Does the CRA apply to all our IoT products?

The CRA applies to all products with digital elements placed on the EU market that are not excluded (e.g. products already covered by sector-specific legislation like medical devices under MDR). This includes consumer IoT, industrial IoT, and smart infrastructure. Check whether your products fall under an exemption - if in doubt, assume the CRA applies.

How do we handle devices that cannot be remotely updated?

If a product cannot receive OTA updates, you must document the manual update process and communicate it clearly to customers. For Critical vulnerabilities in products that cannot be patched, you may need to offer replacement, provide network-level mitigations, or communicate the risk clearly enough that customers can make an informed decision. The CRA expects manufacturers to design products with update capability - this will be enforced on future products.

What is a Software Bill of Materials (SBOM) and do we need one?

An SBOM is a machine-readable inventory of all software components in your product, including open-source libraries, third-party SDKs, and firmware components. The CRA's Annex I references the need to identify and document product components. Maintaining an SBOM makes it much faster to assess your exposure when a new CVE is published for a component. SPDX and CycloneDX are the dominant formats.

Can a single CVD policy cover all our IoT product lines?

Yes. A single policy can cover multiple product lines provided the scope section lists all applicable products. If different products have significantly different update mechanisms or EOL dates, consider product-specific addenda rather than entirely separate policies.

What triggers Article 14 reporting for an IoT vulnerability?

Article 14 is triggered when you become aware that a vulnerability in your product is actively being exploited in the wild, or when there is a severe security incident. For IoT, this could include large-scale botnet activity exploiting your devices, active exploitation of authentication bypasses, or incidents affecting critical infrastructure customers. The 24-hour early warning window starts when you become aware - document when you first learned of the exploitation.

← All templates

Free Template

CVD Policy Template for IoT Manufacturers

A CVD policy template tailored to the specific challenges of IoT and connected device manufacturers: long product lifespans, constrained firmware update mechanisms, heterogeneous fleets, and supply chain complexity. Structured for CRA compliance.

Article 13 · Article 14 · Annex I · Article 13

ForIoT device manufacturers, connected hardware vendors, and embedded systems companies placing products with digital elements on the EU market

CRA Articles

Article 13Article 14Annex IArticle 13

Policy Statement

Article 13(1)

[COMPANY NAME] develops and manufactures connected devices and IoT products. We are committed to the security of our products throughout their supported lifecycle and maintain this Coordinated Vulnerability Disclosure (CVD) policy in compliance with the EU Cyber Resilience Act (Regulation (EU) 2024/2847) and ISO/IEC 29147.

Given the nature of embedded and connected devices - including long deployment lifespans, constrained update mechanisms, and physical access considerations - we place particular emphasis on timely firmware updates, clear end-of-support communication, and supply chain vulnerability coordination.

Note

IoT manufacturers face heightened CRA scrutiny because vulnerabilities in deployed devices can persist for years. Signalling awareness of the specific challenges (lifecycle, firmware, physical access) in your policy statement builds credibility.

Scope - Products and Firmware

Article 13(4), Article 13

This policy covers all [COMPANY NAME] connected products, including:

[PRODUCT LINE 1] (model [X], firmware [X.X] and later)
[PRODUCT LINE 2] (hardware revision [Y], firmware [X.X] and later)
Associated mobile applications (iOS and Android)
Associated cloud services and APIs at [DOMAIN]
OTA (over-the-air) update infrastructure

End-of-life products: Products that have reached end-of-support are excluded from this policy. See our product lifecycle page at [EOL URL]. For products within 12 months of EOL, we will continue to address Critical and High severity vulnerabilities.

Excluded from scope:

Vulnerabilities requiring physical destruction of the device
Vulnerabilities in third-party firmware stacks not distributed by [COMPANY NAME]
Products modified from their factory configuration

Note

IoT scope statements must address firmware versions explicitly. Old firmware on deployed devices can be a significant source of vulnerabilities. Defining EOL handling is critical - the CRA expects you to maintain security for the product's supported life.

How to Report a Vulnerability

Article 13(1)

Report vulnerabilities in [COMPANY NAME] products via:

Portal (preferred): [VULNERABILITY DISCLOSURE PORTAL URL] Email: [[email protected]] PGP key: Fingerprint [FINGERPRINT], available at [PGP KEY URL]

For hardware-specific or firmware vulnerabilities, please include:

Device model and hardware revision (printed on device label)
Firmware version (visible in device settings or [HOW TO FIND IT])
Network configuration at time of discovery (local network / cloud-connected / air-gapped)
Whether physical access to the device was required
Reproduction steps including any tools or equipment needed

For supply chain or component-level vulnerabilities (e.g. a vulnerability in a chipset, RTOS, or third-party library), please include the component name and version if known.

Note

IoT researchers need specific guidance on firmware and hardware version identification - this information is often buried in menus or printed on labels. Reducing friction in the reporting intake improves report quality and researcher experience.

