What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is a European regulation that imposes cybersecurity requirements on hardware and software products placed on the EU market. The aim is to ensure that digital products are designed, developed, sold and maintained securely throughout their entire lifecycle.
For OT, this means that suppliers of products such as PLCs, industrial routers, HMIs or Industrial Internet of Things devices are required to develop and maintain their products securely, including updates and vulnerability management.
What does the Cyber Resilience Act cover?
- Security by design: security must be built in from the start of product development
- Vulnerability management: suppliers must follow up on and remediate disclosed vulnerabilities
- Notification duty: exploits or serious weaknesses must be reported to ENISA within 24 hours
- Update obligation: security updates must be provided in a timely manner and at no extra cost
- User information: products must be supplied with clear information on security and support duration
Scope in OT
| Example component | CRA application |
|---|---|
| PLC or RTU | Firmware must be secure, updates traceable and verified |
| Industrial router | Must offer secure default configuration and an update process |
| SCADA software | Supplier must publish and patch vulnerabilities |
| Sensor with network interface | Counts as a "connected device", so subject to the CRA |
| Engineering software | Subject to documentation, logging and update requirements |
The CRA also applies to IT components used indirectly in OT, such as embedded operating systems, databases and update agents.
Key obligations for vendors
| Requirement | Impact for industrial vendors |
|---|---|
| Secure default settings | Products may not ship with insecure default passwords |
| Minimum support period | Vendors must provide updates for a defined period |
| Vulnerability documentation | Products must be supplied with their known security risks |
| Logging and audit trail | For certain classes, the product must support basic logging functions |
| Maintenance and patch process | Update mechanisms must be secure, controlled and transparent |
Relationship to other regulations
| Regulation / standard | Relationship to the CRA |
|---|---|
| NIS2 | The CRA supports NIS2 objectives for secure production chains |
| IEC 62443 | IEC 62443 overlaps with the design principles of the CRA |
| CE marking | The CRA becomes part of CE conformity for digital products |
| ENISA vulnerability database | Vendors must register known vulnerabilities there |
The CRA goes hand in hand with existing OT security standards but imposes legally binding requirements on product security.
In summary
The Cyber Resilience Act requires vendors of digital products to embed cybersecurity structurally. For OT, this means that all networked components, from field sensor to SCADA server, must meet requirements for secure development, vulnerability management and long-term maintenance.
