CRA: what to require when procuring IoT/connected hardware?
Short answer: When procuring IoT and connected hardware, require the product to comply with the Cyber Resilience Act: CE marking, a completed conformity assessment with an EU declaration of conformity, a secure-by-default configuration and security updates throughout the stated support period. Fix these requirements and the supplier's incident reporting duty in your contracts before the Regulation applies in full on 11 December 2027.
The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024 and sets cybersecurity requirements for products with digital elements made available on the EU market. IoT and connected hardware (sensors, gateways, smart devices, trackers and telematics) fall within scope. The obligations rest primarily with manufacturers, importers and distributors. As a buyer you cannot assume their compliance, but you can require proof of it at procurement and protect yourself that way.
What to require explicitly
For every purchase, request proof of CE marking and a completed conformity assessment, including the EU declaration of conformity the manufacturer issues for the product. Require a secure-by-default configuration, so the device is set up securely on delivery. Stipulate that the supplier states the support period, issues security updates throughout it and remediates vulnerabilities without undue delay; under the CRA the support period is in principle at least five years, unless the product is expected to be in use for less. Ask for the accompanying technical documentation and user information. The technical documentation must include a software bill of materials (SBOM) covering at least the product's top-level dependencies, which gives you insight into the software components you are bringing into your environment.
What to fix in your contracts
Build the CRA requirements into your procurement terms, purchase orders and renewals. Set out who is responsible for updates, for how long, and how vulnerabilities are reported to you. From 11 September 2026 the CRA obliges manufacturers to report actively exploited vulnerabilities and severe incidents to ENISA and the relevant CSIRT, and to inform impacted users. Agree that your supplier informs you without delay when such a report affects your equipment, and what remediation or mitigation you can expect and within what time.
Timeline and approach
The obligations apply in phases: notification of conformity assessment bodies from 11 June 2026, the reporting duty from 11 September 2026, and full application from 11 December 2027. From that date, connected hardware placed on the EU market must comply with the CRA. Map now which connected products you procure and from whom, and ensure your contracts are in order well before December 2027.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj
  Regulation (EU) 2024/2847 (Cyber Resilience Act); in force 10 December 2024, full application 11 December 2027.
- https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
  European Commission, Cyber Resilience Act policy page.
Read next
Does my telematics hardware fall under the Cyber Resilience Act?
Yes. Telematics, trackers and IoT devices are products with digital elements and fall under the Cyber Resilience Act (Regulation (EU) 2024/2847). The Regulation applies in full from 11 December 2027.
Cyber Resilience Act: which deadline applies when?
The CRA (Regulation (EU) 2024/2847) entered into force on 10 December 2024. Key dates: notification of conformity assessment bodies 11 June 2026, reporting obligation 11 September 2026, full application 11 December 2027.
Cyber Resilience Act: what must I require from my suppliers?
Require suppliers of trackers, telematics and IoT to provide proof of CE marking, conformity assessment, a secure-by-default configuration and update guarantees for the support period. Fix reporting duties and liability in your contracts before full application on 11 December 2027.