Sector: Industrial & Manufacturing. Deadline: September 2026 (the CRA's vulnerability and incident reporting obligations apply from 11 September 2026; the remaining obligations, including CE marking, apply from 11 December 2027).

CRA Compliance Checklist: IoT Sensors & Connected Devices

Default Class (self-assessment) — most IoT sensors with limited functionality

IoT sensors (temperature, humidity, pressure, flow, and motion sensors) are the backbone of industrial and building automation. Most fall into the Default CRA class, but check Annex III before assuming this: a motion sensor sold as part of a smart home alarm system, for example, belongs to a listed important-product category. Constrained hardware often makes meeting the Annex I security requirements challenging, so manufacturers must plan for authenticated, signed update mechanisms even on resource-constrained devices.

13 checklist items, 11 high priority.

1. Scope & Hardware Constraints

Confirm whether the sensor has a direct or indirect data connection to a device or network (wired, wireless, or via a hub); if it has none, it is outside CRA scope

Priority: high. Reference: Article 3(1).

The CRA applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Article 2(1)). A standalone sensor with no such connection, such as an analogue-only transmitter, is not in scope; a sensor that is reachable through a gateway is.

Assess hardware capabilities for implementing cryptographic functions (TLS, signature verification)

Priority: high. Reference: Annex I, Part I(4).

Constrained microcontrollers (e.g. ARM Cortex-M0/M0+) have the cycles and RAM for an elliptic-curve signature check (ECDSA P-256 or Ed25519) in software, but a full TLS/DTLS handshake or RSA-2048 may need hardware acceleration or a secure element. Pick the algorithms before the silicon: a part without a true random number generator or protected key storage will struggle with both device authentication and update signing.

Document which security requirements cannot be met in current hardware revision and plan next-gen architecture

Priority: medium. Reference: Annex I, Part I.

If current hardware cannot support required security features, document the plan to address this in future product generations.

2. Product Security

Implement device authentication using unique per-device credentials or certificates

Priority: high. Reference: Annex I, Part I(3).

Each sensor must authenticate to the gateway or cloud backend with a credential unique to that unit (a per-device certificate and key pair, or a per-device pre-shared key for PSK-mode DTLS). Shared group keys are not acceptable: extracting one key from one sensor would let an attacker impersonate the whole fleet. Provision the credential during manufacturing and keep it in protected storage (secure element or locked flash region) so it cannot be read out over a debug port.

Encrypt all data transmitted from the sensor (DTLS for constrained devices, TLS for capable devices)

Priority: high. Reference: Annex I, Part I(4).

For resource-constrained sensors, DTLS 1.2/1.3 over UDP or OSCORE (object security for CoAP, RFC 8613) gives encrypted and authenticated communication with less overhead than TLS over TCP. Whichever you choose, restrict the cipher suites to AEAD modes (e.g. AES-CCM or ChaCha20-Poly1305) and tie the session to the per-device credential from the previous item.

Implement a firmware update mechanism: over the air if the hardware supports it, otherwise a local path (USB, serial, or a service port)

Priority: high. Reference: Annex I, Part I(9).

Even resource-constrained sensors require an update path. If OTA is not feasible, document a field-serviceable update procedure. If that procedure relies on a debug interface (JTAG/SWD), the interface must be locked or authenticated in production units; an open debug port is an attack surface in its own right, and the update path must not depend on leaving it open.

Verify firmware signatures before applying updates

Priority: high. Reference: Annex I, Part I(9).

Signature verification is required even for local updates. Verify the image before it is activated (typically: stage it in the inactive slot, verify, then swap), store the verification public key in immutable storage (OTP or a locked flash region), and refuse images whose version is not newer than the installed one, so that a correctly signed but vulnerable old release cannot be reinstalled. Use a hardware root of trust (secure boot) where the part supports it, so that the bootloader performing the check is itself verified.
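The two items above describe what the device-side check has to do; the following is an added example, not code from this page or from any manufacturer's product. It defines a minimal signed-image format and the verification routine in Go so it can be run on a workstation (a real bootloader would perform the same steps in C against a key held in OTP). The header layout, the choice of Ed25519, the 256 KiB slot size and the sample payload are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout (integers big-endian):
//   "SFW1"[4] | version uint32 | payloadLen uint32 | sha256(payload)[32] | ed25519 sig[64] | payload
// The signature covers the whole header, so version and length are authenticated too.
const (
	magic      = "SFW1"
	headerLen  = 4 + 4 + 4 + sha256.Size
	sigLen     = ed25519.SignatureSize
	maxPayload = 256 * 1024 // assumed size of the sensor's inactive flash slot
)

var (
	ErrFormat    = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version not newer than installed")
	ErrDigest    = errors.New("firmware: payload digest mismatch")
)

// Sign runs on the build server; the private key never reaches a device.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	sum := sha256.Sum256(payload)
	copy(hdr[12:], sum[:])
	img := append(hdr, ed25519.Sign(priv, hdr)...)
	return append(img, payload...)
}

// Verify is the device-side check, run on the staged image before it is activated.
// pub is the key the device holds in immutable storage; installed is the running version.
func Verify(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, error) {
	if len(img) < headerLen+sigLen || string(img[:4]) != magic {
		return 0, ErrFormat
	}
	hdr, sig, payload := img[:headerLen], img[headerLen:headerLen+sigLen], img[headerLen+sigLen:]
	// 1. Authenticate the header first; every field read afterwards is then trusted.
	if !ed25519.Verify(pub, hdr, sig) {
		return 0, ErrSignature
	}
	version := binary.BigEndian.Uint32(hdr[4:8])
	plen := binary.BigEndian.Uint32(hdr[8:12])
	if plen > maxPayload || int(plen) != len(payload) {
		return 0, ErrFormat
	}
	// 2. Anti-rollback: a correctly signed but older image is refused, otherwise an
	//    attacker could reinstall a release with known vulnerabilities.
	if version <= installed {
		return 0, ErrRollback
	}
	// 3. Bind the authenticated digest to the bytes actually received.
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], hdr[12:]) {
		return 0, ErrDigest
	}
	return version, nil
}

// SelfTest exercises the accept path and the three reject paths with a constructed
// payload (not a real firmware image); it returns nil when every case behaves as required.
func SelfTest() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	payload := []byte("constructed sample firmware payload, not a real image")
	good := Sign(priv, 2, payload)
	if v, err := Verify(pub, 1, good); err != nil || v != 2 {
		return fmt.Errorf("valid image rejected: %v", err)
	}
	tampered := append([]byte(nil), good...) // flip a payload byte: header verifies, digest does not
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Verify(pub, 1, tampered); !errors.Is(err, ErrDigest) {
		return fmt.Errorf("tampered payload: got %v, want %v", err, ErrDigest)
	}
	bumped := append([]byte(nil), good...) // raise the version without re-signing: signature fails
	binary.BigEndian.PutUint32(bumped[4:8], 99)
	if _, err := Verify(pub, 1, bumped); !errors.Is(err, ErrSignature) {
		return fmt.Errorf("forged version: got %v, want %v", err, ErrSignature)
	}
	if _, err := Verify(pub, 2, Sign(priv, 1, payload)); !errors.Is(err, ErrRollback) {
		return fmt.Errorf("rollback: got %v, want %v", err, ErrRollback) // genuine old release refused
	}
	return nil
}

func main() {
	if err := SelfTest(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("all firmware verification cases behaved as expected")
}
```

The order of the checks matters: the signature is verified over the header before the version or length fields are trusted, so an attacker cannot inflate the length to overrun the slot or raise the version to defeat the rollback check without also forging the signature. The payload digest is checked last, after the cheap header checks, which keeps a flood of garbage images from costing a full SHA-256 pass each.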

Implement rate limiting and connection throttling to protect against DoS attacks

Priority: medium. Reference: Annex I, Part I(6).

Sensors must remain available under adverse network conditions and basic attack scenarios: bound the number of concurrent sessions and handshakes per second, drop unauthenticated traffic early, and make sure a flood of requests cannot exhaust RAM or stall the measurement loop.

3. CVD & Vulnerability Management

Publish a CVD policy covering all active IoT sensor product lines

Priority: high. Reference: Article 13(1).

Security researchers increasingly investigate IoT sensor firmware. A CVD policy creates a structured channel.

Define support periods per sensor model — consider 5–7 year operational lifetimes

Priority: high. Reference: Annex I, Part II(5).

Industrial IoT sensors are often deployed for many years. Support periods must reflect realistic operational lifetimes: the CRA sets a floor of five years unless the product is expected to be in use for a shorter time, and many industrial deployments run longer than that. State the period in the documentation and budget for security updates across it.

Build SBOM tracking into your firmware build pipeline for automated CVE monitoring

Priority: high. Reference: Article 10(6).

Automated SBOM generation at build time is far more reliable than manual tracking across many sensor variants.
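As an added example of the build-time step described above (not code from this page or from any manufacturer's pipeline), the following Go program turns a dependency manifest emitted by the firmware build into a minimal CycloneDX 1.5 document and then checks each component against a vulnerability feed by version. The manifest, the component names and the advisory entries are constructed for the example; the advisory IDs are placeholders and do not refer to real vulnerabilities.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one CycloneDX component object (minimal fields).
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

// BOM holds the subset of CycloneDX 1.5 JSON a firmware SBOM needs.
type BOM struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	Version     int    `json:"version"`
	Metadata    struct {
		Component Component `json:"component"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// manifest is a constructed build-time dependency list ("name version" per line);
// in a real pipeline the build system emits it from the linked library versions.
const manifest = `sensor-tls 3.5.2
sensor-netstack 2.1.3
sensor-coap 4.3.4
`

// Advisory is a constructed feed entry: component Name is affected below version Fixed.
// The IDs are placeholders, not real advisories.
type Advisory struct{ ID, Name, Fixed string }

var sampleFeed = []Advisory{
	{ID: "EXAMPLE-0001", Name: "sensor-tls", Fixed: "3.6.0"},      // 3.5.2 < 3.6.0: affected
	{ID: "EXAMPLE-0002", Name: "sensor-netstack", Fixed: "2.1.3"}, // 2.1.3 is the fixed release
}

// BuildBOM turns the manifest into a CycloneDX document for one firmware release.
func BuildBOM(product, productVersion, manifest string) (*BOM, error) {
	bom := &BOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", Version: 1}
	bom.Metadata.Component = Component{Type: "firmware", Name: product, Version: productVersion}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("manifest: expected \"name version\", got %q", line)
		}
		bom.Components = append(bom.Components, Component{
			Type: "library", Name: f[0], Version: f[1],
			PURL: fmt.Sprintf("pkg:generic/%s@%s", f[0], f[1]),
		})
	}
	return bom, nil
}

// ToJSON serialises the SBOM for archiving alongside the signed image.
func ToJSON(bom *BOM) (string, error) {
	b, err := json.MarshalIndent(bom, "", "  ")
	return string(b), err
}

// cmpVersion compares dotted numeric versions ("2.10.0" > "2.9.9"); non-numeric parts count as 0.
func cmpVersion(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Affected lists "advisory purl" pairs for every component below its fixed version.
func Affected(bom *BOM, feed []Advisory) []string {
	var hits []string
	for _, c := range bom.Components {
		for _, a := range feed {
			if a.Name == c.Name && cmpVersion(c.Version, a.Fixed) < 0 {
				hits = append(hits, a.ID+" "+c.PURL)
			}
		}
	}
	return hits
}

func main() {
	bom, err := BuildBOM("sensor-fw", "2.0.0", manifest)
	if err != nil {
		panic(err)
	}
	js, _ := ToJSON(bom)
	fmt.Println(js)
	fmt.Println("affected:", Affected(bom, sampleFeed)) // affected: [EXAMPLE-0001 pkg:generic/sensor-tls@3.5.2]
}
```

Running this as a build step, with the manifest generated from the actual link line, gives one SBOM per firmware release with no manual bookkeeping, and the same version comparison can be re-run against a refreshed feed for every release still within its support period. The purl scheme (`pkg:generic/...`) is a placeholder; use the ecosystem-specific type when the component comes from a package manager.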

4. CE Marking

Compile technical file with hardware security assessment, firmware SBOM, and risk assessment

Priority: high. Reference: Article 23, Annex V.

For a sensor product family, one technical file can cover multiple variants with the same security architecture.

Issue EU Declaration of Conformity and affix CE marking

Priority: high. Reference: Article 20, Article 22.

Wireless sensors already bear CE marking under the Radio Equipment Directive (RED), and wired ones under the EMC Directive; the CRA adds cybersecurity to the Union legislation the Declaration of Conformity has to cite. Where a product falls under several acts, a single DoC covering all of them is drawn up, so reissue the existing DoC once the CRA conformity assessment is complete rather than producing a separate cybersecurity declaration.

Track your IoT Sensors & Connected Devices compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Start your free portal

Frequently asked

Our sensors use Zigbee or Z-Wave — are they in scope even though they don't connect to the internet directly?

Yes. Sensors connecting to a local network (even a mesh radio network like Zigbee or Z-Wave) are in scope. 'Indirect' connectivity via a hub or gateway is sufficient to bring a device within CRA scope.

Can one CVD policy and CE marking cover our entire sensor product range?

Yes, provided all sensors in the range share the same security architecture and the technical documentation covers all variants. A single Declaration of Conformity can cover a product family with identical security properties.

Need a CVD policy for IoT Sensors & Connected Devices?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.

Browse templates →