The CRA Paradox: Impossible Requirements, Real Deadlines
- James W.
- 3 days ago

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is usually summarised as mandating "lifetime security updates" for connected devices. The actual rule, Article 13(8), is that the manufacturer must handle vulnerabilities for a support period that reflects how long the product is expected to be in use, with a floor of five years, and the main obligations apply to products placed on the market from 11 December 2027.
Good regulation. For long-lived devices, an impossible requirement.
Smart buildings need connected devices: automation controllers, sensors, access readers, gateways. Those devices stay in service for 15-20 years. Manufacturers typically support them for 3-5 years.
The math doesn't work.
No manufacturer can commit to 15-20 years of security patching, including for the third-party components and libraries the CRA also makes it responsible for, and remain a viable business. But because the support period is tied to expected time in use, that is exactly what the CRA asks of a device sold into a 20-year building.
Result: building IoT sold on today's support terms is non-compliant from the day it is placed on the market, not years later when the patches stop.
This is a governance failure, not a technology problem.
SBCGA solves it by being realistic:
- 7-10 year support contracts (achievable)
- Systematic vulnerability management (practical)
- Distributed security responsibility (sustainable)
- Device lifecycle governance (operational)
Compliance doesn't require the impossible. It requires systematic governance that acknowledges reality and manages accordingly.
CRA compliance is achievable with SBCGA. Just not with unicorn assumptions.
Read AC-146. Learn SBCGA. Make your building compliant.