Implementing CRA in Practice: Annex I, SBOM, OTA, and Key Management for IoT OEMs

Where Annex I lives — and the five responsibilities OEMs must actively own

Product Line

IoT Security

Published

2026-05-12

Read Time

min read

Key Takeaways

CRA requirements ultimately map to two areas: platform-level security capabilities and ongoing operational responsibilities.
Silicon vendors increasingly cover hardware-layer security capabilities, while OEMs remain responsible for operational security ownership across the product lifecycle.
For many IoT OEMs, the largest new gaps are cryptographic asset management and SBOM operations rather than firmware implementation itself.

CRA changes who owns cybersecurity responsibility

Many IoT OEMs already ship products with secure boot, encrypted communication, OTA updates, and access control. The EU Cyber Resilience Act (CRA) changes what those capabilities mean operationally.

Under CRA, cybersecurity becomes a long-term manufacturer responsibility tied directly to the CE mark. The OEM — not the silicon vendor, cloud provider, or contract manufacturer — becomes legally responsible for maintaining the product’s cybersecurity throughout its lifecycle.

After 11 September 2026, Article 14’s 24-hour reporting window becomes a legal obligation rather than an internal SLA. After 11 December 2027, products that do not meet Annex I requirements may no longer conform to CRA requirements for EU market access.

The EU Cyber Resilience Act places legal liability for product cybersecurity squarely on the manufacturer holding the CE mark. Top-tier breaches carry administrative fines up to €15M or 2.5% of global annual turnover for the preceding financial year, whichever is higher.

This article focuses on the engineering and operational view:

where Annex I requirements actually land
which responsibilities are solved during platform selection
which responsibilities OEMs must continuously operate throughout the product lifecycle

What CRA exposes inside many IoT programs

Many organizations still operate security-critical processes through manual or weakly governed workflows.

Typical examples include:

firmware signing keys stored on build servers
device certificate signing keys stored in databases
per-device keys generated in batches and shared with contract manufacturers manually
OTA encryption keys copied between systems without auditability
SBOMs assembled manually before release
no clearly assigned owner for vulnerability disclosure or Article 14 reporting

Before CRA, many of these were treated as internal operational weaknesses. Under CRA, they become manufacturer liability.

Article 14’s reporting obligations and Annex VII documentation requirements make traceability, ownership, and repeatable operational controls increasingly necessary at production scale.

Where Annex I requirements actually land

CRA requirements generally fall into two categories:

platform-level security capabilities
ongoing operational responsibilities

Platform security capabilities

REQUIREMENT	CRA WORDING	CRA REFERENCE
Secure boot & anti-rollback	Integrity of data, commands, programs and configuration	I.1(f)
Secure debug	Protection from unauthorized access; limit attack surfaces including external interfaces	I.1(d) + I.1(j)
Data confidentiality	Confidentiality of stored, transmitted or otherwise processed data	I.1(e)
Runtime integrity & exploitation mitigation	Integrity of data, commands, programs and configuration; availability of essential and basic functions; exploitation mitigation mechanisms	I.1(f) + I.1(h) + I.1(k)
Attack surface minimization	Limit attack surfaces including external interfaces	I.1(j)
Updatability mechanism	Vulnerabilities can be addressed through security updates	I.1(c)
Secure default configuration & event logging	Secure-by-default configuration; recording and/or monitoring relevant internal activity	I.1(b) + I.1(l)

Ongoing operational responsibilities

REQUIREMENT	CRA WORDING	REFERENCE
Identity, access control, and secure update operations	Protection from unauthorized access; vulnerabilities addressed through security updates	I.1(d) + I.1(c)
Software Bill of Materials (SBOM)	Drawing up a software bill of materials in a commonly used and machine-readable format	I.2(1)
Vulnerability handling	Address vulnerabilities without delay; coordinated vulnerability disclosure; early warning notification (24 h), vulnerability notification (72 h), final report (14 d)	I.2(2) + I.2(5) + Art 14
5-year minimum support	Handle vulnerabilities effectively for a support period of at least 5 years from placing on the market	Art 13(8)
10-year documentation retention	Technical documentation retained for 10 years from when the product was last placed on the market	Annex VII + Art 13(13)

The sections below explain what these requirements mean operationally for IoT OEMs.

Five responsibilities OEMs must actively own

The tables above show where Annex I requirements live. The sections below explain what they mean operationally — one capability largely decided during platform selection, and four ongoing operational responsibilities carried across the product lifecycle.

1. Silicon security foundation

Hardware security is the foundation; software cannot retrofit capabilities the silicon platform does not support.

Before committing to an SoC or MCU family, OEMs should verify the following capabilities.

Hardware root of trust

An isolated secure execution environment anchored by immutable boot ROM and hardware-validated TRNG.

Without it, integrity claims rely heavily on software assumptions that become difficult to defend.

Hardware-backed secure key storage

Private keys, device identities, and OTA decryption keys stored inside protected hardware boundaries such as secure elements, TrustZone, or PUF-derived storage.

