CRA vs. U.S. Cybersecurity Labeling

The EU’s Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) and the U.S.’s forthcoming Cybersecurity Labeling Program, anchored by the U.S. Cyber Trust Mark, both push for better security in connected products. The CRA is a mandatory regulation that binds manufacturers, importers and distributors placing products with digital elements on the EU market; the U.S. program is a voluntary labeling scheme for consumer IoT devices, intended to help buyers make safer choices and to nudge manufacturers toward security best practices.

The U.S. Cyber Trust Mark is administered by the FCC, with its technical baseline drawn from NIST’s consumer IoT criteria (NIST IR 8425). It is expected to launch in 2025 and will initially cover products such as smart TVs, routers, and home assistants.

Where the CRA and Cyber Trust Mark Overlap

  • SBOMs / Component Transparency
    • CRA: Required (Annex I, Part II). The manufacturer must draw up a machine-readable SBOM covering at least the top-level dependencies, keep it in the technical documentation, and provide it to market surveillance authorities on request.
    • U.S.: Recommended in NIST’s criteria (NIST IR 8425) as part of the product documentation outcomes, not mandated by the label itself.
  • Support Periods
    • CRA: Mandatory to determine a support period (Art. 13(8), expected to be at least five years unless the product is expected to be in use for less) and to declare its end date clearly and at the time of purchase (Art. 13(19)).
    • U.S.: Disclosure encouraged as part of the label; the label’s QR code links to a registry entry where the manufacturer can publish product details such as the support period.
  • Vulnerability Handling
    • CRA: Must implement a coordinated vulnerability disclosure policy and deliver security updates (Annex I, Part II), and must report actively exploited vulnerabilities and severe incidents (Art. 14).
    • U.S.: Manufacturers are expected to document their vulnerability response practices.

Where They Differ

  • Scope: CRA covers products with digital elements placed on the EU market, hardware and software alike (with carve-outs for sectors already regulated elsewhere, such as medical devices and vehicles), while the U.S. label is consumer IoT-only for now.
  • Legal Weight: CRA is mandatory. The Cyber Trust Mark is voluntary, though it is likely to influence procurement, retailer requirements and purchasing decisions.
  • Conformity Assessment: CRA uses CE marking with risk-based conformity modules: self-assessment for most products, third-party assessment for the important and critical product classes. U.S. products must pass testing by accredited labs (CyberLABs) before they may display the label.

If you’re shipping products globally, how are you aligning CRA compliance with U.S. labeling requirements? Any lessons or tooling you’d recommend?