Beyond Cybersecurity Month
Security and data protection have been core values at Nuki from the very beginning
Graz (Austria), 16 October 2024
- Unlike other Smart Lock providers, personal and security-relevant data are not stored on Nuki servers.
- A transparent approach to potential security vulnerabilities: Nuki is one of the few manufacturers of electronic door locks to openly publish a large portion of its APIs.
- New EU regulations on cybersecurity and cyber resilience: The Smart Lock pioneer from Graz already meets key requirements before official entry into force.
Every year in October, the European Union Agency for Cybersecurity (ENISA) highlights the importance of cybersecurity. The aim of European Cybersecurity Month is to draw attention to risks and dangers on the Internet and to increase EU citizens’ knowledge of IT security topics. As a pioneer in Smart Locks, Nuki places great importance on taking responsibility as a company – and not just for 31 days of the year. “We want to do our part in increasing trust in the security of Smart Locks,” says Jürgen Pansy, co-founder and Chief Innovation Officer. Through various approaches and concepts, the company aims to ensure that smart door locks remain secure in an increasingly connected world.
Security and data protection have been core values at Nuki since the development of its first prototype. Jürgen Pansy explains: “The way we see it is that the safest data are the data that are never handed over.” That is why Nuki Smart Locks have been designed since the first generation so that no mandatory user account is required. Data are not stored on Nuki servers. All products – except for the Nuki Box – can be used without an account. This applies both to local use via Bluetooth and remote access. In both cases, personal and security-relevant data are only stored locally on the respective devices and not on Nuki servers. The only exception is Nuki Web, a cloud service where data are temporarily stored on Nuki servers. Activating this service is optional and, in some cases, very practical: Nuki devices can be managed easily from a PC or laptop.
A Nuki Web account is also required for integration with some cloud-based smart home systems (Google Home, Amazon Alexa). Nuki is also committed to high security standards in this area: By storing data within the European Union, hosting is subject to strict data protection regulations, ensuring a high level of protection for user data. When it comes to security, the Austrian company relies on end-to-end encryption. In end-to-end encryption, a secret key is used that is known only to the sender and the receiver. Together with strong encryption algorithms, similar to those used in online banking, and the so-called challenge-response mechanism, it ensures that intercepting or copying and replaying locking commands to the Smart Lock is impossible.
Independently and Externally Verified Products
Imposing high standards on yourself in terms of security and data protection is one thing. It’s another to have these standards reviewed by independent, external bodies. That’s why Nuki has had its electronic door locks certified as “Secure IoT Products” by the independent “AV-TEST” institute since the first generation. This certification demonstrates the consistently high level of security – most recently for the fourth generation of Smart Locks. In addition, the “Ultion Nuki,” a joint product with British partner Brisant Secure, specifically for the UK market, achieved a particularly prestigious certification. The “BSI Kitemark for the Internet of Things” certifies that this Smart Lock meets the highest standards of both physical and digital security.
Regularly Updated Security Requirements
The risks and threats in cybersecurity are rapidly evolving. This is where a major advantage of Smart Locks comes into play: they can receive security updates via an online connection. Users receive automated updates and can ensure that security features are always kept up to the latest technological standards. This ensures that security vulnerabilities can be patched and new threats effectively countered. The Nuki app regularly checks for available updates and proactively informs users. Jürgen Pansy explains: “With regular updates and the use of apps for security updates, our Smart Locks are a modern and secure solution. They are continuously adapted to new security requirements, offering reliable protection.”
Open APIs
And how transparently does Nuki deal with potential security vulnerabilities? “As one of the few Smart Lock manufacturers, we have made a significant portion of our APIs public. This allows developers to review the security architecture of our electronic door lock and eliminate vulnerabilities,” stresses Nuki's Chief Innovation Officer. This transparency ensures that the technologies we use meet current security standards and protect against potential attacks. Responsible disclosure and so-called bug bounty programs are further essential elements of Nuki’s security strategy. Security experts are thereby able to report vulnerabilities directly to Nuki before they are made public. This allows quick action to be taken to close gaps in security. A bug bounty program offers monetary incentives for finding and reporting vulnerabilities. All of these steps, in the interest of transparency, contribute significantly to the continuous improvement of security measures, according to Pansy.
New EU Regulations from 2025 and 2027
The most recent milestones for the security of IoT devices within the EU are the Cyber Security Act (CSA) and the Cyber Resilience Act (CRA). These regulations were passed by the European Parliament in 2023 and 2024, respectively. The Cyber Security Act will come into force on 1 August 2025, and the Cyber Resilience Act in 2027. Both pieces of legislation aim to ensure that IoT devices in the EU become more secure and to strengthen trust in this technology. “At Nuki, we are proud to say that we already meet all key requirements of the CSA and CRA today,” concludes Jürgen Pansy.
About Nuki Home Solutions GmbH
The company was founded in 2014 by the brothers Martin Pansy (CEO) and Jürgen Pansy (Chief Innovation Officer) in Graz. Since its market launch in 2016, the company has grown steadily and is now the leading provider of smart, retrofittable access solutions in Europe. Currently, more than 150 people with 18 different nationalities are employed at the Graz site. In addition to the established Smart Lock produced in Europe and a comprehensive range of accessories and services, Nuki is working hard on the further development of smart access solutions for a completely keyless future.