{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T10:50:08Z","timestamp":1763981408380,"version":"3.45.0"},"reference-count":57,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T00:00:00Z","timestamp":1763769600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100007801","name":"Fundaci\u00f3n S\u00e9neca\u2014Agency of Science and Technology of the Region of Murcia","doi-asserted-by":"publisher","award":["22771\/FPI\/24"],"award-info":[{"award-number":["22771\/FPI\/24"]}],"id":[{"id":"10.13039\/100007801","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Libelium"},{"name":"Spanish National Cybersecurity Institute S.M.E., M.P., S.A.","award":["CPP3-CPP001\/23"],"award-info":[{"award-number":["CPP3-CPP001\/23"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>The European Union\u2019s Cyber Resilience Act (CRA) introduces a complex set of binding lifecycle security obligations, presenting a significant compliance challenge for the Internet of Things (IoT) industry. This study addresses this challenge by developing a comprehensive CRA mapping framework specifically tailored to the IoT sector. The core contribution is a detailed lifecycle-based checklist that translates the regulation\u2019s legal mandates into an actionable blueprint for manufacturers. Beyond the checklist itself, this paper\u2019s core contribution is a transparent two-phase methodology. The first phase provides a structured pipeline to translate dense legal text (from CRA Articles 13\u201314 and its annexes) into atomic testable engineering requirements. The second phase builds a quantitative rating tree using the Analytic Hierarchy Process (AHP) to weigh these requirements, providing a consistent and evidence-based scoring rubric. By synthesizing the complex regulatory landscape and the technical state of the art, this paper operationalizes the CRA\u2019s requirements for governance, secure design, vulnerability management, and conformity assessment. The framework is validated in the TRUEDATA case, yielding a weighted readiness score and a sensitivity analysis that underpin the reliability of the findings.<\/jats:p>","DOI":"10.3390\/info16121017","type":"journal-article","created":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T09:02:07Z","timestamp":1763974927000},"page":"1017","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Integrating the CRA into the IoT Lifecycle: Challenges, Strategies, and Best Practices"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-4420-9672","authenticated-orcid":false,"given":"Miguel \u00c1ngel","family":"Ortega Vel\u00e1zquez","sequence":"first","affiliation":[{"name":"Department of Information and Communication Technologies, Universidad Polit\u00e9cnica de Cartagena (UPCT), 30202 Cartagena, Spain"},{"name":"Libelium Lab, 30562 Murcia, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0411-9300","authenticated-orcid":false,"given":"Iris","family":"Cuevas Mart\u00ednez","sequence":"additional","affiliation":[{"name":"Libelium Lab, 30562 Murcia, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2651-6684","authenticated-orcid":false,"given":"Antonio J.","family":"Jara","sequence":"additional","affiliation":[{"name":"Libelium Lab, 30562 Murcia, Spain"}]}],"member":"1968","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"ref_1","unstructured":"European Parliament and the Council (2025, September 12). Regulation (EU) 2024\/2847 on Horizontal Cybersecurity Requirements for Products with Digital Elements (Cyber Resilience Act). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2024\/2847\/oj."},{"key":"ref_2","unstructured":"Statista Research Department (2025, September 10). Internet of Things (IoT) Connected Devices Installed Base Worldwide from 2015 to 2025 (In Billions). Available online: https:\/\/www.statista.com\/statistics\/471264\/iot-number-of-connected-devices-worldwide\/."},{"key":"ref_3","unstructured":"IoT Analytics (2025, October 05). State of IoT 2024: Number of Connected IoT Devices. Available online: https:\/\/iot-analytics.com\/numberconnected-iot-devices\/."},{"key":"ref_4","unstructured":"European Parliament and the Council (2025, August 22). Directive (EU) 2016\/1148 Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union (NIS). Available online: https:\/\/eur-lex.europa.eu\/eli\/dir\/2016\/1148\/oj."},{"key":"ref_5","unstructured":"European Parliament and the Council (2025, September 15). Regulation (EU) 2016\/679 (General Data Protection Regulation). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj."},{"key":"ref_6","unstructured":"European Parliament and the Council (2025, August 28). Regulation (EU) 2019\/881 on ENISA and on Information and Communications Technology Cybersecurity Certification (Cybersecurity Act). