The Cyber-Resilience Act (CRA) is the EU's first horizontal law that legally mandates Secure-by-Design for products with digital elements. It sets clear obligations for confidentiality and integrity, but it deliberately avoids naming specific algorithms or key sizes. That raises an immediate question for device makers:

What exactly counts as “state-of-the-art” cryptography under the CRA?

Inspired by Markku-Juhani O. Saarinen’s paper “CRA and Cryptography: The Story Thus Far” (IACR ePrint 2025/2092), this post explains how European standardisation work is answering that question – and what it means for your products.

On June 27, 2025, the US Food and Drug Administration (FDA) published a landmark update to its premarket cybersecurity guidance, superseding the version from September 2023. This new document provides critical clarity for medical device manufacturers by consolidating previous guidances and formally defining the legal obligations for "cyber devices" under Section 524B of the FD&C Act.

On 16 June 2025, the UK's Information Commissioner's Office (ICO) published new draft guidance aimed directly at the manufacturers and developers of Internet of Things (IoT) products. This is a significant development for any company placing connected devices on the UK market, providing much-needed regulatory clarity on how data protection law applies to the IoT ecosystem.

On November 20, 2024, the Cyber-Resilience Act (CRA) was officially published in the EU's Official Journal as Regulation (EU) 2024/2847. This marks the final, formal step in a legislative process that will fundamentally reshape the market for connected devices.

The UK's Ministry of Defence (MOD) recently published a thought-provoking document via its Defence Science and Technology Laboratory (Dstl) that every product security leader should read: the Secure by Design Problem Book.

The NIS 2 Directive (EU 2022/2555) was published in the Official Journal of the EU in December 2022, officially replacing the original NIS Directive. This new legislation significantly expands the scope of Europe's cybersecurity rules, imposing stricter risk-management and reporting obligations on a wider range of critical sectors.

In a move with major implications for the connected device market, the European Commission published Delegated Regulation (EU) 2022/30 in January 2022. This act officially activated the dormant cybersecurity clauses within the Radio Equipment Directive (RED), turning what were once recommendations into hard legal requirements.

In a significant step forward for cybersecurity, ETSI formally published EN 303 645 in June 2020. This standard establishes a baseline for the security of internet-connected consumer devices, providing a practical, risk-based framework for manufacturers.

Welcome to the SecureByDesignHandbook.com project!