Programmable logic controllers (PLCs), HMIs, industrial robots, CNC machines – industrial automation is becoming increasingly connected. With the Cyber Resilience Act (CRA), binding EU-wide cybersecurity requirements apply to these products for the first time. For OEMs and machine builders, this represents a fundamental shift: cybersecurity becomes an integral part of product development and the entire lifecycle.
Why Industrial Automation Is in the CRA's Crosshairs
Industrial control systems were traditionally isolated – air-gapped and physically protected. Those days are over. Modern production facilities are connected via OPC UA, MQTT, or proprietary protocols, maintained remotely, and exchange data with cloud platforms.
This connectivity creates attack surfaces that the CRA aims to address. The consequences of a successful cyberattack on industrial controllers go far beyond data loss: production outages, quality issues, and in the worst case, risks to life and limb. For this reason, the CRA classifies many industrial automation components as "important products" subject to stricter assessment procedures.
Manufacturers of industrial machinery and automation components must understand that the CRA affects more than new installations: retrofits and substantial updates to existing products can also trigger a CRA conformity assessment.
Product Classification in Industrial Automation
Your product classification determines the required effort for conformity assessment.
PLCs and industrial controllers with network interfaces typically qualify as important products in Class I. This means self-assessment is possible when harmonized standards are fully applied. Otherwise, a notified body must be involved.
Industrial firewalls, gateway devices, and safety controllers may fall into Class II depending on their function, mandating notified body involvement.
Sensors, actuators, and simple field devices without their own network connectivity may not fall under the CRA, provided they contain no digital elements as defined by the regulation. However, as soon as a network interface is present – whether Ethernet, WiFi, or Bluetooth – the CRA applies.
For OEMs assembling machines from various components, additional complexity arises: they must ensure CRA conformity of individual components while also considering the overall machine.
Unique Challenges for Industry
Industrial automation faces specific CRA implementation challenges that differ significantly from consumer electronics.
Long product lifecycles. Industrial controllers are deployed for 15 to 25 years. The CRA requires security updates throughout the support period. Manufacturers must define a realistic support period and communicate it transparently. For products used beyond the defined support period, end of support must be clearly documented.
Real-time requirements. Many industrial systems have hard real-time constraints. Security measures such as encryption or authenticated communication must not impact cycle times. This requires careful balancing of security and performance – and hardware that supports both.
Legacy integration. New CRA-compliant components must often communicate with existing legacy installations that do not meet current security standards. Manufacturers need concepts for operating their products securely in mixed environments – for example through network segmentation or protocol gateways.
Complex supply chains. An industrial robot contains software from numerous suppliers: the real-time operating system, motor control libraries, communication stacks, safety libraries. For the SBOM, all these components must be captured. This requires close collaboration with suppliers who may not be accustomed to providing SBOM data.
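As an added illustration of what "capturing all components" looks like in practice (example code written for this article, not Kunnus tooling or any supplier's data), the block below assembles supplier-provided component records for a hypothetical robot controller into a minimal CycloneDX 1.5 SBOM and flags records a supplier left incomplete so they can be followed up. The product name, component names, versions and supplier names are constructed placeholders.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed supplier records for a hypothetical robot controller
# (placeholder data; not taken from any real product or supplier).
SUPPLIER_RECORDS = [
    {"name": "rt-kernel", "version": "4.2.1", "supplier": "RTOS Vendor A", "type": "operating-system"},
    {"name": "motorctl", "version": "2.7.0", "supplier": "Drive Vendor B", "type": "library"},
    {"name": "opcua-stack", "version": "1.04.3", "supplier": "Comm Vendor C", "type": "library"},
    {"name": "safety-lib", "version": "", "supplier": "", "type": "library"},  # supplier sent no version/name
]

REQUIRED_FIELDS = ("name", "version", "supplier")


def find_gaps(records):
    """Return {component name: [missing fields]} for records that cannot yet go into the SBOM."""
    gaps = {}
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            gaps[rec.get("name") or "<unnamed>"] = missing
    return gaps


def build_sbom(product_name, product_version, records):
    """Assemble a minimal CycloneDX 1.5 JSON document listing every captured component."""
    components = []
    for rec in records:
        components.append({
            "type": rec["type"],
            "name": rec["name"],
            "version": rec["version"] or "UNKNOWN",      # placeholder until the supplier confirms
            "supplier": {"name": rec["supplier"] or "UNKNOWN"},
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "device", "name": product_name, "version": product_version},
        },
        "components": components,
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom("robot-controller", "3.1.0", SUPPLIER_RECORDS), indent=2))
    print("gaps to resolve with suppliers:", find_gaps(SUPPLIER_RECORDS))
```

Components still marked UNKNOWN after supplier follow-up are the ones that cannot be matched against vulnerability advisories, which is where the ongoing monitoring described later breaks down.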
IEC 62443 as a Bridge to the CRA
Manufacturers already working with IEC 62443 have a significant head start on CRA implementation. The IEC 62443 series is the de facto standard for cybersecurity in industrial automation and covers many CRA requirements.
IEC 62443-4-1 defines requirements for the secure product development process (Secure Development Lifecycle), which directly addresses the CRA's "security by design" requirement. IEC 62443-4-2 defines technical security requirements for components that largely align with the CRA's essential requirements.
However, IEC 62443 does not cover all CRA requirements. Specifically, the SBOM obligation, specific vulnerability reporting duties, and EU declaration of conformity requirements are CRA-specific and must be addressed separately.
Harmonized standards for the CRA are expected to build on IEC 62443. Manufacturers starting with IEC 62443 today are investing in the right direction.
Practical Roadmap for OEMs
For machine builders and OEMs, a structured approach in four phases is recommended.
In the first phase, conduct an inventory: Which products fall under the CRA? Which product category applies to each? Which software components are contained in each product? Allow three to four weeks for this analysis.
In the second phase, close identified gaps: implement missing security mechanisms, build the SBOM process, and establish vulnerability management. Depending on your starting point, this phase can take six to twelve months.
In the third phase, prepare the technical documentation and conduct the conformity assessment. Plan for notified body interaction if required.
In the fourth phase, establish ongoing processes: continuous vulnerability monitoring, regular SBOM updates, incident reporting processes, and security update planning.
Kunnus provides a platform supporting all these phases – from initial gap analysis through ongoing vulnerability management to audit preparation. This keeps you organized across multiple product lines and lets you demonstrate CRA compliance efficiently.
Start with our free CRA readiness assessment and find out what steps are next for your products.