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2019\/881\/oj."},{"key":"ref_7","unstructured":"European Parliament and the Council (2025, September 02). Directive 2014\/53\/EU on the Harmonisation of the Laws of the Member States Relating to the Making Available on the Market of Radio Equipment (RED). Available online: https:\/\/eur-lex.europa.eu\/eli\/dir\/2014\/53\/oj."},{"key":"ref_8","unstructured":"European Commission (2025, September 12). Commission Delegated Regulation (EU) 2022\/30 supplementing Directive 2014\/53\/EU with regard to essential requirements in Article 3(3)(d)(e)(f). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg_del\/2022\/30\/oj."},{"key":"ref_9","unstructured":"European Commission (2025, August 18). Commission Implementing Regulation (EU) 2024\/482 Laying Down Rules for the Adoption of the European Common Criteria-Based Cybersecurity Certification Scheme (EUCC). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg_impl\/2024\/482\/oj."},{"key":"ref_10","unstructured":"European Parliament and the Council (2025, September 25). Directive (EU) 2022\/2555 on Measures for a High Common Level of Cybersecurity Across the Union (NIS2). Available online: https:\/\/eur-lex.europa.eu\/eli\/dir\/2022\/2555\/oj."},{"key":"ref_11","unstructured":"European Commission (2025, August 30). Commission Delegated Regulation (EU) 2023\/2444 Amending Delegated Regulation (EU) 2022\/30 as Regards the Date of Application of the Essential Requirements for Radio Equipment and Correcting That Regulation. Available online: https:\/\/eur-lex.europa.eu\/eli\/reg_del\/2023\/2444\/oj."},{"key":"ref_12","unstructured":"European Parliament and the Council (2025, September 14). Regulation (EU) 2023\/988 on General Product Safety (GPSR). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2023\/988\/oj."},{"key":"ref_13","unstructured":"European Parliament and the Council (2025, October 01). Regulation (EU) 2023\/2854 on Harmonised Rules on Fair Access to and Use of Data (Data Act). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2023\/2854\/oj."},{"key":"ref_14","unstructured":"European Parliament and the Council (2025, September 08). Regulation (EU) 2024\/1689 Laying Down Harmonised Rules on Artificial Intelligence (AI Act). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2024\/1689\/oj."},{"key":"ref_15","unstructured":"European Parliament and the Council (2025, August 20). Regulation (EU) 2024\/1183 on a Framework for a European Digital Identity (eIDAS 2). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2024\/1183\/oj."},{"key":"ref_16","unstructured":"European Parliament and the Council (2025, September 29). Directive (EU) 2018\/1972 Establishing the European Electronic Communications Code (EECC). Available online: https:\/\/eur-lex.europa.eu\/eli\/dir\/2018\/1972\/oj."},{"key":"ref_17","unstructured":"European Parliament and the Council (2025, September 04). Regulation (EU) 2022\/2554 on Digital Operational Resilience for the Financial Sector (DORA). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2022\/2554\/oj."},{"key":"ref_18","unstructured":"European Parliament and the Council (2025, October 06). Directive (EU) 2022\/2557 on the Resilience of Critical Entities (CER). Available online: https:\/\/eur-lex.europa.eu\/eli\/dir\/2022\/2557\/oj."},{"key":"ref_19","unstructured":"European Parliament and the Council (2025, August 11). Regulation (EU) 2017\/745 on Medical Devices (MDR). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2017\/745\/oj."},{"key":"ref_20","unstructured":"European Parliament and the Council (2025, September 19). Regulation (EU) 2023\/1230 on Machinery (Machinery Regulation). Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2023\/1230\/oj."},{"key":"ref_21","unstructured":"(2020). Cyber Security for Consumer Internet of Things: Baseline Requirements (Standard No. ETSI EN 303 645 V2.1.1). Available online: https:\/\/www.etsi.org\/deliver\/etsi_en\/303600_303699\/303645\/02.01.01_60\/en_303645v020101p.pdf."},{"key":"ref_22","unstructured":"(2018). Security for Industrial Automation and Control Systems\u2014Part 4-1: Secure Product Development Lifecycle Requirements (Standard No. IEC 62443-4-1:2018). Available online: https:\/\/webstore.iec.ch\/publication\/33615."},{"key":"ref_23","unstructured":"(2020). Foundational Cybersecurity Activities for IoT Device Manufacturers (Standard No. NIST IR 8259)."