CRA Compliance for Industrial and OT Products

The EU Cyber Resilience Act sets binding cybersecurity obligations for connected industrial and OT products — from design to end-of-life.

Product Cybersecurity: An Unresolved Challenge for the EU

For over a decade, digital products have entered the EU market with inconsistent — or nonexistent — security requirements. Many connected products, including industrial systems, still lack adequate safeguards. The EU has officially recognized cybersecurity as "one of its main challenges," with cyberattacks considered "a matter of public interest" (CRA Recital 1).

This regulatory vacuum has left the internal market fragmented and vulnerable, with significant risks to economic stability, democratic integrity, and public safety.

The Cyber Resilience Act (CRA) is the EU’s strategic response: a unified regulation designed to raise the security baseline across all digital products and ensure long-term cyber resilience.

📘 Want a quick summary? Download our CRA Compliance Cheat Sheet

What is the CRA?

The CRA sets binding essential cybersecurity requirements for "products with digital elements": software or hardware products, together with any remote data processing solution they depend on to function, that are placed on the EU market and whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Firmware, embedded software, standalone applications and the hardware they run on are all covered.

Unlike voluntary guidelines or fragmented national laws, the CRA sets a binding, enforceable framework that applies across the full product lifecycle — from design and development to post-sale support and decommissioning.

For manufacturers of industrial and OT equipment in sectors like energy, mobility, or automation, CRA compliance means embedding security from day one, not bolting it on after launch. Non-compliance with the essential requirements can result in fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher (lower tiers apply to breaches of other obligations and to supplying incorrect information to authorities), as well as corrective orders from market surveillance authorities, legal exposure, and reputational harm.

Which Products Fall Under the CRA?

The CRA covers a broad range of connected products — including consumer devices and complex industrial systems.

Examples:

  • Consumer: smartphones, connected toys, wearables, voice assistants
  • Industrial: PLCs, ICS, CNC machines, smart meters, field gateways, SCADA components

A product falls under the CRA if it:

  • Is a software or hardware product, including any remote data processing solution it needs in order to perform its functions
  • Is placed on the EU market in the course of a commercial activity
  • Has an intended or reasonably foreseeable use that includes a direct or indirect logical or physical data connection to a device or network

Products already governed by sector-specific EU rules with equivalent cybersecurity requirements are excluded, notably medical devices, civil aviation products, motor vehicles and marine equipment, as are products developed exclusively for national security or defence purposes. Free and open-source software is covered only when it is supplied in the course of a commercial activity. Pure cloud services (SaaS) are out of scope unless they are the remote data processing part of a product with digital elements; as services they fall under NIS2 instead.

If your product connects or communicates in any form and is placed on the EU market, assume it is in scope and plan accordingly.

Who Is Responsible for CRA Compliance?

Manufacturers carry the primary obligations. They must design, develop and produce the product in line with the essential requirements of Annex I, following secure-by-design principles; carry out a documented cybersecurity risk assessment and keep it current; draw up the technical documentation, including a software bill of materials (SBOM) covering at least the product's top-level dependencies; complete the conformity assessment procedure that applies to the product's class; issue an EU declaration of conformity and affix the CE marking; and run vulnerability handling processes (monitoring, coordinated disclosure, reporting and patching) for the whole support period.

Importers may place a product on the EU market only after verifying that the manufacturer has carried out the applicable conformity assessment, drawn up the technical documentation, affixed the CE marking and provided the required identification and contact information. If they know or have reason to believe the product does not conform, they must not place it on the market and must inform the manufacturer and the market surveillance authorities.

Distributors must act with due care before making a product available: confirming that the CE marking and required documents are present and that the manufacturer and importer have met their obligations. A distributor who knows or has reason to believe that a product is non-conforming, or that it has a vulnerability, must not distribute it and must inform the manufacturer and the market surveillance authorities.

🧾 End users have no obligations under the CRA itself; accountability for compliance lies with manufacturers, importers, and distributors throughout the supply chain. Operators of OT in essential sectors may still have their own duties under NIS2, which is a separate regime.

Product Types and Compliance Classes

The CRA places every product in a default category or in one of three listed categories: important products of Class I or Class II (Annex III) and critical products (Annex IV). The essential requirements are identical for all four; what changes is how conformity must be demonstrated.

Class | Description and examples from the Annexes | Assessment method
Default | Any product with digital elements whose core functionality is not listed in Annex III or IV; most industrial control products such as PLCs, CNC controllers, SCADA components and field devices fall here | Self-assessment by the manufacturer (internal control)
Important, Class I | Routers and switches, operating systems, VPN products, password managers, boot managers, network management and SIEM systems, microprocessors and microcontrollers with security-related functionality, smart home security devices, connected toys with social or location features | Self-assessment only where harmonised standards, common specifications or a European cybersecurity certification scheme are fully applied; otherwise third-party assessment by a notified body
Important, Class II | Hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers | Third-party conformity assessment by a notified body
Critical | Hardware devices with security boxes, smart meter gateways and other devices for advanced security purposes such as secure cryptoprocessing, smartcards and secure elements | European cybersecurity certification at assurance level at least "substantial" once the Commission mandates it by delegated act; otherwise third-party assessment by a notified body

Classification follows the product's core functionality, not the sector it is deployed in: a PLC installed in an energy plant is a default-category product unless its core functionality is one of the listed types (an industrial firewall or router, for example). Classification changes the conformity assessment route, and with it cost and time to market, but not the essential requirements, which apply in full to every class. A misclassified product has no valid conformity assessment behind its CE marking and exposes the manufacturer to fines and corrective orders from market surveillance authorities.

