CRA Compliance for Industrial and OT Products
The EU Cyber Resilience Act sets binding cybersecurity obligations for connected industrial and OT products — from design to end-of-life.
Product Cybersecurity: An Unresolved Challenge for the EU
For over a decade, digital products have entered the EU market with inconsistent — or nonexistent — security requirements. Many connected products, including industrial systems, still lack adequate safeguards. The EU has officially recognized cybersecurity as "one of its main challenges," with cyberattacks considered "a matter of public interest" (CRA Recital 1).
This regulatory vacuum has left the internal market fragmented and vulnerable, with significant risks to economic stability, democratic integrity, and public safety.
The Cyber Resilience Act (CRA) is the EU’s strategic response: a unified regulation designed to raise the security baseline across all digital products and ensure long-term cyber resilience.
📘 Want a quick summary? Download our CRA Compliance Cheat Sheet
What is the CRA?
The CRA introduces minimum cybersecurity standards for any product with digital functionality placed on the EU market. This includes both hardware and software capable of processing data, connecting to a network, or exchanging information.
Unlike voluntary guidelines or fragmented national laws, the CRA sets a binding, enforceable framework that applies across the full product lifecycle — from design and development to post-sale support and decommissioning.
For manufacturers of industrial and OT equipment in sectors like energy, mobility, or automation, CRA compliance means embedding security from day one — not bolting it on after launch. Non-compliance can result in fines up to €15 million, legal exposure, and reputational harm.
Which Products Fall Under the CRA?
The CRA covers a broad range of connected products — including consumer devices and complex industrial systems.
Examples:
- Consumer: smartphones, connected toys, wearables, voice assistants
- Industrial: PLCs, ICS, CNC machines, smart meters, field gateways, SCADA components
A product falls under the CRA if it:
- Contains software or firmware
- Connects to a network (directly or indirectly)
- Processes, stores, or transmits digital data
⚠️ If your product connects or communicates in any form — and is placed on the EU market — assume it is in scope and plan accordingly.
Who Is Responsible for CRA Compliance?
Manufacturers are responsible for ensuring that connected products are developed following secure-by-design principles. They must maintain up-to-date technical documentation, address cybersecurity risks throughout the product lifecycle, and manage vulnerabilities through monitoring, reporting, and patching mechanisms.
Importers must verify that any connected product brought into the EU market complies with all CRA requirements, including conformity assessments, proper documentation, and labeling before distribution.
Distributors are required to ensure that the products they make available on the market meet CRA compliance standards. This includes confirming proper documentation, verifying that products bear the correct markings, and not distributing items that pose known risks.
🧾 End users are not held legally responsible under the CRA — the full accountability for compliance lies with manufacturers, importers, and distributors throughout the supply chain.
Product Types and Compliance Classes
| Class | Description | Assessment Method |
|---|---|---|
| By default | Minimal-risk, non-critical use | Self-assessment by manufacturer |
| Class I | Low risk (e.g. non-critical consumer electronics) | Self-assessment by manufacturer |
| Class II | Medium risk (e.g. IoT devices with sensitive data or industrial uses) | Third-party conformity assessment |
| Critical | High risk (e.g. industrial control systems in energy or transport) | Notified body assessment required |
Classification affects both technical requirements and the type of evaluation process. Products that are misclassified or non-compliant may face fines and liability.
Product Conformity
Product compliance is crucial to ensure that IT products meet the quality, safety and performance standards required for effective and safe use in business and consumer environments. These will be the new requirements applied:
- Design, develop, and produce the product with an adequate level of cybersecurity, and with default security policies.
- Evaluate and document all cybersecurity risks.
- Include cybersecurity assessment in the technical documentation.
- Systematically document relevant cybersecurity aspects.
Consider changes in the development, production, and design process that may impact cybersecurity.
Why Does the CRA Matter?
The CRA brings cybersecurity to the same level as safety and EMC compliance — a non-negotiable part of product development.
Security is now a design requirement
Security can no longer be an afterthought. Protections must be built into products from the start — not added later through patches or updates.
Responsibility shifts to the supply side
End users aren't expected to assess cybersecurity. The burden now lies on manufacturers, importers, and distributors to ensure product compliance.
A unified legal framework across the EU
The CRA unifies cybersecurity rules across all EU Member States, replacing fragmented national laws with one consistent legal framework.
Vulnerability Management:
A Core Pillar of CRA Compliance
To comply with CRA, manufacturers must establish robust processes for vulnerability handling:
01.
Pre-market Phase
Manufacturers must:
– Identify and assess vulnerabilities from the design phase through testing.
– Maintain a comprehensive threat model and risk register.
02.
Post-market Phase
Manufacturers are required to:
– Address and remediate any discovered vulnerabilities.
– Follow coordinated vulnerability disclosure practices.
– Report incidents according to the following timeline:
– Initial notification: within 24 hours
– Intermediate report: within 72 hours
– Final report: within 14 days
– Notify ENISA or a designated national CSIRT.
03.
Long-term Obligations
– Provide free security updates for at least 5 years.
– Maintain technical documentation for:
– At least 10 years post-market
– The duration of support, whichever is longer.
Product Conformity: Designing for CRA Compliance
Meeting CRA obligations requires secure product architecture, rigorous documentation, and lifecycle tracking. Key expectations:
- Products must feature secure-by-default configurations and minimized attack surfaces.
- All risk-related decisions and changes should be traceable.
- Technical documentation must include threat models, system architecture, risk evaluations, and evidence of testing.
- Design and production processes should evolve in response to new vulnerabilities or implementation risks.
CRA compliance is an engineering discipline — not just a regulatory checkbox.