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"616","DOI":"10.1109\/COMST.2019.2953364","article-title":"Security of the Internet of Things: Vulnerabilities, Attacks, and Countermeasures","volume":"22","author":"Butun","year":"2020","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Bakhshi, T., Ghita, B., and Kuzminykh, I. (2024). A Review of IoT Firmware Vulnerabilities and Auditing Techniques. Sensors, 24.","DOI":"10.3390\/s24020708"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1007\/s43926-023-00045-2","article-title":"A survey on IoT and embedded device firmware security: Architecture, extraction techniques, and vulnerability analysis frameworks","volume":"3","author":"Haq","year":"2023","journal-title":"Discov. Internet Things"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1109\/JAS.2022.105860","article-title":"Detecting Vulnerability on IoT Device Firmware: A Survey","volume":"10","author":"Feng","year":"2023","journal-title":"IEEE\/CAA J. Autom. Sin."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Kloeg, B., Ding, A.Y., Pellegrom, S., and Zhauniarovich, Y. (2024, January 1\u20135). Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (ASIACCS \u201924), Singapore.","DOI":"10.1145\/3634737.3637659"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"112540","DOI":"10.1016\/j.jss.2025.112540","article-title":"On the adoption of software bill of materials in open-source software projects","volume":"230","author":"Nocera","year":"2025","journal-title":"J. Syst. Softw."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Ankerg\u00e5rd, S.F.J.J., Dushku, E., and Dragoni, N. (2021). State-of-the-Art Software-Based Remote Attestation: Opportunities and Open Issues for Internet of Things. Sensors, 21.","DOI":"10.3390\/s21051598"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"2447","DOI":"10.1109\/COMST.2020.3008879","article-title":"Collective Remote Attestation at the Internet of Things Scale: State-of-the-art and Future Challenges","volume":"22","author":"Ambrosin","year":"2020","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Ruohonen, J., Hjerppe, K., and Kang, E.-Y. (2025). A Mapping Analysis of Requirements Between the CRA and the GDPR. arXiv.","DOI":"10.1109\/REW66121.2025.00034"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"106009","DOI":"10.1016\/j.clsr.2024.106009","article-title":"Cyber Resilience Act 2022: A silver bullet for cybersecurity of IoT devices or a shot in the dark?","volume":"54","author":"Shaffique","year":"2024","journal-title":"Comput. Law Secur. Rev."},{"key":"ref_34","first-page":"299","article-title":"Complexity of IoT technologies: European regulations in progress and patterns of customer communication","volume":"2","author":"Vescovi","year":"2023","journal-title":"Media Laws"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"106152","DOI":"10.1016\/j.clsr.2025.106152","article-title":"The Internet of Forgotten Things: European cybersecurity regulation and the cessation of Internet of Things manufacturers","volume":"57","year":"2025","journal-title":"Comput. Law Secur. Rev."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Jara, A.J., Martinez, I.C., and Sanchez, J.S. (2024, January 29\u201331). CyberSecurity Resilience Act (CRA) in Practice for IoT Devices: Getting Ready for the NIS2. Proceedings of the 2024 IEEE Smart Cities Futures Summit (SCFC), Marrakech, Morocco.","DOI":"10.1109\/SCFC62024.2024.10698057"},{"key":"ref_37","unstructured":"Coppens, B., Volckaert, B., Naessens, V., and De Sutter, B. (2025). Effects of the Cyber Resilience Act (CRA) on Industrial Equipment Manufacturing Companies. Availability, Reliability and Security, Springer Nature."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"(2022). Information Security, Cybersecurity and Privacy Protection\u2014Information Security Management Systems\u2014Requirements (Standard No. ISO\/IEC 27001:2022). Available online: https:\/\/www.iso.org\/standard\/82875.html.","DOI":"10.2307\/j.ctv30qq13d"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Kempe, E., and Massey, A. Perspectives on Regulatory Compliance in Software Engineering. Proceedings of the 2021 IEEE 29th International Requirements Engineering Conference (RE), Available online: https:\/\/ieeexplore.ieee.org\/document\/9604591.","DOI":"10.1109\/RE51729.2021.00012"},{"key":"ref_40","unstructured":"Faria, J.P., Goul\u00e3o, M., Paiva, A.R., and Paiva, R.P. (2024). Systematic Mapping Study on Requirements Engineering for Regulatory Compliance of Software Systems. arXiv."},{"key":"ref_41","first-page":"606","article-title":"A Systematic Method for Acquiring Regulatory Requirements: A Frame-Based Approach","volume":"34","author":"Breaux","year":"2008","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"5450","DOI":"10.11591\/ijece.v11i6.pp5450-5457","article-title":"An overview of information extraction techniques for legal document analysis and processing","volume":"11","author":"Zadgaonkar","year":"2021","journal-title":"Int. J. Electr. Comput. Eng. (IJECE)"},{"key":"ref_43","unstructured":"UpGuard (2025, September 24). IT Security Risk Assessment Methodology: Qualitative vs. Quantitative. UpGuard Blog. Available online: https:\/\/www.upguard.com\/blog\/risk-assessment-methodology."