Cyber Resilience Act compliance assured: How our IoT sensors meet the new EU security standards

In today’s hyperconnected world, wireless IoT sensors form the backbone of smart infrastructure across industries – from manufacturing and agriculture to healthcare and smart cities. As these devices proliferate, so do concerns about their security vulnerabilities. The European Union’s Cyber Resilience Act (CRA) represents a watershed moment for IoT manufacturers, establishing clear cybersecurity requirements for products with digital elements.

We recognise that the CRA isn’t merely a regulatory hurdle but an opportunity to build trust, enhance product quality, and differentiate in an increasingly competitive market. This article explores how our approach to sensor design and manufacturing aligns with the CRA’s requirements, ensuring that our products not only comply with regulations but exceed expectations for security and reliability.

Understanding the EU Cyber Resilience Act

The EU Cyber Resilience Act (Regulation EU 2024/2847), formally proposed in September 2022 and expected to come into full effect by 2025, aims to establish a comprehensive framework for cybersecurity requirements for products with digital elements throughout their lifecycle. This legislation responds to the increasing number of cyber incidents and the growing interconnectedness of digital devices.

For IoT sensor manufacturers, the CRA introduces several key obligations:

1. Security by design: Products must be designed with cybersecurity as a fundamental consideration from the outset.
2. Risk assessment: Manufacturers must conduct thorough risk assessments and implement appropriate security measures.
3. Vulnerability management: Processes must be in place to identify, document, and address vulnerabilities throughout the product lifecycle.
4. Security updates: Products must be capable of receiving security updates for a reasonable period.
5. Documentation and transparency: Clear documentation about security features and practices must be provided to users.
6. Conformity assessment: Products must undergo assessment procedures to demonstrate compliance.

Our approach to CRA compliance

Secure by design architecture

Our newest generations of NB-IoT and Bluetooth Low Energy sensors incorporate security at the foundational level. Rather than treating security as an add-on feature, we’ve architected our sensors with security as a core design principle:

• Minimal attack surface: We’ve adopted a minimalist approach to firmware, including only essential components and eliminating unnecessary and unused features that could introduce vulnerabilities.
• Secure boot process: Our sensors implement secure boot mechanisms that verify the integrity of firmware before execution, preventing the loading of tampered software.
• No unused hardware interfaces: Our sensors are designed without any unused hardware interfaces (such as USB ports) that could potentially be exploited for unauthorised access, significantly reducing the physical attack surface of the devices.
• Tamper resistant hardware: Our newest NB-IoT sensors include a built-in anti-tampering switch. If the device is opened, the owner can be notified immediately.

Comprehensive data protection

Data security is paramount in our design philosophy, addressing the CRA’s requirements for protecting sensitive information:

• End to end encryption: Data transmitted by our sensors over Bluetooth Low Energy is encrypted using industry-standard protocols (AES-256), ensuring that information remains confidential from point of collection to final destination.
• Cryptographic data signing: Each sensor is equipped with a unique private key securely stored in its hardware. All measurements and data transmissions are cryptographically signed using this private key before transmission, allowing the Efento Cloud platform to verify the authenticity and origin of each data point. This ensures that only data from legitimate sensors is processed and prevents data spoofing or injection attacks.
• Secure storage: Local data storage employs encryption and access controls to protect information at rest.
• Data minimisation: Our sensors collect only the data necessary for their intended function, reducing the risk associated with excessive data collection and storage.

Resilient communication protocols

Communication security is often the weakest link in IoT deployments. Our sensors address this vulnerability through:

• Secure NB-IoT communication: Our NB-IoT sensors establish secure connections through private Access Point Names (APNs), creating isolated communication channels that are segregated from public internet traffic, with additional layers of encryption applied to all data transmitted over these channels.
• Bluetooth Low Energy security: Data transmitted by our sensors over Bluetooth Low Energy is encrypted using industry-standard protocols (AES-256), ensuring that information remains confidential from point of collection to final destination

Vulnerability management & updates

The CRA emphasises the importance of ongoing security management throughout a product’s lifecycle:

• Automated vulnerability scanning: Our development process includes automated scanning tools that identify potential vulnerabilities in both code and third-party components.
• Over-the-Air (OTA) update: Secure OTA capability enables remote patching of security vulnerabilities without physical access to deployed sensors.
• Cryptographically signed updates: All firmware updates are digitally signed to prevent the installation of unauthorised or malicious code.
• Update verification: Before applying updates, sensors verify the integrity and authenticity of the new firmware package.
• Rollback protection: Prevention of downgrading to vulnerable firmware versions protects against known exploit reintroduction.
• Extended support commitments: We provide security updates for a minimum of five years from product release, exceeding typical industry standards.

