2FA / MFA - EU legal requirement

Hi, I've created a new post to again highlight the importance of this to Tado. Without 2 factor authentication/MFA, Tado will soon be in breach of EU law.

In 2022, the EU Commission proposed the Cybersecurity Resilience Act (CRA) which introduces mandatory cyber controls to, amongst other things, IoT devices including Tado products. The CRA is likely to be agreed before the European Parliament elections in early 2024.

The CRA forces manufacturers to ensure consumers can use products securely, and products with digital elements must comply with extensive cybersecurity requirements. Tado will have to perform a compliance assessment and implement "secure by design".

Tado will also be classed as a "high risk" product like a smart meter device, as it has potential to cause real world harm. For example, increasing the heat in a baby's room to dangerous levels, or turning off heating in an elderly person's house, both represent risk to life.

If manufacturers like Tado do not comply with the Act, the EU authority and member states can prohibit the product from being sold within the EU. In addition, fines of up to EUR 15 million or 2.5% of global turnover can be levied.

As a new Tado customer I expected MFA and was surprised it's not implemented. These kinds of cyber controls cannot be a popularity contest, voted on as part of a product feature roadmap. They are essential core secure-by-design requirements, especially when a product can cause real world harm. Facebook offers 2FA, banks & Mastercard use 2FA, so the argument that it's "too complicated for users" is false.

I've created a new post because several of the previous posts have "personal want" or "power user feature" objections, and none highlighted the strong argument that the EU will be able to fine Tado and shut down your business without essential cyber controls.

Other people with cyber certifications have posted on this and I fully agree with their comments. I'm head of cyber for a global $billion tech company and regularly deal with these challenges, so please trust that this cannot be ignored. If Tado would like to informally discuss further please feel free to get in touch via my email.

6 votes



  • Having purchased Tado products on Amazon, I have been asked by Amazon Answers 'Does the app require two factor authentication' - I have had to reply that it doesn't and I am concerned that I can see no indication that Tado intends to introduce 2FA in the near future.
  • davidlyall ✭✭✭

    If it becomes law then they will have to comply. However, I'm sure there will be a grace period for companies to implement and/or sell old stock.

    I'm not familiar with the requirement but if it requires changes at the device level, I suspect Tado will not implement it for existing hardware and move forward with a new generation of devices. This will leave existing installations at more risk but TBH, I don't think the EU could do much about that as I'm sure there are millions of IoT devices out there that also won't be compliant.

  • rafm5 ✭✭✭
    edited May 31

    @cdmstr Are you referring to '2-factor authentication for payments in the EU'?