},{"key":"ref_44","unstructured":"CyberSaint (2025, October 05). Level Up Your Cybersecurity: A Guide to Quantitative Risk Frameworks. CyberSaint Blog. Available online: https:\/\/www.cybersaint.io\/blog\/guide-to-quantitative-risk-frameworks."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Moreira, F.R., Canedo, E.D., Nunes, R.R., Serrano, A.L.M., Abbas, C., Pereira Junior, M.L., and de Mendon\u00e7a, F.L. (2025, January 4\u20136). Cybersecurity Risk Assessment Through Analytic Hierarchy Process: Integrating Multicriteria and Sensitivity Analysis. Proceedings of the 27th International Conference on Enterprise Information Systems (ICEIS), Porto, Portugal. Available online: https:\/\/www.researchgate.net\/publication\/390643114_Cybersecurity_Risk_Assessment_Through_Analytic_Hierarchy_Process_Integrating_Multicriteria_and_Sensitivity_Analysis.","DOI":"10.5220\/0013197300003929"},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"012036","DOI":"10.1088\/1757-899X\/710\/1\/012036","article-title":"Information security risk assessment using the AHP method","volume":"710","author":"Zaburko","year":"2019","journal-title":"IOP Conf. Ser. Mater. Sci. Eng."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"108895","DOI":"10.1016\/j.eneco.2025.108895","article-title":"AI-driven hypergraph neural network for predicting gasoline price trends","volume":"151","author":"Zhu","year":"2025","journal-title":"Energy Econ."},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"102763","DOI":"10.1016\/j.phycom.2025.102763","article-title":"Robust and adaptive semantic noise for complex secure communication networks","volume":"72","author":"Cai","year":"2025","journal-title":"Phys. Commun."},{"key":"ref_49","unstructured":"Breaux, T.D., and Ant\u00f3n, A.I. (2007, January 15\u201319). Analyzing Regulatory Rules for Ambiguity and Conflict. Proceedings of the 15th IEEE International Requirements Engineering Conference (RE\u201907), New Delhi, India."},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1016\/0377-2217(90)90057-I","article-title":"How to make a decision: The analytic hierarchy process","volume":"48","author":"Saaty","year":"1990","journal-title":"Eur. J. Oper. Res."},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Saaty, T.L., and Vargas, L.G. (2001). Models, Methods, Concepts & Applications of the Analytic Hierarchy Process, Springer.","DOI":"10.1007\/978-1-4615-1665-1"},{"key":"ref_52","unstructured":"Adams, W. (July, January 19). ANP Row Sensitivity and the Resulting Influence Analysis. Proceedings of the International Symposium on the Analytic Hierarchy Process, Washington, DC, USA. Available online: https:\/\/www.isahp.org\/uploads\/p744093.pdf."},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"948","DOI":"10.1016\/j.mcm.2007.03.016","article-title":"Criticisms of the Analytic Hierarchy Process: Why AHP Is Not a Reliable Method for Complex Decisions","volume":"46","author":"Whitaker","year":"2007","journal-title":"Math. Comput. Model."},{"key":"ref_54","first-page":"1785","article-title":"Analytic hierarchy process rank reversals: Causes and solutions","volume":"346","author":"Tu","year":"2023","journal-title":"J. Enterp. Inf. Manag."},{"key":"ref_55","first-page":"56","article-title":"An Analysis of Multi-Criteria Decision Making Methods","volume":"10","author":"Velasquez","year":"2013","journal-title":"Int. J. Oper. Res."},{"key":"ref_56","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1007\/s42979-022-01228-4","article-title":"From Legal Contracts to Formal Specifications: A Systematic Literature Review","volume":"3","author":"Soavi","year":"2022","journal-title":"SN Comput. Sci."},{"key":"ref_57","unstructured":"OpenSSF (2025, October 23). SBOMs in the Era of the CRA: Toward a Unified and Actionable Framework. OpenSSF Blog. Available online: https:\/\/openssf.org\/blog\/2025\/10\/22\/sboms-in-the-era-of-the-cra-toward-a-unified-and-actionable-framework\/."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/12\/1017\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T10:46:54Z","timestamp":1763981214000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/12\/1017"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,22]]},"references-count":57,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2025,12]]}},"alternative-id":["info16121017"],"URL":"https:\/\/doi.org\/10.3390\/info16121017","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2025,11,22]]}}}