It is July 2025. That means most IoT device manufacturers are almost completed with complying with the newly added cybersecurity requirements in the EU Radio Equipment Directive (RED) and looking at the how to get started with the next mandatory cybersecurity regulation CRA – Cyber Resilience Act. But on the other side of the Atlantic Ocean, the US FCC is gearing up with its own voluntary cybersecurity labeling scheme. How are these cybersecurity items similar to and different from each other? After all the effort to comply with the CRA, what’s the real cost—in time, money, and engineering—to get the CTM label?
Spoiler Alert: The answer is likely far less than you think. Your mandatory CRA compliance is a powerful launchpad that makes the CTM a low-effort, high-reward strategic prize.
Target Audience
This article is intended for business owners, product managers, and engineering managers who are currently working with the complexities of the CRA.
This is not another primer on what these regulations are. We have already covered in details what each of these programs mean for IoT device manufacturers. In this article, we try to:
- Do a practical gap analysis of the work you will do for the CRA versus the work that remains to secure the CTM.
- Understand the financial cost of securing the CTM label for a consumer IoT product.
The Foundation: You’ve Already Done the Heavy Lifting with CRA
Before we look at the gaps, let’s take stock of the foundational investments you’ve already made to satisfy the CRA. These are not sunk costs; they are assets. To sell in the EU, your organization has already:
Embedded a Secure-by-Design Culture: You’ve implemented rigorous risk assessments and threat modeling from the earliest stages of product development.
Mastered Vulnerability Management: You have a robust, documented process for identifying, managing, and patching vulnerabilities throughout the product lifecycle. This includes maintaining a detailed Software Bill of Materials (SBOM).
Built a Secure Update Infrastructure: You have a reliable and secure mechanism to deliver timely security updates to your products in the field.
Established Clear Communication Channels: You provide users with transparent security documentation and have a defined public channel for researchers to report vulnerabilities.
Prepared for Third-Party Audits: You’ve compiled the extensive technical documentation and evidence required to pass a CRA conformity assessment, and in some cases also potentially involved a notified body.
This is the heavy lifting. These efforts represent a fundamental shift in how a product is designed, built, and maintained. The good news is that this work directly maps to the vast majority of what the U.S. Cyber Trust Mark requires.
The Gap Analysis: From CRA-Compliant to CTM-Ready
The U.S. CTM, based on standards set by the National Institute of Standards and Technology (NIST), is designed to be a clear, at-a-glance signal of security for American consumers. Let’s break down its requirements and see how your CRA compliance stacks up.
| U.S. Cyber Trust Mark Requirement (NIST 8425) | Your Existing CRA Compliance | The “Delta” (Extra Effort Needed) |
| Asset Identification | 95% Covered. Your CRA-mandated SBOM and vulnerability management processes require robust device and software component tracking. | Minimal. Ensure your identification method is easily verifiable by the CTM testing lab. This is a documentation check, not a re-engineering task. |
| Secure Product Configuration | 100% Covered. This is a core tenet of the CRA’s “secure-by-design” essential requirements. | None |
| Data Protection | 100% Covered. Another fundamental principle of the CRA’s security requirements. | None |
| Interface Access Control | 100% Covered. Mandated by the CRA’s secure-by-design principles. | None |
| Software Updates | 100% Covered. Your CRA-compliant secure update infrastructure is precisely what the CTM requires. | None |
| Cybersecurity State Awareness | 70% Covered. Your CRA work includes monitoring and logging, but the focus is often on reporting to the manufacturer or authorities. | Low. This may require a minor feature addition to allow the device or its companion app to display its current patch level or a “you are secure” status to the end-user. For many products, this is a simple software tweak. |
| Manufacturer-Side Requirements | 90% Covered. The CRA mandates clear user documentation and a vulnerability intake process. | Low. The primary delta is formatting. The CTM program requires specific information to be readily available, such as the minimum security support period for the product. This is a policy decision and a documentation update, not an engineering challenge. |
| The QR Code & Registry | 0% Covered. This is a unique procedural requirement of the CTM program. | Medium. This is the biggest gap. You must engage with a CTM-accredited lab, formally register your product in a U.S. national database, and provide the specific data points for the QR code to link to. While this is a new process, it leverages the technical evidence you already prepared for the CRA. The effort is administrative and procedural. |
The Cost of Certification
Let’s be clear: certification has hard costs. The final in-lab testing for a program like the CTM can range from $80,000 to $200,000 per product.
To confidently pass this test, you cannot afford to gamble on unverified components. This is where using pre-certified components—such as those validated against FIPS 140 for cryptography, or certified through programs like SESIP and PSA Certified—becomes a critical strategy. While these high-assurance components carry a higher unit price than their untested counterparts, they represent a calculated investment, not just an expense. They de-risk your final certification, saving you from the far greater costs of failed lab tests and devastating go-to-market delays.
Crucially, the rigorous evidence and secure-by-design principles required for the EU CRA already incentivize this exact approach. To properly meet CRA requirements, especially for products requiring third-party assessment, you should already be using these types of robust, verifiable components. If you built your product correctly for the CRA, you have likely already absorbed the strategic cost of using a high-assurance bill of materials. The primary new line item for the CTM, then, is the lab testing fee itself—not a fundamental and costly re-engineering of your core components.
The Verdict: The Juice Is Worth the Squeeze
As the analysis shows, the path from CRA compliance to CTM certification is not another mountain to climb, but a short walk down a paved road. The incremental effort is overwhelmingly administrative and procedural, not technical or developmental. You’ve already engineered the secure product; the remaining work is about packaging that proof for a different market.
So, is it worth it? For any manufacturer with ambitions in the U.S. market, the answer is an unequivocal yes.
Market Access: While voluntary, expect major U.S. retailers to use the CTM as a procurement benchmark. Lacking the label could mean being locked out of significant sales channels.
Competitive Differentiation: In a crowded market, the CTM is a powerful and simple marketing tool. It instantly tells a consumer, “This product is secure,” building trust and driving purchasing decisions.
Reduced Sales Friction: The CTM label preemptively answers security questions from consumers, reducing friction in the sales process and enhancing brand reputation.
Your investment in CRA compliance is mandatory, but it doesn’t have to be a siloed cost center for your European business. By taking the small, additional administrative steps to secure the U.S. Cyber Trust Mark, you can leverage that initial investment into a powerful competitive advantage in the world’s largest consumer market. The question isn’t if you should pursue the CTM after the CRA, but how quickly you can get it done.
Want to know how to use certified components to get the CRA and CTM labels? Read our articles on PSA Certified for CTM, PSA Certified for CRA, and SESIP for CRA. Confused as to which certified components like MCU, connectivity SoCs are best for your next project? Watch out for our upcoming articles on. Subscribe to us on LinkedIn to read our articles as soon as they are published: https://www.linkedin.com/company/iot-regulations/