Product Conformity

Conformity means that the product meets the essential requirements of Annex I. Part I of that Annex sets the properties the product itself must have; Part II sets the vulnerability handling processes the manufacturer must run (covered in the next section). The main Part I requirements are:

  • Design, develop and produce the product with a level of cybersecurity appropriate to the risks identified in the manufacturer's own cybersecurity risk assessment, and place it on the market without known exploitable vulnerabilities.
  • Ship it with a secure-by-default configuration that the user can reset the product to.
  • Provide security updates through a secure update mechanism, enabled by default, and separate from functionality updates where feasible.
  • Protect against unauthorised access through authentication, identity and access management, and report possible unauthorised access where relevant.
  • Protect the confidentiality and integrity of stored, transmitted and processed data, commands, programs and configuration, and limit data processing to what the product's function needs.
  • Keep essential functions available under denial-of-service conditions and avoid harming other devices or networks.
  • Minimise the attack surface, including external interfaces, and limit the impact of an incident through exploitation mitigation mechanisms.
  • Record and monitor relevant internal activity, including access to and modification of data, with an opt-out for the user.
  • Let users securely and easily remove all their data and settings.
  • Document the cybersecurity risk assessment in the technical documentation and update it whenever changes in design, development or production affect cybersecurity.

Why Does the CRA Matter?

The CRA brings cybersecurity to the same level as safety and EMC compliance — a non-negotiable part of product development.

Security is now a design requirement

Security can no longer be an afterthought. Protections must be designed into products from the start; patching remains mandatory for the whole support period, but it complements secure design rather than substituting for it.

Responsibility shifts to the supply side

End users aren't expected to assess cybersecurity. The burden now lies on manufacturers, importers, and distributors to ensure product compliance.

A unified legal framework across the EU

The CRA unifies cybersecurity rules across all EU Member States, replacing fragmented national laws with one consistent legal framework.

Vulnerability Management: A Core Pillar of CRA Compliance

Annex I Part II and Article 14 require manufacturers to run the following vulnerability handling processes for the whole support period:

01.

Pre-market Phase

Manufacturers must:

– Identify and document vulnerabilities and components, including a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies.

– Identify and assess vulnerabilities from the design phase through testing, with regular and effective testing and review of the product's security.

– Maintain a cybersecurity risk assessment (threat model and risk register) that is updated as the design changes.

02.

Post-market Phase

Manufacturers are required to:

– Address and remediate discovered vulnerabilities without delay by providing security updates and, once an update is available, publicly disclosing the fixed vulnerability with its severity, impact and the remediation steps users should take.

– Publish and apply a coordinated vulnerability disclosure (CVD) policy, provide a contact address for reporting vulnerabilities, and share information on potentially vulnerable third-party components with the relevant parties.

– Report, via the single reporting platform, to the CSIRT designated as coordinator in the Member State of their main establishment and to ENISA:

– Actively exploited vulnerabilities: early warning within 24 hours of becoming aware, vulnerability notification within 72 hours, final report no later than 14 days after a corrective or mitigating measure is available.

– Severe incidents affecting the security of the product: early warning within 24 hours of becoming aware, incident notification within 72 hours, final report within one month of the incident notification.

– Inform impacted users without undue delay, together with any risk mitigation and corrective measures they can apply.

03.

Long-term Obligations

– Set a support period that reflects the expected product lifetime. It should be at least 5 years unless the product is expected to be in use for less, and its end date must be clearly indicated at the time of purchase.

– Provide security updates free of charge for the whole support period (tailor-made products for business users may agree otherwise), and keep each update available for at least 10 years after it is issued or for the remaining support period, whichever is longer.

– Keep the technical documentation and the EU declaration of conformity for at least 10 years after the product is placed on the market, or for the support period, whichever is longer.

Product Conformity: Designing for CRA Compliance

Meeting CRA obligations requires secure product architecture, rigorous documentation, and lifecycle tracking. Key expectations:

  • Products must feature secure-by-default configurations and minimized attack surfaces.
  • All risk-related decisions and changes should be traceable.
  • Technical documentation (Annex VII) must include a general description of the product and its intended purpose, the design, development, production and vulnerability handling processes, the cybersecurity risk assessment, the basis for the chosen support period, the standards or specifications applied, test reports, the SBOM, and a copy of the EU declaration of conformity.
  • Design and production processes should evolve in response to new vulnerabilities or implementation risks.

CRA compliance is an engineering discipline — not just a regulatory checkbox.

Regulatory timeline

Entry into force: 10 December 2024

Provisions on notified bodies apply: 11 June 2026

Vulnerability and incident reporting becomes mandatory: 11 September 2026

Full application of the regulation: 11 December 2027

The Commission will periodically review the Cyber Resilience Act and report on its functioning.

Ready to Take Action?

CRA compliance is complex — but you’re not alone.