Mender blog

The European Union Cyber Resilience Act (CRA): Why remediation requires over-the-air (OTA) updates

The rise of connected devices across the globe has illustrated the essential need for robust cybersecurity measures. As a result, governing bodies worldwide, especially in the European Union (EU), are enacting sweeping regulations to safeguard data, infrastructure, and consumers.

The EU Cyber Resilience Act (CRA), approved in October 2024, is at the forefront of a new regulatory wave, demanding more from manufacturers than traditional security measures. Going beyond traditional cybersecurity best practices, the CRA applies horizontally across products with digital elements (PDEs) and requires actively managing security risks throughout a product's lifecycle.

A central component of CRA compliance is the Act's remediation requirement. Specifically, Annex 1.2(c) mandates that manufacturers must: “ensure that vulnerabilities can be addressed, including, where applicable, through automatic security updates that are installed within an appropriate time frame.” 

In practical terms, the emphasis on “automatic” and “appropriate time frame” necessitates over-the-air (OTA) update capabilities.

IoT devices often operate in diverse and remote environments. With roughly 16 billion IoT devices worldwide, the average fleet sits at thousands to tens of thousands of devices across industry verticals.[1] A traditional manual update requires an onsite visit, so every time an update becomes available, technicians would have to travel to and update many devices at once. Updating even a fleet at the lower end of that range, a few thousand devices, within "an appropriate time frame" by manual or physical means would be impractical and costly, and would only increase the risk of noncompliance.

The importance of OTA updates for IoT

Given the scale of IoT fleets, manual or physical updates are impractical and sometimes impossible, which makes OTA updates a necessity for both security and compliance.

OTA update technology eliminates these barriers; manufacturers can deploy security patches instantly and remotely, ensuring compliance with the CRA’s remediation timelines. As the scale and complexity of IoT device fleets grow, OTA capabilities evolve beyond convenience; they become an operational necessity for maintaining robust security standards and achieving CRA compliance. Additionally, OTA updates bolster device security by reducing downtime and minimizing the window of exposure to potential threats, ultimately preserving user trust and securing the integrity of IoT ecosystems. With OTA updates, manufacturers can meet the CRA’s extensive remediation requirements, ultimately protecting users and maintaining compliance across an entire fleet of connected devices, regardless of size, physical location, or ecosystem complexity. 

Understanding the remediation mandate of the EU CRA

The CRA's objective is clear: to minimize vulnerabilities across all products with digital elements (PDEs) sold within the EU. It focuses on making devices "secure by design" and "secure throughout" their entire lifecycle. The CRA moves beyond initial security requirements, demanding continuous maintenance, timely updates, and proactive vulnerability management.

Under Annex I, the CRA requires that devices be “secure by default.” Additionally, Clause 55 states that products must meet security standards at the time of market entry and throughout their intended use. These directives underline a commitment to ongoing security, and remediation plays a central role in this, as vulnerabilities will undoubtedly be discovered during the product's intended use.

But what exactly does remediation entail under the CRA? The Act requires manufacturers to maintain robust patch management processes, disclose vulnerabilities responsibly, and meet strict timelines for addressing identified security issues. Non-compliance carries significant risks, including steep fines and potential exclusion from the EU market. 

Real-time response to cyber threats

The CRA sets high expectations for how manufacturers handle vulnerability remediation. Timely updates are not just encouraged—they are required. The regulation spells out the various areas of compliance, with noncompliance penalties reaching upwards of €15 million or 2.5% of global turnover. The threat of losing the CE mark on a non-compliant product also exists. There are four main areas of compliance:

  1. Third-party component verification: Clause 34 imposes due diligence requirements for any third-party components, including free and open-source software. Manufacturers must verify these components’ cybersecurity integrity, conform to regulatory standards, ensure regular updates, and perform routine security checks.
  2. Notify third-party creators about vulnerabilities: Article 13.6 mandates that manufacturers notify the creators or maintainers of third-party components about identified vulnerabilities, sharing relevant details for resolution. Additionally, Article 13.8 requires a structured vulnerability disclosure policy, ensuring that internal and external reports are effectively managed.
  3. Implement a structured vulnerability disclosure policy: Clause 36 mandates that manufacturers establish a clear policy for managing vulnerability reports, both internal and external, to ensure effective handling and resolution.
  4. Address vulnerabilities swiftly and transparently: Annex I.2.2 and I.2.4 specify that vulnerabilities must be addressed swiftly, with security updates provided promptly and separated from functional updates where possible. Disclosures about resolved vulnerabilities should also be made public, detailing the issue, impacts, and severity, although immediate publication may be deferred to allow users time to apply patches without increasing security risks.

How OTA updates streamline compliance 

OTA updates make real-time security patching possible, which is essential for addressing vulnerabilities promptly and meeting CRA deadlines. In contrast, manual updates or delayed patch deployment can lead to severe consequences, including increased exposure to cyberattacks and potential fines for non-compliance. Manufacturers who rely on outdated or manual update methods risk missing critical remediation windows, making their products more susceptible to exploitation and subject to regulatory penalties. OTA technology mitigates these risks by enabling swift, automated patching that can be deployed as soon as new vulnerabilities are discovered.

Why OTA updates are the backbone of remediation

The EU Cyber Resilience Act (CRA) mandates timely and automated remediation of vulnerabilities, largely making manual update processes obsolete. Over-the-air (OTA) updates are the only viable solution to meet these requirements, offering manufacturers the speed and scalability necessary to address vulnerabilities across large fleets or critical devices. Automation eliminates the delays, errors, and security risks associated with manual methods like USB sticks or on-site interventions. At the same time, features such as encrypted delivery, rollback, and delta capabilities ensure secure and efficient patch deployment. These capabilities directly align with the CRA’s Annex 1.2(c), which demands rapid, reliable updates to safeguard connected devices.
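To make the verified-delivery, delta and rollback capabilities named above concrete, here is an added example that is not code from Mender or from the original post. It simulates a device with two firmware slots (A/B): a delta is applied to the running image, the result is checked against a manufacturer-supplied tag before anything is activated, the device "boots" the new slot, and a post-boot health check decides whether to commit or roll back. Everything in it is constructed for illustration: the HMAC tag stands in for a real asymmetric signature, the images are a few bytes long, and the health check is a magic-byte test.

```python
"""Simulated A/B-slot OTA update with integrity check and automatic rollback.

Added example, not Mender's code: it models the three safeguards the post names
(verified delivery, delta updates and rollback) on a toy device so the failure
modes are visible. All keys, images and the health check are constructed here.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in for the manufacturer's signing key. A real fleet would use
# an asymmetric signature (private key at the vendor, public key on the device);
# HMAC keeps the example dependency-free.
SIGNING_KEY = b"example-manufacturer-key-not-a-real-secret"


def sign_image(image: bytes) -> bytes:
    """Tag over the full image; the device recomputes it before activating a slot."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def apply_delta(base: bytes, delta: list[tuple[int, bytes]]) -> bytes:
    """Reconstruct a full image from the running one plus (offset, bytes) patches.

    Only the patches travel over the air; the tag is still checked on the
    reconstructed image, so a corrupted or tampered delta cannot pass.
    """
    out = bytearray(base)
    for offset, chunk in delta:
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


@dataclass
class Device:
    """Two firmware slots; only one is active and updates always target the other."""
    slots: dict[str, bytes] = field(default_factory=lambda: {"A": b"", "B": b""})
    active: str = "A"
    log: list[str] = field(default_factory=list)

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def install(self, delta: list[tuple[int, bytes]], expected_tag: bytes,
                health_ok: Callable[[bytes], bool]) -> bool:
        """Verify, write to the inactive slot, boot it, then commit or roll back.

        Returns True only when the new image is verified and passes the
        post-boot health check; in every other case the previous slot stays
        (or becomes again) active, so a bad update never bricks the device.
        """
        target = self.inactive()
        candidate = apply_delta(self.slots[self.active], delta)
        if not hmac.compare_digest(sign_image(candidate), expected_tag):
            self.log.append("reject: image tag mismatch, nothing written")
            return False
        self.slots[target] = candidate
        previous, self.active = self.active, target      # "reboot" into new slot
        if health_ok(candidate):
            self.log.append(f"commit: slot {target} healthy")
            return True
        self.active = previous                           # automatic rollback
        self.log.append(f"rollback: slot {target} failed health check")
        return False


def boots_ok(image: bytes) -> bool:
    """Constructed health check: a valid image starts with the 'FW' magic."""
    return image.startswith(b"FW")


def demo() -> list[str]:
    """Walk one device through a good update, a broken release and a tampered one."""
    dev = Device()
    dev.slots["A"] = b"FWv1.0"
    # 1. Genuine, working patch: v1.0 -> v1.1, tagged by the vendor.
    dev.install([(2, b"v1.1")], sign_image(b"FWv1.1"), boots_ok)
    # 2. Genuine but broken release: tag valid, image does not boot -> rollback.
    dev.install([(0, b"XX")], sign_image(b"XXv1.1"), boots_ok)
    # 3. Tampered delta delivered with the tag of a different image -> rejected.
    dev.install([(2, b"v1.2")], sign_image(b"FWv1.1"), boots_ok)
    return dev.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of operations is the point: the tag is checked on the reconstructed image before the slot is written, and the old slot is never overwritten, so a failed health check costs one reboot rather than a truck roll. A fleet-scale OTA system adds a public-key signature, a server-side record of which devices committed which version, and a bounded time-to-remediate report, which is the evidence a manufacturer would keep for the "appropriate time frame" requirement.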

Beyond efficiency and regulation, OTA updates enhance the security of device fleets by reducing the risk of breaches during the update process, a common vulnerability in manual workflows. When addressing either fleets of IoT devices or isolated critical systems, OTA update capabilities enable manufacturers to comply with CRA requirements, minimize disruptions, and maintain operational continuity.


Resources 

[1] https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/
