
Vulnerability Management 

Vulnerability Management is essential for maintaining the security and resilience of products with digital components. Manufacturers must regularly assess risks to identify cybersecurity threats and vulnerabilities that could impact the safety, privacy or availability of their products.

Once risks are identified, organizations must take action to fix these issues, ensuring the products remain secure throughout their lifecycle. This includes ongoing monitoring for new threats and updating products as needed, following CRA guidelines. With these proactive measures, companies strengthen the security of their products and help protect the wider ecosystem from evolving cyber risks.


Understanding Vulnerability Management

An IoT manufacturer must implement a structured vulnerability management process to ensure device security throughout its lifecycle. Guidelines are elaborated in Annex I and Annex II of the CRA. This includes:

1. Maintain a Complete SBOM (Software Bill of Materials)
  • Generate and update a full SBOM for every firmware release, listing all third-party libraries, open-source components, and dependencies.
  • Use tools like Syft to automate SBOM generation, producing the SBOM in a standard format such as SPDX or CycloneDX.
  • Store the SBOM in a machine-readable format (JSON/XML) so it can be fed into automated security scanning.

2. Track Newly Disclosed Vulnerabilities
  • Continuously monitor CVE databases (e.g., NVD, MITRE CVE, OSV) for vulnerabilities affecting components in the SBOM.
  • Use automated vulnerability scanners like Grype, Trivy, or Anchore to check firmware and dependencies for known CVEs.
  • Subscribe to vendor security mailing lists (e.g., Linux Kernel, OpenSSL, BusyBox) and threat intelligence feeds.

3. Assess Impact & Risk Prioritization
  • Map discovered vulnerabilities to affected firmware versions and evaluate their exploitability.
  • Use CVSS scoring to assess risk and determine whether an immediate fix is required.
  • If the vulnerability is remotely exploitable or impacts critical functionality (e.g., authentication, encryption, network stack), escalate its priority.

4. Publish Security Advisories & Disclosures
  • When a vulnerability is confirmed, issue a Security Advisory detailing:
    – Affected firmware versions and device models.
    – CVE ID, impact assessment, and workaround (if applicable).
    – Timeline for patch release and mitigation steps.
  • Publish advisories on the company website and industry forums, and notify customers via email or an API-driven security feed.

5. Release Patches & Mitigations
  • Provide a signed firmware update containing the patched version, and deliver it securely using A/B partitioning, RAUC, or Mender.
  • For devices that cannot receive firmware updates, suggest mitigations such as network segmentation, firewall rules, or configuration changes.
  • Ensure updates are cryptographically signed and verified (for example with Ed25519 or RSA signatures) to prevent supply chain attacks.
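Steps 1 through 4 above describe a pipeline: read the SBOM, match its components against a vulnerability feed, rank the hits by CVSS with an escalation for remotely exploitable or security-critical components, and draft the advisory fields. The script below is an added example written for this page, not tooling from the CRA or from any of the products named above. The CycloneDX document, the vulnerability feed entries and the `CVE-0000-000x` identifiers are all constructed placeholders, and the `CRITICAL_COMPONENTS` mapping is an assumption standing in for a real product's architecture; a production pipeline would take the SBOM from Syft and the matches from Grype or Trivy, which also handle version ranges rather than the exact-version match used here.

```python
"""Triage a CycloneDX SBOM against a vulnerability feed and draft advisory fields."""
import json
from dataclasses import dataclass, field

# Constructed CycloneDX-style SBOM for a hypothetical firmware image (not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "gateway-firmware", "version": "2.3.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "busybox", "version": "1.35.0", "purl": "pkg:generic/busybox@1.35.0"},
    {"type": "library", "name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"}
  ]
}
"""

# Constructed vulnerability feed. The identifiers are placeholders, not real CVE records.
VULN_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "affected": ["1.1.1k"], "fixed": "1.1.1l",
     "cvss": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "CVE-0000-0002", "package": "busybox", "affected": ["1.35.0"], "fixed": "1.36.0",
     "cvss": 5.5, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "CVE-0000-0003", "package": "zlib", "affected": ["1.2.11"], "fixed": "1.2.12",
     "cvss": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
]

LEVELS = ["low", "medium", "high", "critical"]

# Assumed mapping of components to the critical functions named in step 3;
# a real product derives this from its own architecture documentation.
CRITICAL_COMPONENTS = {"openssl": "encryption", "dropbear": "authentication", "lwip": "network stack"}


@dataclass
class Finding:
    cve: str
    component: str
    version: str
    fixed_in: str
    cvss: float
    vector: str
    priority: str
    reasons: list = field(default_factory=list)

    @property
    def immediate_fix(self) -> bool:
        """High and critical findings go out as an out-of-band patch release."""
        return self.priority in ("high", "critical")


def parse_components(sbom_json: str):
    """Return (product metadata, {component name: version}) from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    product = bom["metadata"]["component"]
    components = {c["name"]: c["version"] for c in bom.get("components", [])}
    return product, components


def base_priority(cvss: float) -> str:
    """Map a CVSS base score onto the usual severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def escalate(level: str) -> str:
    """Raise a priority by one band, saturating at critical."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def is_remote(vector: str) -> bool:
    """CVSS v3.x vectors carry AV:N when the flaw is reachable over the network."""
    return "AV:N" in vector.split("/")


def triage(sbom_json: str, feed: list) -> list:
    """Match feed entries against installed components and rank the hits (step 3)."""
    _, components = parse_components(sbom_json)
    findings = []
    for v in feed:
        installed = components.get(v["package"])
        if installed is None or installed not in v["affected"]:
            continue  # component absent, or installed version outside the affected set
        priority = base_priority(v["cvss"])
        reasons = []
        if is_remote(v["vector"]):
            reasons.append("remotely exploitable (AV:N)")
        if v["package"] in CRITICAL_COMPONENTS:
            reasons.append(f"affects {CRITICAL_COMPONENTS[v['package']]}")
        if reasons:  # step 3: escalate once if either condition holds
            priority = escalate(priority)
        findings.append(Finding(v["id"], v["package"], installed, v["fixed"],
                                v["cvss"], v["vector"], priority, reasons))
    findings.sort(key=lambda f: (-LEVELS.index(f.priority), -f.cvss))
    return findings


def draft_advisory(product: dict, f: Finding) -> dict:
    """Fill the advisory fields from step 4; workaround and timeline are completed by the team."""
    return {
        "product": f"{product['name']} {product['version']}",
        "cve": f.cve,
        "affected_component": f"{f.component} {f.version}",
        "fixed_in": f.fixed_in,
        "severity": f.priority,
        "impact": "; ".join(f.reasons) or f"CVSS {f.cvss}",
        "action": "out-of-band patch release" if f.immediate_fix else "fix in next regular release",
        "workaround": "TBD",
    }


if __name__ == "__main__":
    product, _ = parse_components(SBOM_JSON)
    for finding in triage(SBOM_JSON, VULN_FEED):
        print(json.dumps(draft_advisory(product, finding), indent=2))
```

Running the script prints two advisory drafts: the OpenSSL entry is lifted from high to critical because its vector is network-reachable and the component is on the critical list, while the BusyBox entry stays medium and is scheduled for the next regular release; the zlib entry is dropped because the installed version is not in the affected set.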

Overview of key elements, enforcement and requirements

While most of the CRA's requirements will be enforced from February 2027, the vulnerability management and incident reporting obligations will be enforced from November 2025.

Vulnerabilities must be reported to ENISA, which oversees CERT-EU. IoT device manufacturers are required to provide a single point of contact (SPOC) for security-related communications. This SPOC should offer clear guidance on installing security patches or updates, specify the duration of the support period, and include a comprehensive Software Bill of Materials (SBOM). This measure is particularly important, as IoT device manufacturers are now obligated to maintain their products even after they have been placed on the market.

Furthermore, all products must be accompanied by a mandatory risk analysis. The technical documentation must also include architectural drawings, the SBOM and all other technical details of the update mechanism, together with the risk analysis itself.

A SPOC is responsible for coordinating the national application of the CRA. The SPOC will act as the intermediary between the national authorities and the European Commission, ensuring smooth reporting of cybersecurity incidents, including vulnerabilities and cyberattacks. This central authority will manage communication with manufacturers and oversee the implementation of compliance measures, as well as assist with incident response and enforcement of the act’s requirements across digital products. 

  • Annex I defines the essential requirements. They are subdivided into requirements for security product properties and for vulnerability handling. All vulnerabilities should be patched or remediated through security updates.

  • Annex V mandates detailed requirements on the technical documentation, which is mandatory for the CE mark. That documentation should describe the update mechanism.

Key elements

  • Coordinated Vulnerability Disclosure: Manufacturers must create a policy for reporting product vulnerabilities, including a clear channel for third parties to submit reports. Shared vulnerability information should be communicated with relevant organizations.

  • Single Point of Contact: Manufacturers must provide a single point of contact for users to report vulnerabilities. If vulnerabilities are identified in third-party or open-source components, the manufacturer must notify the component maintainer.

  • Importer & Distributor Responsibilities: Importers and distributors must report identified vulnerabilities to manufacturers.

  • Good Faith Security Research: The CRA encourages Member States to protect security researchers from legal liabilities for their efforts.

  • Bug Bounty Programs: Manufacturers are encouraged to adopt coordinated disclosure programs with recognition and compensation for vulnerability reports, known as bug bounty programs.

  • International Standards: Vulnerability disclosure programs should align with standards like ISO/IEC 29147 and ISO/IEC 30111 to ensure transparency and efficiency.

Vulnerability management requirements

  • Identification of Vulnerabilities: Manufacturers must implement processes to identify vulnerabilities throughout the product lifecycle.

  • Regular Updates and Patching: Products must allow for timely security updates to address vulnerabilities post-release.

  • Vulnerability Disclosure Policy: Manufacturers need a clear process for receiving and addressing vulnerability reports from external parties.

  • Risk Assessment and Mitigation: Ongoing evaluation and mitigation of risks related to newly discovered vulnerabilities or emerging threats.

  • Post-Market Surveillance: Monitoring and responding to security risks for products already in use, ensuring long-term protection.

  • Secure End-of-Life Management: Manufacturers must provide security updates for a defined period even after the product's sale or support ends.

Compliance and Standards

At the core of the Cyber Resilience Act is vulnerability management. Manufacturers are required to ensure security by design and security by default, which means building cybersecurity features into the development process of their products. Additionally, the CRA enforces CE marking for cybersecurity, ensuring that devices meet a minimum set of standards before entering the market. Non-compliance can result in significant fines and product recalls, which could affect business operations and market reputation. Global manufacturers must align with these standards to ensure their devices are market-ready. Moreover, the CRA aligns with existing regulations like the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS2). While GDPR focuses on personal data protection, the CRA targets overall device integrity and resilience, ensuring that the vast networks of IoT devices do not become entry points for cyberattacks.

The CRA enforces mandatory cybersecurity standards for all digital products, from design to end-of-life. Manufacturers must perform ongoing risk assessments, implement secure-by-design principles and address vulnerabilities proactively. Importantly, compliance includes a requirement for CE marking on digital products, ensuring they meet cybersecurity regulations before they are sold within the European market.

Penalties for non-compliance can be severe, with fines reaching up to 2.5% of global turnover for failing to address serious vulnerabilities. The act is aligned with broader EU frameworks, including the NIS2 Directive, reinforcing overall digital resilience across Europe. This harmonized approach simplifies compliance for businesses, ensuring they meet a unified standard rather than navigating a patchwork of national regulations.

Presumption of Conformity

Article 18 of the Cyber Resilience Act (CRA), "Presumption of Conformity", establishes that products complying with specific harmonized standards or European cybersecurity certifications are presumed to meet CRA requirements, including vulnerability management obligations. This means that manufacturers following recognized standards for vulnerability identification, risk assessment, patch management and secure updates will be deemed compliant with the CRA’s cybersecurity requirements. For vulnerability management, adhering to these standards ensures that processes for detecting, disclosing and mitigating vulnerabilities are aligned with regulatory expectations, streamlining compliance and reducing legal risks.

While this streamlines compliance for manufacturers, its broad scope leaves room for varied interpretation and potential gaps in thorough testing. The presumption relies on cross-references to specific requirements in other documents, and if these are met, the CRA's essential requirements are considered fulfilled. These standards are critical but need to be carefully tailored for effective cybersecurity enforcement. The standards are published as so-called EU "harmonized standards" and are issued by CEN/CENELEC. The list can be found here. If there is no suitable standard that could be declared "harmonized", the EU itself can define substitutes, which are then called "common specifications". A certificate issued under a cybersecurity certification scheme as defined in the CRA likewise gives presumption of conformity for CE marking.

Possible candidates for standards and certification schemes that could serve as "presumption of conformity":

Education and Awareness

Education is critical for ensuring that manufacturers, developers, and end-users understand the cybersecurity risks embedded in everyday devices. The CRA emphasizes the importance of providing training programs for all stakeholders, including software developers, manufacturers and even consumers. By raising awareness about vulnerability management, these efforts reduce the likelihood of oversights that could result in security breaches. Educating developers on how to perform vulnerability assessments and regular security updates is key. Additionally, fostering consumer awareness around the safe use and maintenance of IoT devices helps prevent avoidable security lapses, such as not applying necessary patches.

The CRA emphasizes training and skill development to ensure that manufacturers, developers and operators can effectively identify, assess, and mitigate vulnerabilities. It also promotes public awareness campaigns aimed at educating consumers about the risks associated with insecure digital products. Additionally, organizations must train their staff on secure coding practices, vulnerability disclosure procedures, and the importance of regular security updates. These initiatives not only help meet regulatory requirements but also foster a more resilient workforce capable of addressing emerging cybersecurity threats.

Tools and Technologies

The CRA pushes organizations to adopt advanced vulnerability management tools that continuously monitor systems for flaws and breaches. Key tools include:

  • Vulnerability Scanners: Automated tools that identify weaknesses in systems and software, providing critical insights for timely patching.

  • Patch Management Solutions: Ensure that vulnerabilities are addressed promptly through regular updates, reducing exposure to known exploits.

  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Monitor and actively prevent potential attacks in real time, safeguarding critical systems.

  • Security Orchestration, Automation, and Response (SOAR) platforms: Automate threat detection and response, streamlining the process of managing cybersecurity incidents.

  • Endpoint Detection and Response (EDR): By monitoring device activity and detecting anomalies, these tools help secure the growing number of connected devices in IoT ecosystems.

Furthermore, AI-driven technologies are becoming indispensable in analyzing massive volumes of security data, identifying patterns and responding to incidents faster than traditional human-centric approaches. Integrating these tools is not only a matter of compliance but also a strategic advantage in preventing costly breaches.
