Anna Maria Mandalari (University College London), Volker Stocker (Weizenbaum Institute)

The EU’s Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for products with digital elements, effectively acting as a security standard for the consumer Internet of Things (IoT). While standardization aims to reduce systemic vulnerabilities, security and privacy flaws in standardized requirements can be inherited at scale by widely deployed IoT products. In this paper, we analyze the CRA through the lens of standardized IoT security. We discuss implications for IoT standards and governance, stressing measurable security properties, automated evaluation, and supply-chain considerations. We argue that standardized IoT security cannot be treated as a purely procedural or compliance-driven exercise: regulatory ambiguity, limitations in conformity assessment scalability and harmonization, and gaps between formal compliance and real-world security outcomes risk turning standardization into a mechanism for scaling insecurity rather than mitigating it. Addressing these challenges requires sustained multidisciplinary research at the intersection of IoT standardization, security engineering, and governance, including systematic risk modeling approaches and the development of edge-centric threat models for local IoT environments.
