What the Cyber Resilience Act guidance means for connected products

The latest European Commission guidance on the Cyber Resilience Act sends a clear message to manufacturers of connected products: cybersecurity must be designed in from the start, maintained throughout the product lifecycle, and supported by demonstrable processes for risk management, vulnerability handling and ongoing support.

For organizations building, deploying and managing connected devices, this is a significant shift. The CRA is not simply another compliance exercise. It reflects a broader market reality that connected products can no longer rely on fragmented security controls, manual processes or assumptions of trust. Security has to be continuous, operational and scalable.

That matters especially in IoT and OT environments, where products often have long lifespans, depend on complex supply chains, rely on third-party components and remote services, and may remain in use for many years after deployment.

Lifecycle security is now a regulatory expectation

One of the clearest themes in the guidance is that cybersecurity does not end when a product is placed on the market. Manufacturers are expected to address security across the full lifecycle of the product, including vulnerability handling, support periods, software updates, technical documentation and ongoing risk assessment.

That is particularly important for connected products in industrial and operational settings. Devices in these environments are rarely static. They evolve through updates, configuration changes, ownership changes, new integrations and, in some cases, substantial modifications. The guidance makes clear that these changes may carry regulatory consequences and must be assessed carefully from a cybersecurity perspective.

For manufacturers, this means security can no longer be treated as a one-time design consideration. It must be supported as an ongoing discipline.

Risk assessment must be practical, documented and product-specific

Another major point in the guidance is the central role of the cybersecurity risk assessment. Manufacturers must identify relevant risks, assess their impact, implement appropriate mitigations and keep that assessment up to date. Importantly, the threshold is not based on a manufacturer’s internal risk tolerance or commercial preference, but on whether the product achieves an appropriate level of cybersecurity for its intended purpose and reasonably foreseeable use.

That has real implications for connected-device manufacturers. It means security decisions must be tied to how a product actually operates in the field, including the environments it connects to, the data it processes, the dependencies it relies on and the threats it may realistically face.

For Device Authority, this aligns closely with the need for identity-driven trust models in IoT and OT. If a manufacturer cannot establish trusted identities for devices, credentials, services and connections, it becomes much harder to enforce policy, protect communications, manage updates securely or demonstrate that cyber risks are being properly mitigated.

Third-party components and remote services do not reduce responsibility

The guidance is also explicit that manufacturers remain responsible for the security of the product as a whole, even where it relies on third-party software, hardware components, cloud platforms or remote data processing solutions. Those dependencies must be considered in the risk assessment, and manufacturers are expected to exercise due diligence to ensure they do not undermine compliance with the CRA’s essential cybersecurity requirements.

This is particularly relevant in modern IoT and OT ecosystems, where products often depend on cloud services for onboarding, command and control, updates, analytics, remote monitoring or identity and access management. The guidance distinguishes between remote data processing that is part of the product and third-party services that function more like external components, but in both cases the manufacturer must understand and mitigate the risks.

That creates a strong case for architectures built around machine identity, automated credentialing and policy enforcement. Where products depend on distributed services and external integrations, trust cannot be assumed. It must be established, verified and maintained continuously.

Support periods will put pressure on manual security models

The CRA guidance also clarifies that manufacturers must determine a support period during which vulnerabilities are handled effectively, and that this period must be at least five years unless the product is expected to be in use for less than five years. For products expected to remain in use longer, the support period should reflect that longer expected lifetime.

For connected-device manufacturers, this is a critical point. Many IoT and OT products remain in service for far longer than traditional IT assets. In those environments, manual certificate handling, inconsistent provisioning and ad hoc update processes quickly become operational liabilities.

As support obligations extend over years, the challenge is no longer just initial compliance. It is sustainable security operations at scale.

This is exactly where automation becomes essential. Managing identities, credentials, certificate rotation, secure communications and policy controls manually across a large installed base is costly, error-prone and difficult to audit. A lifecycle automation approach is far better suited to the operational reality the CRA is now reinforcing.

The bigger picture: compliance and resilience now go together

Perhaps the most important takeaway from the guidance is that the CRA is pushing manufacturers toward a more mature security model overall. Compliance is no longer about producing static documentation or passing a point-in-time check. It is about showing that security has been integrated into how products are designed, connected, updated and maintained over time.

For Device Authority, that is a highly relevant market signal.

The organizations best prepared for the CRA will be those that can establish trust in devices and services from the outset, automate credential and identity management at scale, secure communications across distributed environments, and maintain visibility and control throughout the product lifecycle.

In other words, the Cyber Resilience Act is not just raising the compliance bar. It is accelerating the need for a more operational, identity-centric approach to securing connected products.

And for manufacturers navigating complex IoT and OT environments, that shift is long overdue.

The European Commission has set a deadline of 13th April to receive feedback on this latest guidance. For more background you can also read our previous blog and find out more about our one-month Industry Proof of Value.