Trust, Labels, and the Path to Meaningful Security: Rethinking CRT Adoption in the UK

This article critically examines the UK’s Cyber Resilience Test (CRT) as a cybersecurity labelling initiative aimed at building consumer trust in connected devices. While affirming CRT’s importance, it highlights the need for clearer value propositions, stakeholder alignment, and behavioural insights to ensure meaningful adoption. Drawing on global examples like Singapore’s CLS and the EU’s CE mark, it argues that CRT must evolve from a technical standard to a culturally embedded trust signal. The piece advocates for a dynamic playbook that supports SMEs, educates consumers, aligns with procurement policy, and adapts over time — turning CRT into a living, ecosystem-wide standard.

Wayne Horkan | Cyber Tzar, West Midlands Cyber Hub, Psyber Inc.

“To be useful, trust needs a proxy. The Cyber Resilience Test (CRT) aims to be that proxy — but to succeed, it must evolve, be understood, and be demanded by those who matter most.”

Wayne Horkan, WM Cyber Working Group, Cyber Tzar, Psyber Inc.

Introduction: CRT and the Architecture of Trust

The ambition behind the Cyber Resilience Test (CRT) is not in question. It aims to accomplish a challenging yet crucial task: making cybersecurity visible and actionable at the point of purchase. Like the food hygiene stickers on a restaurant window or the A+ energy rating on your new fridge, CRT is a signal — a shorthand for safety, assurance, and regulatory credibility.

But cybersecurity is a more elusive target. It is technical, dynamic, and invisible — and unlike hygiene or efficiency, its failures are often systemic rather than individual. So far, CRT’s uptake has been tentative. And that hesitation tells us something important: that we need to better understand not just what CRT is, but what it needs to become.

This article does not reject CRT. Quite the opposite: it defends its core logic. But it does so with a critical eye — because successful standards do not emerge by decree; they evolve through iteration, market validation, and honest feedback.

CRT uptake has been inconsistent due to a range of industry and consumer barriers. This blog builds on recent reporting that outlined the importance of CRT adoption, assessed existing international labelling efforts, and proposed a structured approach for businesses and consumers to integrate CRT into their decision-making processes.

CRT: The Right Idea — But for Whom, and When?

The CRT’s underlying premise is sound. In theory, it benefits:

  • Consumers, by offering clarity in a confusing digital landscape;
  • Manufacturers, by providing a recognised benchmark and potential competitive advantage;
  • Retailers, by reducing reputational risk;
  • Regulators, by establishing a non-legislative lever for supply chain security.

And yet adoption remains low. Why?

Because, as with all standards, value must be perceived before it is realised. In its current form, CRT sits in a credibility gap: too new to be demanded, too underused to be trusted, and too narrowly framed to feel universal.

There is a risk here — that CRT becomes another well-intentioned initiative parked in the “voluntary but forgotten” category. To avoid that fate, we must interrogate the assumptions beneath its rollout and explore how the scheme must mature, differentiate, and prove its worth.

CRT adoption is essential for fostering consumer confidence, establishing a uniform security baseline across industries, and mitigating cybersecurity risks associated with unverified consumer devices. In an increasingly interconnected digital landscape, ensuring that devices adhere to robust security standards is not just a regulatory concern but a fundamental requirement for digital safety. CRT provides manufacturers with a framework to improve product security while assuring consumers that their devices meet established benchmarks. Despite its potential, CRT adoption faces significant challenges, including cost concerns, lack of consumer awareness, and resistance from manufacturers hesitant to integrate new compliance measures.

What the CRT Is (and What It Isn’t — Yet)

CRT is often misunderstood. It does not claim to make a device “secure” in any absolute sense. It indicates that a product has met a minimum standard for resilience: things like patchability, known vulnerability management, and secure configuration.

But the depth and visibility of that standard are still unclear to many stakeholders. In conversations across the sector, we’ve seen three common pain points:

  1. Opaque criteria — Many manufacturers do not know what exactly is required, or how it differs from other frameworks like ETSI EN 303 645 or the US Cyber Trust Mark.
  2. Unclear benefits — There is little public data on how CRT-certified products perform in the market, or whether they influence procurement.
  3. Limited differentiation — Without a tiered or graded model, CRT risks being seen as a binary checkbox rather than a signal of excellence.

Security labelling initiatives, while beneficial, often struggle with market adoption. One of the key issues is the lack of consumer awareness and prioritisation of security when making purchasing decisions. Many consumers assume security is inherently built into devices without verifying manufacturer claims, leading to low demand for security certifications like CRT. Market fragmentation and differing security standards across regions further create inconsistencies, making it difficult for a single labelling scheme to gain widespread traction. Cost remains another major barrier, particularly for small and medium-sized enterprises (SMEs). Additionally, cybersecurity threats evolve rapidly, necessitating continuous updates to certification criteria to maintain relevance and effectiveness.

