IoT Companion Apps and Their Link to the CRA
Many Internet of Things (IoT) devices rely on companion mobile or desktop apps for setup, control, and data display. If you develop such an app, the EU Cyber Resilience Act (CRA) has implications for both the app and potentially its interaction with the IoT device.
The Companion App as a PDE
Your companion app itself is a "product with digital elements" (PDE) under the CRA, as it is software that connects to a network and/or the IoT device (Article 3, Point 1). Therefore, all of the CRA's essential cybersecurity and vulnerability handling requirements (Annex I) apply directly to the app's design, development, and maintenance.
Secure Communication is Key
The interaction between your companion app and the IoT device is a critical security point:
- Secure Pairing/Connection: The process of connecting the app to the IoT device must be secure to prevent unauthorized pairing or man-in-the-middle attacks.
- Authenticated and Encrypted Communication: Data exchanged between the app and the IoT device (commands, status updates, user data) must be protected for confidentiality and integrity, likely through encryption and authentication (Annex I, Part I, Point 2d, 2e, 2f).
- Firmware Updates via App: If your app is used to deliver firmware updates to the IoT device, both the app's update delivery mechanism and the process on the device need to be secure to prevent malicious firmware from being installed (Annex I, Part II, Point 7).
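The last two points above (integrity-protected data exchanged with the device, and an app-mediated update path that cannot be used to push malicious firmware) come down to concrete checks the app must run before it forwards anything to the device. The following Go program is an added illustration, not code from the original article or from any particular vendor: it models a vendor-signed firmware manifest (Ed25519 signature over device model, version and SHA-256 image hash) and the verification the companion app performs with the vendor's public key embedded in the app. The device model name, version numbers and image bytes are constructed sample values; the key pair generated at start-up stands in for a vendor signing key that in practice would live offline, with only the public half shipped in the app.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareManifest describes one image the vendor publishes for a device model.
// The signature covers Model, Version and ImageHash, so none of them can be
// altered in transit (or by a compromised download server) without detection.
type FirmwareManifest struct {
	Model     string
	Version   uint32
	ImageHash [32]byte
	Signature []byte // Ed25519 signature over signedBytes()
}

// signedBytes serialises the fields the signature protects in a fixed layout.
func (m *FirmwareManifest) signedBytes() []byte {
	var buf bytes.Buffer
	buf.WriteString(m.Model)
	buf.WriteByte(0) // separator so model and version cannot run together
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	buf.Write(v[:])
	buf.Write(m.ImageHash[:])
	return buf.Bytes()
}

// SignManifest is the vendor-side step (hypothetical helper; in production this
// runs in a release pipeline with an offline key, never inside the app).
func SignManifest(priv ed25519.PrivateKey, m *FirmwareManifest) {
	m.Signature = ed25519.Sign(priv, m.signedBytes())
}

// BuildSignedRelease constructs a manifest for an image and signs it.
func BuildSignedRelease(priv ed25519.PrivateKey, model string, version uint32, image []byte) *FirmwareManifest {
	m := &FirmwareManifest{Model: model, Version: version, ImageHash: sha256.Sum256(image)}
	SignManifest(priv, m)
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrImageHash    = errors.New("image hash does not match manifest")
)

// VerifyUpdate is what the companion app runs before forwarding an image to the
// device: vendor signature, model match, anti-rollback, then image integrity.
// The signature is checked first so that nothing else is trusted from an
// unauthenticated manifest.
func VerifyUpdate(vendorPub ed25519.PublicKey, m *FirmwareManifest, image []byte, deviceModel string, installedVersion uint32) error {
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Model != deviceModel {
		return ErrWrongModel
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	return nil
}

func main() {
	// Constructed demo: the key pair stands in for the vendor's signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // sample image bytes
	m := BuildSignedRelease(priv, "sensor-x1", 2, image)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, image, "sensor-x1", 1))
	fmt.Println("truncated image:", VerifyUpdate(pub, m, image[:len(image)-1], "sensor-x1", 1))
	fmt.Println("downgrade attempt:", VerifyUpdate(pub, m, image, "sensor-x1", 2))
	tampered := *m
	tampered.Version = 3 // bumped after signing, so the signature no longer matches
	fmt.Println("edited manifest:", VerifyUpdate(pub, &tampered, image, "sensor-x1", 1))
}
```

The device should repeat the signature and hash checks itself before flashing, since the app is only one hop in the update path and may itself be compromised; the app-side check shown here stops bad images earlier and gives the app a clear point at which to log and report a failed update.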
Who is Responsible for the IoT Device Itself?
The CRA applies to "products with digital elements." If the IoT device itself also meets this definition (which it almost certainly does), its manufacturer has separate CRA obligations.
- Your Due Diligence: As the developer of the companion app