
Building Resilient IoT Systems Under the Cyber Resilience Act and RED


As edge environments grow more distributed and regulated, organizations face increasing difficulty securing, operating, and scaling complex IoT ecosystems. Aligned with the EU Cyber Resilience Act (CRA) and RED, CTHINGS.CO addresses this challenge through security-by-design and intelligent edge orchestration.

The EU Cyber Resilience Act (CRA) represents a major shift in how cybersecurity is governed for connected products. For the first time, manufacturers and solution providers are legally accountable for the security of products with digital elements across their entire lifecycle.

For organizations developing and operating IoT and edge solutions, this introduces a strategic question:

How do you ensure continuous security, operational control, and regulatory compliance across large, distributed device fleets, without increasing complexity or cost?

In this article, we go over the Cyber Resilience Act and the Radio Equipment Directive (RED), the specific challenges they create for IoT and edge deployments, and how organizations can meet these requirements in a scalable, business-ready way.

What is the Cyber Resilience Act?

The Cyber Resilience Act is an EU regulation designed to raise the baseline level of cybersecurity for connected hardware and software placed on the European market. It applies to a wide range of digital products, including IoT devices, embedded systems, and the software and services that support them.

Unlike earlier directives, the CRA focuses directly on product security and lifecycle responsibility. Manufacturers and solution providers are required to design products securely from the outset and maintain that security throughout deployment, operation, and updates.

The result is a harmonized cybersecurity standard across the EU - one that shifts security from a reactive activity to a core product and operational requirement.

What the Cyber Resilience Act requires

The CRA establishes clear expectations for how connected products must be built and managed:

  • Security must be embedded by design and by default
  • Vulnerabilities must be managed throughout the product lifecycle
  • Software updates must be secure, timely, and scalable
  • Organizations must maintain visibility, traceability, and accountability

Compliance is not a one-time exercise. It requires ongoing operational discipline and the ability to demonstrate control over deployed systems.

Beyond CRA: RED DA 2022/50 and EN 18031 in Practice

While the Cyber Resilience Act defines the future baseline for connected product security, organizations deploying wireless and radio-enabled devices already face mandatory cybersecurity requirements today.

The Radio Equipment Directive (RED) Delegated Act 2022/50, together with the EN 18031 standard, introduces explicit cybersecurity obligations for radio equipment, including many IoT and edge devices. These requirements focus on protecting networks, safeguarding data, and preventing misuse or unauthorized access.

Compliance with RED DA 2022/50 and EN 18031 is no longer optional. Organizations placing affected devices on the EU market must be able to demonstrate secure configurations, trustworthy update mechanisms, and effective vulnerability handling.

In practice, RED and CRA are complementary. RED establishes immediate, device-level cybersecurity obligations, while the Cyber Resilience Act extends these principles across the full product lifecycle. Together, they reinforce the need for consistent security, visibility, and lifecycle control across IoT and edge deployments.

Why compliance is challenging for IoT and edge deployments

Meeting these regulatory requirements is particularly complex in IoT and edge environments:

  • Devices are geographically distributed across multiple sites and environments
  • Connectivity may be intermittent or constrained
  • Software stacks span hardware, operating systems, containers, and applications
  • Device configurations must be tightly controlled to limit the attack surface in wireless environments
  • Manual update and monitoring processes do not scale

Without a centralized and standardized approach, security gaps emerge, operational costs increase, and compliance becomes difficult to maintain.

How Orchestra enables CRA and RED-ready IoT operations

To address these challenges, organizations need a solution that embeds security, lifecycle control, and visibility into day-to-day operations. This is where CTHINGS.CO’s Orchestra comes in. Designed for distributed IoT and edge environments, Orchestra brings security, lifecycle management, and operational visibility together in a single platform. Orchestra supports regulatory-ready operations with these capabilities:

  • Standardized application lifecycle management
    Orchestra implements containerized application lifecycle management to standardize how software is packaged, deployed, updated, and versioned. This reduces variability across devices and supports secure, repeatable updates aligned with CRA and RED requirements.
  • Strong device identity and secure communications
    Orchestra is built on a Zero Trust architecture, with mutual authentication (mTLS) and encrypted communications by default. This prevents unauthorized network access and protects radio-connected devices against spoofing, interception, and misuse.
  • Fleet-based management at scale
    Devices can be managed as fleets rather than individually, so security updates and configuration changes are applied consistently across large, distributed environments. This reduces the risk of misconfiguration and of unintended network or radio behaviour.
  • Controlled releases and version visibility
    Structured release management provides clear insight into what software is running where, enabling faster remediation and easier compliance reporting.
  • Centralized monitoring and operational control
    Orchestra delivers real-time visibility into device and application status, helping teams detect issues early, respond quickly, and maintain continuous control over their edge infrastructure.
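The mutual authentication described in the second capability above can be made concrete in a short program. The following Go code is an added example written for this article, not code from Orchestra or CTHINGS.CO: it builds a throwaway fleet PKI (a CA, a controller certificate and one device certificate; the names fleet-ca, controller and device-0042 are made up), starts a controller that refuses any peer whose certificate does not chain to the fleet CA, and then connects once as an enrolled device and once with no certificate at all. It assumes only the Go standard library and a loopback interface.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// mustCert issues a short-lived Ed25519 certificate, self-signed when parent is nil (the fleet CA)
// and otherwise signed by parent/parentKey; it panics on failure because this is a constructed demo PKI.
func mustCert(name string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the identity peers verify; the CN alone is legacy
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newFleetPKI builds the constructed PKI: a trust pool holding the fleet CA, the
// controller's certificate and one enrolled device ("device-0042" is a made-up name).
func newFleetPKI() (trust *x509.CertPool, controller, device tls.Certificate) {
	ca, caKey := mustCert("fleet-ca", x509.KeyUsageCertSign, nil, nil)
	srv, srvKey := mustCert("controller", x509.KeyUsageDigitalSignature, ca, caKey)
	dev, devKey := mustCert("device-0042", x509.KeyUsageDigitalSignature, ca, caKey)
	trust = x509.NewCertPool()
	trust.AddCert(ca)
	return trust, tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey}
}

// startController listens on loopback, requires every peer to present a certificate
// chaining to the trust pool, and returns its address. Peers are served one at a time.
func startController(serverCert tls.Certificate, trust *x509.CertPool) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual part of mTLS
		ClientCAs:    trust,
	})
	if err != nil {
		panic(err)
	}
	go func() {
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			// A peer with no certificate, or one from an untrusted issuer, fails the handshake.
			if tc := conn.(*tls.Conn); tc.Handshake() == nil {
				fmt.Fprintf(tc, "welcome %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			conn.Close()
		}
	}()
	return ln.Addr().String()
}

// connectAsDevice opens a session to the controller, presenting certs (nil for an
// unenrolled device), and returns the controller's reply.
func connectAsDevice(addr string, trust *x509.CertPool, certs []tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: trust, ServerName: "controller", Certificates: certs})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes its side of the handshake before the server has
	// checked the client certificate, so a rejection surfaces here, on the first read.
	reply, err := io.ReadAll(conn)
	return string(reply), err
}

func main() {
	trust, controller, device := newFleetPKI()
	addr := startController(controller, trust)
	fmt.Println(connectAsDevice(addr, trust, []tls.Certificate{device})) // welcome device-0042 <nil>
	fmt.Println(connectAsDevice(addr, trust, nil))                        // "" and a TLS error
}
```

The enrolled device is greeted by the identity carried in its certificate, while the connection without a certificate ends in a TLS alert. A certificate issued by a CA outside the trust pool is refused in the same way, which is the spoofing case the capability list refers to. Two points carry over to real fleets: the controller's acceptance decision is the chain check against the fleet CA and nothing else, so revocation and CA rotation have to be handled around it; and a device client must treat a failure on its first read after the handshake as an authentication failure, because TLS 1.3 reports the server's verdict only at that point.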

A business-ready foundation for regulatory compliance

The Cyber Resilience Act sets a new baseline for connected product security. Meeting it requires more than policy - it requires the right operational platform.

Orchestra provides organizations with a scalable, future-proof foundation to meet CRA and RED requirements while improving reliability, reducing risk, and simplifying operations.

Visit our website to learn how Orchestra supports secure, compliant IoT and edge deployments at scale.