Software-only key protection on a general-purpose MCU becomes increasingly difficult to defend as attack value rises.

Cryptographic acceleration

Hardware acceleration for AES, ECC (P-256/P-384), and SHA-256/384.

Software-only cryptography introduces meaningful latency and power overhead once TLS or per-message signing becomes part of the production data path.

Secure debug authentication and anti-rollback

Challenge-response debug authorization tied to immutable secure storage, plus rollback prevention mechanisms enforced during boot.

This prevents known-vulnerable firmware from being reinstalled after remediation.

HSM-compatible vendor toolchain

For OEMs operating HSM-backed signing infrastructure, vendor tooling should support workflows where private keys never leave protected hardware boundaries across:

firmware signing
OTA package encryption
secure provisioning
secure debug reopening

2. Cryptographic asset management

Keys and device certificates secure the product throughout its lifecycle. If a key leaks, the security model collapses regardless of how secure the silicon or firmware may be. Most IoT OEMs manage several classes of cryptographic assets across the product lifecycle.

Firmware signing keys

Used to authenticate firmware images and OTA updates before execution.

Certificate authority keys

Used to issue and manage device certificates across internal and external trust chains.

OTA encryption keys

Used to protect update payloads during distribution.

Secure debug authentication keys

Used to authorize controlled debug reopening for manufacturing, field service, and failure analysis. These assets are typically managed through four connected infrastructure components:

Hardware Security Modules (HSMs)
Key Management Systems (KMS)
Public Key Infrastructure (PKI)
Manufacturing provisioning infrastructure

CRA does not explicitly require HSMs or approval workflows. However, Article 14 reporting obligations and Annex VII documentation requirements make traceability, ownership, and operational governance increasingly difficult without them.

Each key class should have:

a clearly assigned owner
defined approval authority
documented backup and recovery procedures

Device-level traceability — knowing which firmware, keys, and certificates exist on each shipped unit — is not explicitly prescribed by CRA, but becomes the practical foundation for executing Article 14 reporting and Annex VII documentation obligations at production scale.

3. SBOM and vulnerability handling

Once an actively exploited vulnerability becomes known, Article 14 reporting timelines begin immediately. OEMs must be able to identify:

affected products
firmware versions
software components
deployment scope
impacted EU markets

Core operational capabilities typically include the following.

SBOM generation and storage

Per-build SBOM generation using machine-readable formats such as SPDX or CycloneDX, aggregated across product modules and retained historically.

Vulnerability intelligence

Monitoring:

NVD
silicon vendor PSIRT feeds
upstream open-source advisories

Silicon-level vulnerabilities frequently appear first through vendor PSIRT channels.

Coordinated Vulnerability Disclosure (CVD)

A public vulnerability reporting channel supported by an internal triage and response process.

Article 14 reporting procedures

Defined operational ownership for:

incident escalation
ENISA reporting
remediation coordination
customer communication

Submitting the 24-hour notification is only the beginning. Delivering remediation reliably to deployed devices is the larger operational responsibility — and for most connected IoT products, that means OTA.

4. OTA delivery

CRA does not explicitly require OTA capability. But for most connected IoT products, in-field manual remediation is impractical at production scale. In practice, OTA becomes the operational mechanism for executing CRA obligations across the product lifecycle.

OTA systems typically become responsible for:

firmware and configuration updates
vulnerability remediation
certificate and key rotation
rollback handling
incident-response deployment actions

Many OTA systems were originally designed for feature rollout rather than compliance-driven remediation. Security remediation introduces additional operational requirements:

cryptographic verification
staged deployment
deployment traceability
rollback control
recovery handling

5. Technical documentation lifecycle management

CRA documentation obligations extend far beyond product launch. EU market surveillance authorities may request the full conformity package up to ten years after the product was last placed on the EU market.

Typical Annex VII documentation includes:

architecture descriptions and threat models
conformity evidence for Annex I requirements
per-release SBOM history
vulnerability handling records
Article 14 incident logs

For many OEMs, documentation retention becomes a long-term operational system rather than a release-time deliverable.

Maintaining traceable historical records across multiple product generations often becomes an organizational and infrastructure challenge rather than a firmware challenge alone.

CRA changes what OEMs must continuously operate

Silicon vendors increasingly provide strong hardware security foundations through modern SoCs and reference designs. Most IoT OEMs already operate OTA infrastructure and release documentation processes.

For many teams, the largest operational gaps are:

cryptographic asset governance
SBOM operations
vulnerability coordination
lifecycle traceability

CRA ultimately shifts cybersecurity from isolated product features into continuous operational responsibility across the entire product lifecycle.

Need a working architecture for these five responsibilities?

A 30-minute conversation maps your current program against the Annex I operational baseline.

Bob Jiang

Co-Founder & President

Co-founded Snowball Technology to give IoT OEMs something the industry has been missing: a single platform to govern the digital assets a connected device depends on — keys, certificates, firmware, secure configs, SBOMs — across its entire lifecycle.