The IoT Security Foundation invited Jonny Tyers to present at their May 2024 monthly webinar. His talk focused on a question a lot of connected device manufacturers were grappling with at the time: how do you actually meet the EU Cyber Resilience Act's security requirements without treating it as a pure documentation exercise?
About the presentation
The EU CRA introduced mandatory cybersecurity requirements for products with digital elements sold into the European market. For many manufacturers, the instinct was to ask what the standard requires on paper. Jonny's argument was that threat modelling is a better starting point — it gives you a structured way to understand what can actually go wrong with your product, and the CRA's technical requirements largely follow from doing that work properly.
The session was part of IoTSF's regular monthly webinar programme, which brings together practitioners, researchers and vendors from across the IoT security community.
What the session covered
The presentation walked through how threat modelling maps to the CRA's core obligations: understanding attack surfaces, identifying what assets need protecting, and documenting the security decisions made during product development. Rather than treating compliance as a checklist, this approach produces the kind of security evidence that regulators and notified bodies are actually looking for.
Jonny also covered where organisations tend to get stuck — typically either starting too late in the product lifecycle or treating threat modelling as a one-off audit rather than an ongoing engineering practice.
About IoTSF
The IoT Security Foundation is a non-profit that works to improve security across the IoT industry through research, education and practical guidance. Their webinar series covers a wide range of topics and is open to the public.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