Comparative Case Studies: Lessons from Elsewhere

We don’t have to start from scratch. Other countries and sectors have wrestled with these same problems — and some have found partial solutions.

  • Singapore’s CLS embedded its labelling scheme into both consumer education and retailer engagement. QR codes link to product-specific security information. Government incentives helped early adopters, and over 200 products now carry the mark.
  • NIST’s IoT labelling framework in the US emphasised transparency and flexibility, enabling market adaptation while still grounding expectations.
  • The CE Mark in Europe shows what happens when certification becomes a procurement gatekeeper — uptake becomes inevitable, not optional.
  • UK energy labelling, though technically unrelated, offers behavioural insight: when simple visuals (like colour bands and A–G ratings) are made visible at the point of purchase, they change buyer behaviour measurably over time.

These examples illustrate how government-backed schemes, when paired with strong communications strategies, in-store visibility, and stakeholder buy-in, can shift market norms and consumer expectations.

CRT’s Stakeholders: Friction and Fit

If CRT is to evolve meaningfully, we must design not just for function, but for fit. Each stakeholder engages with CRT for different reasons:

  • SMEs may see it as an early-market differentiator — but only if the scheme is accessible and affordable.
  • Retailers may support it — but only if CRT materials reduce confusion and boost consumer trust.
  • Consumers may value it — but only if it is intelligible, comparable, and salient at the point of sale.
  • Large enterprises and government buyers may adopt it — but only if it integrates with procurement frameworks and aligns with existing cyber assurance models.

Manufacturers and retailers play a pivotal role in CRT adoption. Compliance with security labelling schemes not only helps reduce vulnerabilities in the supply chain but also demonstrates proactive risk management to regulatory bodies and customers. For businesses, CRT offers a competitive advantage by differentiating certified products in the marketplace, increasing brand trust, and potentially reducing liability and insurance costs. However, without clear incentives and an effective communication strategy, many may remain reluctant to adopt it.

Consumers, meanwhile, are often unaware of the security risks associated with devices or assume that “secure” means invulnerable. Transparency, simplicity, and widespread education are crucial for CRT to gain traction as a meaningful trust signal.

The Evolution of CRT’s Value Proposition

One of the most underappreciated aspects of CRT is that its value is not static. It shifts as awareness grows and network effects emerge.

  • Early adopters — typically SMEs and cybersecurity-forward firms — may gain reputational and procurement advantages by being first.
  • Mid-stage adopters will join once the scheme gains traction in procurement and consumer preference.
  • Late adopters may have no choice — when CRT becomes a procurement requirement or a regulatory proxy, compliance becomes mandatory.

This is how most successful standards evolve: from optional to expected to essential. But that curve only works if early value is clearly demonstrated and communicated.

Recommendations: Towards a Smarter CRT Playbook

What’s needed now is a shift in focus — from implementation to ecosystem building. The CRT Playbook should not just describe how to get certified. It must articulate why it matters, to whom, and under what circumstances.

Key elements should include:

  • Clear guidance for manufacturers on eligibility, application processes, and integration with existing compliance frameworks (e.g. NCSC, ETSI).
  • Retailer-facing materials to support in-store promotion, staff training, and customer engagement.
  • Consumer education campaigns, modelled on past successes in food hygiene and energy labelling.
  • Tiered models — allowing entry-level and advanced certifications.
  • Public metrics — sharing adoption statistics, consumer research, and impact evaluations to build trust and momentum.
  • Policy alignment tools — especially for public sector procurement.

Conclusion: CRT Is Necessary, But Not Yet Sufficient

CRT has the potential to become a linchpin in the UK’s consumer cybersecurity ecosystem. But that potential will only be realised if we treat it as a living standard — one that evolves, adapts, and listens.

At this stage, CRT is neither widely adopted nor well understood. That’s not a failure — it’s a beginning. Every successful trust mark, from organic food to energy performance, went through a period of negotiation, iteration, and cultural embedding.

We are in that phase now.

Our collective task — across industry, academia, government, and civil society — is to ensure that CRT doesn’t just sit on packaging, but sits in minds. That it becomes not just a symbol, but a standard. Not just a badge, but a behaviour.

Because if we want trust in the digital marketplace, we need to build the scaffolding that sustains it. CRT can be that scaffolding — but only if we build it openly, critically, and together.