Vulnerability Management in Consumer IoT: Why No IoT Manufacturer Is Ready for CRA Vulnerability Management (And How to Fix It) (R02d)
This talk delivers critical insights from frontline analysis of EU Cyber Resilience Act (CRA) implementation, revealing that despite positive industry momentum, none of the major manufacturers assessed currently meets all eight CRA essential requirements for vulnerability handling. Drawing on an empirical assessment of leading brands, including Asus, Samsung, Apple, and GM, the talk exposes systematic gaps across the compliance lifecycle, from product release through the 10-year maintenance obligations.
Key insights include:
– 30% growth in adoption of vulnerability disclosure policies, yet critical failures persist in customer notification, vulnerability reporting mechanisms, and compliance with support period requirements.
– No existing international standard provides complete CRA coverage; manufacturers face a fragmented landscape that requires a meta-standard approach combining several standards.
– Eight actionable recommendations derived from hands-on work supporting manufacturers on their CRA preparations.
The talk addresses the disconnect between regulatory expectations and operational reality for consumer IoT, providing implementers, consultants, and policymakers with practical pathways to compliance through the CRA Basics initiative. Attendees gain concrete strategies for navigating technical challenges (SBOM maintenance, patch deployment, vulnerability detection) and organisational barriers (resource constraints, vendor dependencies, ROI justification) before the CRA's vulnerability handling obligations become fully enforceable.
