The European Union is getting serious about the cybersecurity of connected devices. The EU Cyber Resilience Act (CRA) is the most comprehensive law ever passed for the security of IoT devices – that is, connected everyday devices. And it directly affects what many of us use daily: alarm systems, surveillance cameras, smart door locks and Smart Home systems.
“Your alarm system protects you from burglars – but who protects your alarm system from hackers?”
What is the EU Cyber Resilience Act?
The Cyber Resilience Act is an EU regulation that establishes binding cybersecurity requirements for all products with digital elements – that is, for every device that has a network connection. The law was adopted in October 2024 and its obligations take effect in stages.
The core requirements of the CRA:
- Security by Design: Cybersecurity must be integrated into product development from the outset – not retrofitted afterwards.
- Mandatory security updates: Manufacturers must provide security updates throughout the entire expected product lifetime.
- Reporting obligation for vulnerabilities: Actively exploited security vulnerabilities must be reported to the EU cybersecurity agency ENISA within 24 hours.
- No default passwords: Devices may not be delivered with default passwords such as “admin/admin”.
- Transparency: Manufacturers must maintain a software bill of materials (SBOM) and publish security information.
Timeline: when does what come into force?
From 11 September 2026, all manufacturers must comply with the reporting obligation for vulnerabilities. From 11 December 2027, all products sold in the EU must meet the full CRA requirements – including Security by Design, update obligations and documentation. ENISA (European Union Agency for Cybersecurity) is the designated recipient of the 24-hour vulnerability reports.
Which devices are affected?
The CRA applies to virtually all connected devices. Particularly relevant for the security technology sector:
- Surveillance cameras (IP cameras, doorbell cameras, NVR systems)
- Alarm systems with network connection (Wi-Fi, GSM, LAN)
- Smart door locks and electronic access control systems
- Motion detectors and sensors with wireless connection
- Smart Home gateways and hubs
- Smoke detectors and water sensors with network functionality
The CRA distinguishes between “normal” and “critical” products. Alarm systems and access control systems fall into the higher category and are subject to stricter testing requirements – including external audits.
What this means for alarm systems and cameras
For consumers, the CRA is good news: going forward, you can trust that connected security devices really are cyber-secure. Specifically, the following will change:
End of “plug and pray”
Previously, manufacturers could sell cheap IP cameras with default passwords and without encryption. Such devices are a gateway for hackers – in the worst case, strangers can use your own camera against you. The CRA puts an end to this: every device must be securely configured out of the box.
Mandatory security updates
Does this sound familiar: a camera installed three years ago has not received an update in two years? In future, that will no longer be legal. Manufacturers must deliver updates over the entire product lifecycle. Those who cannot or will not do so may no longer sell in the EU. We have already looked at how important regular updates are for data protection.
Transparency about the security situation
In future, manufacturers must disclose which software components are in their devices. This makes it possible for security experts and consumers to assess the actual security situation.
Cheap cameras vs. professional systems – the gap widens
The CRA will change the market. Cheap no-name cameras and alarm systems from the Far East, previously sold via online marketplaces, will have a significantly harder time. That is because the CRA requirements incur costs – for development, testing, audits and long-term provision of updates.
“Cheap is not inexpensive – and certainly not secure.”
The consequence for consumers: anyone investing in an alarm system or camera system should rely on manufacturers who demonstrably meet the CRA requirements. Protexium works exclusively with European-certified manufacturers who already meet or exceed the upcoming standards today.
The CRA applies to new products placed on the market from December 2027. Already-installed devices are not affected – but may no longer receive updates if the manufacturer leaves the market. If your system is older than 5 years, a security check is worthwhile.
How Protexium already meets the CRA
For Protexium customers, little changes due to the CRA – because we already meet most of the requirements today:
- Certified systems: All Protexium installations are certified to EN 50131 and meet the highest European security standards.
- Encrypted communication: Our wireless systems use encrypted radio protocols – no open Wi-Fi, no insecure Bluetooth.
- Regular updates: Firmware updates are pushed centrally via the monitoring centre – you do not have to worry about anything.
- No default passwords: Every system is configured individually during installation – with its own credentials and two-factor authentication.
- European manufacturers: We work exclusively with manufacturers who produce in the EU and proactively implement the CRA.
“Cybersecurity is not a feature – it is a basic prerequisite. At Protexium, this has always been the case.”
Checklist: is your security technology CRA-ready?
Check your existing system with these questions:
- Were the default passwords changed during installation?
- Is the firmware up to date?
- Does the system use encrypted communication (no open Wi-Fi)?
- Is there a named manufacturer with support in the EU?
- Do you receive regular security updates?
- Is the app connection secured with two-factor authentication?
- Was the system installed and configured professionally?
If you answer more than two questions with “no” or “I do not know”, you should have your system checked. Protexium offers a free security check – also for existing systems from other providers.
Conclusion: more security for everyone – if you choose the right partners
The EU Cyber Resilience Act is an important step for the security of connected devices. It forces manufacturers to take cybersecurity seriously – and protects consumers from insecure cheap products that pose more risk than protection.
“A lock that can be hacked is not a lock – it is an invitation.”
For you as a consumer this means: rely on security technology from certified providers who already meet tomorrow’s standards today. And have existing systems checked regularly – physical security and cybersecurity belong together.