA ensures that commercially available products are built secure by default and kept secure with mechanisms in place for consistent and timely vulnerability detection, remediation, and disclosure.
At the center of the compliance requirements are over-the-air (OTA) software updates. First, products must receive security updates. CRA Annex I 1.3(k) mandates that manufacturers must ensure product security “through security updates, including, where applicable, through automatic updates and the notification of available updates to users.” Second, security updates must be deployed quickly; the CRA reinforces this timing requirement throughout the regulation. Annex I 2.2 explicitly requires manufacturers to address and “remediate vulnerabilities without delay,” separating security patches from functionality updates where possible to avoid delays. Annex I 2.7 and 2.8 further require mechanisms that enable the timely and secure distribution of patches to users. These timing requirements put significant pressure on OEMs to distribute updates automatically where possible and, where not, almost instantaneously. Taken together, the automation and timeliness requirements make advanced OTA updates a necessity for compliance.
Whether deployed in homes, hospitals, factories, or remote environments, today’s connected products often number in the hundreds, or even thousands, across geographies, connectivity conditions, and environments. Manually updating IoT or connected products is neither practical nor scalable, consuming vast resources. For CRA compliance, manual product updates leave critical security gaps — in time, coverage, and agility. In other words, OTA software updates aren’t just a best practice: they are, in effect, a legal obligation, because they are the only practical way to meet the CRA’s twin requirements to 1) provide security updates and 2) provide them quickly. Without robust OTA update capabilities, manufacturers risk non-compliance, exposing users and ecosystems to preventable security breaches.
The importance of OTA updates under the EU CRA
At its core, an OTA software update allows manufacturers to remotely deliver and install new firmware, patches, or software versions on devices without needing physical access or manual intervention. OTA updates allow a critical security update to be delivered to an entire device fleet almost instantly once a need is identified — an essential capability for connected products, especially with security threats constantly evolving. Vulnerabilities can emerge at any time, sometimes within days of a product release. OTA updates provide the agility required to patch these vulnerabilities quickly, ensuring devices stay secure no matter where they are deployed or when a new threat emerges.
Beyond efficiency and cost savings, secure OTA updates in connected products are mission-critical for security and compliance. An insecure or poorly designed OTA update process introduces its own set of risks. Failed updates can brick devices, cause malfunctions, or open new security gaps. Worse, if adversaries intercept or manipulate the update process, the entire product fleet can be compromised at scale.
The EU CRA outlines clear requirements for security updates. To comply, manufacturers must provide OTA updates to ensure timely patching, secure distribution and installation, and end user notification and disclosure. As a result, every aspect of the OTA update process — from transmission to installation — must be designed with security, reliability, and resilience in mind.
The core security pillars for EU CRA compliance
Without the use of OTA updates, EU CRA compliance is nearly impossible, and where possible, highly impractical and inefficient. Even so, the regulation goes a step further, requiring that updates be secure, reliable, and verifiable. Meeting these requirements involves implementing a multi-layered security approach: OTA updates are essential for compliance, but the OTA update mechanism itself must also be robust at every level, from device to fleet to operations.
Device-level security
Each connected product must have security embedded at the device level. This starts with encrypted communications and mutual TLS (mTLS) to authenticate both the device and the OTA update server. Code signing is critical at this level to ensure that only verified, authorized software can be installed, protecting against tampering or inauthentic updates.
Another vital step is securing the device lifecycle. Devices often spend months in storage or transit before activation, during which software vulnerabilities may emerge. A CRA-compliant OTA update process must include a secure “first boot” update. By ensuring the device installs the latest security patches immediately upon initial use, a secure “first boot” update prevents outdated software from becoming an easy target the moment the device connects.
Fleet-level security
The OTA update infrastructure must support fleet-wide monitoring, configuration management, and remote troubleshooting to identify vulnerabilities and respond quickly to threats. When managing highly complex products, secure orchestration is essential. Orchestration capabilities help manage the software-hardware and intra-component dependencies within a connected product, synchronizing numerous updates to ensure a consistent and successful update deployment.
Advanced features like phased rollouts and automated retries are critical for risk management, allowing manufacturers to deploy updates gradually and respond swiftly if issues arise. Granular deployment capabilities reduce the chances of large-scale failures while maintaining compliance and service continuity.
Operations-level security
Security at the operations level extends beyond the devices themselves to safeguarding the people and processes that manage them. Role-based access control (RBAC) ensures that only authorized personnel can perform sensitive operations, while two-factor authentication (2FA) adds an extra layer of protection against unauthorized access.
The CRA also emphasizes transparency and traceability. Every software update must be documented in a continuously updated software bill of materials (SBOM), which tracks software components and dependencies. Maintaining detailed audit logs of updates, changes, and access events is equally important, ensuring accountability while simplifying compliance reporting. At the operations level, a robust OTA update solution that can explicitly support and track process security is essential for manufacturers that want to avoid noncompliance penalties and protect their product and end consumer.
The CRA implicitly requires the use of OTA updates, the only option with the potential to be automated. Diving further into the regulation reveals that compliance is almost impossible without a robust OTA update system in place. While a simple OTA update system can quickly roll out updates at the device level, an underdeveloped solution typically creates more issues than benefits, including creating exposure, vulnerabilities, and new threat vectors. The pitfalls of an underperforming OTA update system come to light before even considering the fleet or operational capabilities required for manufacturers to protect products and comply.
The importance of a robust OTA update infrastructure
Security and automation alone aren’t enough to meet the EU CRA’s extensive requirements; robustness is equally critical (Annex I 2.7, 2.8). A secure OTA update system must quickly remediate vulnerabilities while simultaneously ensuring updates succeed under real-world conditions. The goal is security with minimal downtime and avoiding large-scale disruptions. Compliance requires that robustness is baked into the device and supporting infrastructure (Annex I - III), keeping products protected, secure, and operational.
One of the greatest risks with OTA updates is that a failed update can render devices inoperable, especially if no fail-safes exist. To mitigate this risk, a robust OTA update infrastructure must include automated rollback functionality; if an update fails or causes system instability, the device automatically reverts to the last known operational and secure state. Automatic retry mechanisms are also essential to handle scenarios where devices experience intermittent connectivity, ensuring updates are applied successfully even after initial failures or delays.
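The rollback and retry behaviour described above, as an added example that is not code from the original article or from any OTA product: it assumes an A/B partition layout and a post-boot health check (both constructed here as plain fields), retries a flaky download a bounded number of times, boots the new image from the standby slot, and reverts to the last known good image if the health check fails.

```go
package main

import "errors"

// Slot is one of two firmware partitions (an A/B layout is assumed here): the
// inactive slot always holds the last known good image to revert to.
type Slot struct {
	Version string
	Healthy bool // constructed stand-in for a post-boot health check result
}

// Device tracks which slot is booted; ApplyUpdate swaps them on success.
type Device struct{ Active, Standby Slot }

// ApplyUpdate retries the download up to maxAttempts to ride out intermittent
// connectivity, writes the image to the standby slot, boots it, and commits
// only if the health check passes; otherwise it reverts automatically.
// It returns the attempt count and whether a rollback happened.
func ApplyUpdate(d *Device, img Slot, fetch func() error, maxAttempts int) (attempts int, rolledBack bool, err error) {
	for attempts < maxAttempts {
		attempts++
		if err = fetch(); err == nil {
			break
		}
	}
	if err != nil {
		return attempts, false, errors.New("download failed after retries; device untouched")
	}
	d.Standby = img
	d.Active, d.Standby = d.Standby, d.Active // boot the new image
	if !d.Active.Healthy {
		d.Active, d.Standby = d.Standby, d.Active // revert to last known good
		return attempts, true, errors.New("health check failed; rolled back")
	}
	return attempts, false, nil
}

// FlakyFetch models a download that fails the first n times (constructed).
func FlakyFetch(n int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls <= n {
			return errors.New("connection reset")
		}
		return nil
	}
}
```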
Integrity verification is equally critical, using end-to-end validation to confirm both the update package and the installation process are error-free. Additionally, phased rollouts and canary deployments allow manufacturers to send updates gradually, starting with a small subset of devices. A staged deployment strategy reduces risk by enabling rapid detection and resolution of issues before full-scale rollout.
By implementing automatic rollback and retry capabilities and thorough validation steps, manufacturers can safeguard their users and their brand reputation from outages and attacks. Ultimately, a robust OTA update infrastructure ensures continuous service, customer trust, and long-term competitiveness, while simultaneously being essential to reach full EU CRA compliance.
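The phased rollouts and canary deployments mentioned in the fleet-level section and again above, as an added example that is not code from the original article or from any OTA product: a minimal controller (constructed here, not any product's API) releases growing batches of devices, waits for each batch to report, and halts itself when a batch's failure rate exceeds a configured threshold.

```go
package main

import "errors"

// Rollout is a minimal phased-deployment controller (a constructed example, not any
// product's API): batches grow per phase and the rollout halts itself on failures.
type Rollout struct {
	Phases          []int   // device count per phase, e.g. 1%, 10%, remainder
	MaxFailRate     float64 // halt threshold, e.g. 0.05 for five percent
	phase, released int     // next phase index; size of the batch awaiting reports
	Halted          bool
}

// PlanPhases turns a fleet size and canary percentages into per-phase counts.
func PlanPhases(fleet int, percents []float64) []int {
	var phases []int
	done := 0
	for _, p := range percents {
		n := int(float64(fleet) * p / 100)
		if n < 1 { n = 1 } // a canary phase never releases zero devices
		phases, done = append(phases, n), done+n
	}
	if rest := fleet - done; rest > 0 { phases = append(phases, rest) }
	return phases
}

// Release starts the next phase and returns its size; 0 means halted, waiting on reports, or done.
func (r *Rollout) Release() int {
	if r.Halted || r.released > 0 || r.phase >= len(r.Phases) {
		return 0
	}
	r.released = r.Phases[r.phase]
	r.phase++
	return r.released
}

// Report feeds back the current phase's outcome; too many failures halt further releases.
func (r *Rollout) Report(ok, failed int) error {
	if ok+failed != r.released {
		return errors.New("report does not cover every released device")
	}
	r.released = 0
	if float64(failed) > r.MaxFailRate*float64(ok+failed) {
		r.Halted = true
		return errors.New("failure rate over threshold; rollout halted")
	}
	return nil
}
```

A halted rollout is the cue to investigate and, where needed, push a corrected artifact; the canary batch limits how many devices ever saw the bad one.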
Compliant and competitive: Secure and robust OTA update capabilities
The EU CRA sets a new bar for security across the connected product market in the EU, and by extension, the global market. For manufacturers of IoT, smart, and connected products, security and compliance are continuous processes that demand robust infrastructure. Establishing a secure and robust OTA update system is central and critical to staying competitive in a market where security is essential for compliance and trust.
As AI-driven devices and increasingly complex IoT ecosystems become mainstream, the demand for reliable, fast, and secure software updates will only grow. Regulatory fines, reputational damage, and operational failures can derail progress; a best-in-class OTA update infrastructure is an absolute necessity for operational success and regulatory compliance. Implementing robust OTA update capabilities future-proofs product offerings, ensures EU CRA compliance, and prepares manufacturers for long-term success in the connected future.