Response Commitments and Firmware Update Process

Article 13, Article 13

[COMPANY NAME] commits to the following:

| Milestone | Target | |---|---| | Acknowledgment | Within 48 hours | | Initial triage and severity assessment | Within 5 business days | | Firmware update or mitigation plan | Within 30 days for Critical/High | | Status updates to reporter | At least every 30 days | | OTA firmware update release | As soon as practicable | | Security advisory publication | On or after firmware update |

Firmware update delivery: [COMPANY NAME] delivers security updates via OTA (over-the-air) firmware updates. Updates are pushed automatically to all devices running affected firmware versions where auto-update is enabled. For devices with auto-update disabled, customers are notified via [EMAIL / MOBILE APP NOTIFICATION / DASHBOARD].

Devices without OTA capability: For products that do not support OTA updates ([LIST MODELS]), security updates are delivered via [MANUAL DOWNLOAD PROCESS / SERVICE CENTRE PROCEDURE].

Note

IoT manufacturers must explain their firmware update delivery mechanism. Regulators and customers need to know how a patch reaches deployed devices. If you have devices without OTA, document the manual path - ignoring it is not an option under the CRA.

Safe Harbour

[COMPANY NAME] authorises security research conducted in good faith on our products in accordance with this policy. We will not pursue legal action against researchers who:

Purchase or otherwise legitimately obtain [COMPANY NAME] products for testing
Limit testing to their own devices or devices for which they have explicit owner permission
Do not attempt to access other users' devices, cloud accounts, or data
Do not perform denial-of-service attacks on production infrastructure or other users' devices
Report findings to us before public disclosure
Comply with applicable law

Physical hardware modification beyond normal operation (e.g. JTAG, UART, firmware extraction via chip-off) is permitted for research on owned devices, provided you do not use findings to access or harm other users' devices.

Note

IoT safe harbour must address hardware research explicitly. Researchers legitimately perform chip-level analysis, JTAG debugging, and firmware extraction. Prohibiting this would make your programme unusable for hardware security researchers - exactly the people most likely to find critical vulnerabilities.

Supply Chain and Component Coordination

Article 13(4)

IoT products contain significant third-party components: chipsets, real-time operating systems (RTOS), communication stacks, and third-party libraries. [COMPANY NAME] maintains a Software Bill of Materials (SBOM) for its products and monitors component vulnerability feeds.

Where a reported vulnerability originates in an upstream component:

We will notify the upstream vendor or maintainer within [5] business days of confirming the vulnerability.
We will coordinate disclosure timing with the upstream party.
We will report to ENISA if the component vulnerability meets Article 14 thresholds, regardless of upstream remediation status.
We will publish our own advisory noting the upstream component CVE and our fix status.

If you discover a vulnerability that you believe originates in a component (e.g. a specific chipset or RTOS), please include the component name, manufacturer, and version in your report.

Note

Supply chain vulnerability management is an explicit CRA requirement for IoT. Many IoT vulnerabilities originate in shared components (e.g. SDK vulnerabilities affecting thousands of device models). Document your component monitoring and coordination process.

End-of-Life and Legacy Device Policy

Article 13, Annex I

[COMPANY NAME] provides security support for each product for a minimum of [5] years from the date of last sale in the EU.

Our product end-of-life process:

12 months before EOL: We announce EOL status on our website and notify registered owners.
At EOL: We cease regular software updates. Critical vulnerabilities may still receive patches at our discretion.
Post-EOL: We publish a final advisory summarising known unpatched vulnerabilities for retired products to allow customers to make informed decisions about replacement.

Current EOL dates for all products are maintained at [EOL SCHEDULE URL].

For legacy products that cannot receive security updates: we recommend [NETWORK SEGMENTATION / REPLACEMENT / COMPENSATING CONTROLS].

Note

The CRA requires manufacturers to provide security updates for a period commensurate with expected product lifetime, which for IoT can be 10+ years. Document your EOL policy explicitly. The final advisory for retired products is an emerging best practice that demonstrates responsible stewardship.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free for Article 14 compliance.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?

CVD Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.

Set up your free portal

Related templates

CRA-Compliant CVD Policy Template

A comprehensive CVD policy structured specifically for the EU Cyber Resilience Act. Addresses Articles 13 and 14 obligations including 24-hour early warning, 72-hour full notification, and coordinated disclosure timelines.

CVD Policy Template for Industrial and OT Manufacturers

A CVD policy template for manufacturers of industrial control systems (ICS), SCADA components, PLCs, HMIs, and other operational technology (OT) products. Addresses the unique challenges of OT environments: operational continuity requirements, long deployment cycles, critical infrastructure obligations, and sector-specific regulatory coordination.

Coordinated Vulnerability Disclosure Policy Template

A complete coordinated vulnerability disclosure policy following ISO/IEC 29147 best practice and CRA Article 13. Covers the full disclosure lifecycle: intake, triage, remediation, and coordinated publication.

Vulnerability Reporting Process Template

An internal-facing vulnerability reporting process that documents how your security team handles incoming reports from intake through resolution. Complements your public CVD policy with operational procedures aligned to CRA Article 13 and 14.