Authentication and access control

Robust authentication mechanisms ensure that only authorised Efento Cloud users and systems can access our sensors:

• Role based access control: Different permission levels can be assigned to different users of Efento Cloud. Additionally, users (or API tokens) can be restricted to accessing data from only specifically selected sensors.
• Session management: Automatic timeout of inactive sessions reduces the risk window for unauthorised access. This is the case for both Efento Cloud (users are logged out in case of inactivity) and connection to sensors with mobile app over Bluetooth (sensor brakes the connection)
• Comprehensive audit trails: All actions performed within the Efento Cloud platform are logged in audit trails. Each log entry contains detailed information including: the specific user who performed the action, the exact timestamp of the action, the nature of the action performed and the affected resource. These audit trails are protected against tampering and can be exported for compliance verification or security incident investigations.
• Unique device passwords: When accessing or changing the settings of Efento sensors with mobile application over Bluetooth, it is necessary to provide device password.  Each sensor comes with a unique password. These passwords are generated during manufacturing and are not based on predictable patterns or serial numbers. This eliminates the security vulnerabilities associated with default or user-created passwords. Additionally, the sensors employ a defense mechanism against brute force attacks. This protection features a back off timer that progressively increases if multiple incorrect password attempts are made during connection attempts. This escalating delay will ultimately prevent an attacker from successfully connecting to the sensor.

Documentation and transparency

The CRA requires clear communication about security features and practices:

• Comprehensive security documentation: We develop and keep detailed documentation of security features, recommended deployment practices, and risk mitigation strategies accompanies all our products.
• Vulnerability disclosure policy: We maintain a clear policy for reporting and addressing security vulnerabilities, including timeframes for remediation. 

Testing and validation

To meet our healthcare and pharmaceutical customers’ requirements, we adopted high standards for quality and security assurance well before the CRA came into effect (read more about Efento Cloud GxP compliance). Our key mechanisms include:

• Penetration testing: Our in-house security team regularly conducts penetration testing on our products (sensors firmware, Efento Cloud and mobile app) to identify potential vulnerabilities.
• Automated testing: Continuous integration includes automated security testing to catch issues early in development.
• Field testing: Security features are tested in real-world deployment scenarios to ensure practical effectiveness.
• Standardised development and deployment flow: We have implemented a standardised development and deployment methodology that minimises the risk of human errors. This includes:
  • Automated code reviews using static analysis tools
  • Code review and approval process for code changes
  • Standardized build environments with integrity verification
  • Automated configuration management with drift detection
  • Continuous validation of security controls throughout the pipeline
  • Version-controlled documentation synchronised with code changes
  • Comprehensive test coverage requirements enforced by the CI/CD pipeline

Future directions

Looking ahead, we’re investing in several areas to further enhance our security posture:

• AI enhanced security monitoring: Developing machine learning capabilities to detect anomalous behavior that might indicate compromise.
• Quantum resistant cryptography: Researching and implementing cryptographic algorithms resistant to quantum computing attacks to ensure the devices security in the future.
• Edge based threat detection: Implementing advanced anomaly detection directly on our sensors to identify and respond to potential security threats in real-time, without requiring cloud connectivity.
• Security lifecycle management: Developing comprehensive solutions for secure decommissioning and data erasure at end-of-life, ensuring that retired devices don’t become security liabilities.

Conclusion

The EU Cyber Resilience Act represents a significant step forward in ensuring the security of connected devices. Rather than viewing compliance as a burden, we see it as an alignment with our core values of building trustworthy, reliable, and secure IoT sensors.

By implementing comprehensive security features—from secure-by-design architecture to end-to-end encryption, from robust authentication to tamper resistance—we’re not just meeting regulatory requirements but fulfilling our responsibility to customers and end-users.

As the IoT landscape continues to evolve, so will our approach to security. Through continuous innovation, rigorous testing, and transparent communication, we remain committed to setting the standard for secure wireless IoT sensors in the age of the EU Cyber Resilience Act and beyond.

This article reflects our understanding of the EU Cyber Resilience Act as of its current form. As the legislation evolves, our security practices and product features will adapt accordingly to maintain compliance and maximize security.