Mender blog

Why cloud IoT solutions alone are not EU CRA compliant

The European Union Cyber Resilience Act (CRA) is the first regulation aimed at horizontally bolstering security across all products with digital elements (PDEs) placed on the EU market. The EU CRA applies to all commercial PDEs except for a few product categories already covered by pre-existing regulations, such as medical devices and products built for defense or national security. The landmark act is the first of its kind to mandate sweeping compulsory compliance, backed by fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.

Modern IoT environments require modern solutions

The default update tools provided by cloud and IT vendors often seem like a logical starting point. But relying on these solutions alone leaves critical security, scalability, and compliance gaps. While cloud platforms and desktop update systems have played a vital role in transforming software delivery, they were never designed for the realities of smart, connected products operating in a cyber-physical world. Under the EU Cyber Resilience Act, the shortcomings of these tools can lead directly to non-compliance.

If a single update can fail on a fleet of near-identical desktop machines, imagine the failure rate across a global fleet of diverse IoT devices, each with different chipsets, memory constraints, and connectivity profiles.

IoT environments dramatically amplify this complexity. IoT products exist in diverse, resource-constrained, and often disconnected environments—remote surveillance cameras, industrial robots, smart energy grids—where the assumptions of stable connectivity, uniform hardware, and centralized management simply don’t hold. Yet, under the CRA, manufacturers are now responsible for issuing secure, timely software updates across these fragmented ecosystems. As the EU CRA redefines the standards for digital product security in the EU, it's clear that tools built for cloud or IT management fall short in achieving compliance for IoT products.

Adapting to the unique nature of IoT environments

In the IT world, updates typically assume always-on connectivity, ample storage, and a controlled hardware landscape. But IoT devices are deployed on fishing vessels, inside smart meters, in agricultural fields, or across national infrastructure; they may only connect intermittently, be powered by batteries, or operate with tight memory and processing constraints. A software update strategy that assumes uniformity and stable conditions simply doesn’t translate.

Unlike traditional IT systems, IoT products operate across highly variable, decentralized, complex, and resource-constrained environments. Devices may differ in hardware architecture, operating systems, memory, connectivity capabilities, and power availability. The heterogeneity within IoT products makes managing software updates fundamentally different from cloud or desktop environments.

IoT devices often operate without stable internet access, as with maritime sensors or cameras in remote infrastructure, so cloud or desktop update tools that assume persistent, high-bandwidth connectivity are of little use. More critically, IT update solutions lack features that are essential for IoT: automated rollback (reverting to the last known-good version when a new image fails to boot or confirm a healthy start, so the device is never bricked), delta updates (transmitting only the difference between the installed and target images to save bandwidth), and granular deployment controls (phasing rollouts by timezone, geography, device group, or device-specific behavior). Each of these has device-side prerequisites: rollback depends on a dual-slot (A/B) storage layout and a bootloader that tracks whether the new image committed, and a delta update can only be applied when the device holds exactly the base version the delta was computed against.

The EU CRA was drafted specifically to enforce security amidst this level of complexity. To ensure long-term product security, manufacturers must continuously monitor and update their devices, regardless of the fleet size or fragmentation. However, that’s only possible with an update strategy tailored to the IoT ecosystem, where a purpose-built over-the-air (OTA) update infrastructure accounts for real-world complexity and constraints and the dynamic security posture of connected products.

Trying to retrofit a cloud or desktop solution to handle IoT updates often results in inconsistent rollouts, increased failure rates, and unacceptable downtime. Under the EU CRA, update failure isn’t just inconvenient; it’s a liability. The regulation requires manufacturers to deliver security updates promptly for the product's support period (at least five years, or the expected product lifetime if that is shorter). Anything less risks compromising user safety, product integrity, and regulatory compliance. For IoT devices, EU CRA compliance demands a purpose-built update infrastructure that can handle the complexity of physical and digital environments and the evolving threat landscape ahead.

Public cloud services: Building blocks, but not complete solutions

Many public cloud providers offer IoT services marketed as end-to-end solutions, including remote management and OTA updates. However, when compared against the EU CRA requirements, it’s clear these offerings are only partial solutions. At best, public cloud services provide building blocks for a fully-compliant strategy; at worst, they create gaps that manufacturers must fill themselves, often at significant risk and cost.

Public cloud IoT platforms typically provide SDKs and cloud-side APIs for managing communication or sending jobs to devices. The device-side software, arguably the most critical piece for secure and reliable updates, is often minimal or missing. Manufacturers are left to build the device-side functionality themselves, including handling update integrity, rollback, fail-safes, and compliance auditing.
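To make the missing device-side pieces concrete, here is an added example (not Mender's client code, and not part of the original post) of the minimum an update agent has to do: verify an artifact before touching flash, write only to the inactive slot of a dual-slot (A/B) layout, and let the bootloader roll back automatically if the new firmware never confirms a healthy boot. Everything here is constructed for illustration; in particular, the HMAC-SHA256 check under a pre-shared key is an assumed stand-in for the asymmetric signature a real agent would verify against a pinned vendor public key, and `MAX_BOOT_ATTEMPTS` is an assumed bootloader boot-count limit.

```python
"""Dual-slot (A/B) firmware update agent: added, constructed example.

Models the device-side work a cloud-only IoT SDK leaves to the manufacturer:
integrity check before install, writing only to the inactive slot, and
automatic rollback when the new image never commits. HMAC under a pre-shared
key stands in for signature verification (assumption, to stay stdlib-only).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

VERIFY_KEY = b"constructed-demo-key"  # constructed; a real agent pins a public key
MAX_BOOT_ATTEMPTS = 3                 # assumption: bootloader boot-count limit


@dataclass
class Artifact:
    version: str
    image: bytes
    mac: bytes  # authenticator over version||image, made by the build server


def _mac(version: str, image: bytes) -> bytes:
    return hmac.new(VERIFY_KEY, version.encode() + image, hashlib.sha256).digest()


def build_artifact(version: str, image: bytes) -> Artifact:
    """Build-server side: package an image with its authenticator."""
    return Artifact(version, image, _mac(version, image))


@dataclass
class Device:
    slots: Dict[str, Optional[str]] = field(default_factory=lambda: {"A": "1.0.0", "B": None})
    active: str = "A"               # slot the bootloader selects by default
    pending: Optional[str] = None   # slot written but not yet committed
    boot_attempts: int = 0
    log: List[str] = field(default_factory=list)

    def running_version(self) -> str:
        return self.slots[self.active]

    def install(self, art: Artifact) -> bool:
        """Verify, then write to the inactive slot only; the active slot is untouched."""
        if not hmac.compare_digest(_mac(art.version, art.image), art.mac):
            self.log.append(f"reject {art.version}: integrity check failed")
            return False
        inactive = "B" if self.active == "A" else "A"
        self.slots[inactive] = art.version
        # The write above is idempotent, so a power loss mid-install just means it
        # is repeated; only marking the slot pending changes what boots next.
        self.pending, self.boot_attempts = inactive, 0
        self.log.append(f"installed {art.version} to slot {inactive}, awaiting commit")
        return True

    def boot(self, healthy: Callable[[str], bool]) -> str:
        """One boot cycle. healthy(version) stands in for the new firmware's
        post-boot self-check (for example, reaching its backend) and commit."""
        if self.pending is None:
            return self.running_version()
        self.boot_attempts += 1
        if self.boot_attempts > MAX_BOOT_ATTEMPTS:
            # Boot count exhausted without a commit: the bootloader reverts on its own.
            self.log.append(f"rollback: slot {self.pending} never committed, keeping {self.active}")
            self.pending = None
            return self.running_version()
        candidate = self.slots[self.pending]
        if healthy(candidate):
            self.active, self.pending = self.pending, None
            self.log.append(f"committed {candidate} in slot {self.active}")
        else:
            self.log.append(f"boot {self.boot_attempts} of {candidate} did not commit")
        return candidate  # running but unconfirmed; a watchdog reset follows


def apply_update(dev: Device, art: Artifact, healthy: Callable[[str], bool]) -> str:
    """Install, then reboot until the update commits or the bootloader rolls back."""
    if not dev.install(art):
        return dev.running_version()
    while dev.pending is not None:
        dev.boot(healthy)
    return dev.running_version()


if __name__ == "__main__":
    dev = Device()
    good = build_artifact("2.0.0", b"constructed image v2")
    apply_update(dev, good, lambda v: True)                    # commits 2.0.0
    bad = build_artifact("2.1.0", b"constructed image v2.1")
    apply_update(dev, bad, lambda v: v != "2.1.0")             # rolls back to 2.0.0
    tampered = Artifact("2.2.0", b"modified image", good.mac)
    apply_update(dev, tampered, lambda v: True)                # rejected before install
    print("\n".join(dev.log))
```

The three scenarios in the usage block are the ones a cloud-side "send job to device" API does not cover on its own: a good image commits and swaps the active slot, an image that boots but never passes its self-check is abandoned after the boot-count limit without operator intervention, and an image whose authenticator does not match is refused before any flash is written.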

This do-it-yourself model may work for limited, tightly controlled deployments. But for EU CRA compliance, it also creates a fragile system. Each new product, firmware revision, or device variant demands repeat integration, testing, and validation, which isn't scalable or secure by default.

Additionally, cloud-centric solutions introduce long-term risk by creating vendor dependence, or lock-in. As providers evolve their platforms, deprecate services, or raise prices, OEMs may find themselves trapped in an ecosystem that no longer meets evolving requirements like the EU CRA. Since cloud solutions are typically not purpose-built for regulatory compliance, security responsibilities fall squarely on the manufacturer, increasing liability exposure.

In the context of the EU CRA, relying solely on public cloud IoT services for secure updates is an incomplete approach. The framework may exist, but the OEM remains responsible for its structural integrity.

Build for the future with a robust purpose-built OTA update infrastructure

The EU CRA imposes sweeping requirements on every connected product placed on the EU market, wherever it is designed or manufactured. Keeping up with its obligations calls for comprehensive security measures, minimal downtime, and a secure-by-default configuration supported by a robust feature set. Establishing a secure, scalable management infrastructure with robust OTA update capabilities is essential to remaining compliant.

Implementing robust OTA update capabilities gives OEMs a durable path to compliance and a foundation for long-term success and leadership in the IoT market.