European Commission Publishes First Official CRA FAQ

· 7 min read
SBD Community
Maintainer

On 3 December 2025, the European Commission published its first Frequently Asked Questions document on the Cyber Resilience Act (CRA). This is the first official implementation guidance since the regulation was published in November 2024, and it provides important clarifications on how manufacturers should approach compliance.

The FAQ is a substantial document covering scope, product classification, manufacturer obligations, vulnerability reporting, conformity assessment, and timelines. For product teams preparing for the December 2027 deadline, Chapters 4 (Manufacturer Obligations) and 5 (Reporting) contain the most actionable guidance.

CRA Gets Teeth: Technical Definitions for Product Classes Now Official

· 3 min read
SBD Community
Maintainer

The European Commission has published Implementing Regulation (EU) 2025/2392, providing the detailed technical descriptions that define exactly which products fall into the CRA's "Important" and "Critical" risk categories. This is the first major piece of secondary legislation under the Cyber-Resilience Act, and it removes much of the ambiguity around product classification.

CRA & Cryptography: The Story So Far

· 6 min read
SBD Community
Maintainer

The Cyber-Resilience Act (CRA) is the EU's first horizontal law that legally mandates Secure-by-Design for products with digital elements. It sets clear obligations for confidentiality and integrity, but it deliberately avoids naming specific algorithms or key sizes. That raises an immediate question for device makers:

What exactly counts as “state-of-the-art” cryptography under the CRA?

Inspired by Markku-Juhani O. Saarinen’s paper “CRA and Cryptography: The Story Thus Far” (IACR ePrint 2025/2092), this post explains how European standardisation work is answering that question – and what it means for your products.

FDA Overhauls Medical Device Cybersecurity Guidance, Unifying Rules for 'Cyber Devices'

· 3 min read
SBD Community
Maintainer

On June 27, 2025, the US Food and Drug Administration (FDA) published a landmark update to its premarket cybersecurity guidance, superseding the version from September 2023. This new document provides critical clarity for medical device manufacturers by consolidating previous guidances and formally defining the legal obligations for "cyber devices" under Section 524B of the FD&C Act.

ICO Publishes New Guidance for IoT Device Manufacturers

· 3 min read
SBD Community
Maintainer

On 16 June 2025, the UK's Information Commissioner's Office (ICO) published new draft guidance aimed directly at the manufacturers and developers of Internet of Things (IoT) products. This is a significant development for any company placing connected devices on the UK market, providing much-needed regulatory clarity on how data protection law applies to the IoT ecosystem.