Cyber Resilience Act (CRA) vs. IEC 62443

Mandatory EU law meets established industrial standard for industrial cybersecurity

CRA: Binding EU law

Legal obligation with CE marking, market surveillance, and fines up to EUR 15 million; non-conformity means a market ban.

IEC 62443: Voluntary international industry standard

Best practice for industrial cybersecurity; valuable, but it confers no presumption of CRA conformity without a harmonized European standard.

IEC 62443 is an excellent starting point but not a CRA substitute. The EU Commission has clarified: Existing IEC 62443 certifications do not automatically lead to CRA conformity.

Coverage summary: 2 covered, 2 partial, 6 not covered

You have IEC 62443 certification — what else do you need for CRA?

An IEC 62443 certification provides the strongest starting position of any standard for CRA conformity. IEC 62443-4-1 (Secure Development Lifecycle) and IEC 62443-4-2 (Technical Requirements) cover 60–70% of CRA requirements. The remaining gaps are EU-specific and must be addressed deliberately.

CRA requirement / Coverage by IEC 62443

Secure development lifecycle (IEC 62443-4-1)
Covered

IEC 62443-4-1 defines detailed requirements for the secure development process — threat modeling, secure coding, security testing. This comprehensively covers the CRA's security by design requirement.

Technical security requirements (IEC 62443-4-2)
Covered

IEC 62443-4-2 defines technical security requirements for components (identification, access control, data integrity) that largely align with CRA Annex I Part I.

Security levels concept
Partial

The IEC 62443 Security Levels (SL 1-4) can partially map to CRA product classification (Default, Class I, Class II) — but the mapping is not 1:1.

Presumption of conformity from IEC 62443 certification
Partial

An IEC 62443 certification does not establish an automatic presumption of CRA conformity. Only harmonized European standards (hEN) published in the Official Journal of the EU establish such a presumption pursuant to Art. 27 CRA. However, IEC 62443 covers a significant portion of CRA requirements and is expected to serve as a foundation for CRA hENs.

SBOM obligation
Not covered

IEC 62443 contains no SBOM requirement. The CRA requires a machine-readable Software Bill of Materials for every product (Annex I Part II in conjunction with Art. 13).

ENISA vulnerability reporting (24h/72h)
Not covered

IEC 62443 has no external reporting obligation. The CRA requires reporting actively exploited vulnerabilities to ENISA within 24 hours — an EU-specific process.

EU Declaration of Conformity
Not covered

IEC 62443 has no EU Declaration of Conformity. The CRA requires a formal declaration per Annex V as a market access prerequisite.

CE marking
Not covered

CE marking is an EU regulatory requirement with no equivalent in IEC 62443.

Support period declaration
Not covered

IEC 62443 has no explicit support period obligation. The CRA obliges manufacturers to define and communicate a support period (minimum 5 years).

CRA-specific product classification (Annex III/IV)
Not covered

The CRA product classification (Default, Class I, Class II, Critical) determines the conformity assessment pathway and has no direct equivalent in IEC 62443.

01. Legal nature: Mandatory vs. voluntary

The CRA is binding EU law with penalties up to EUR 15M. IEC 62443 is voluntary. This distinction will partially dissolve once IEC 62443-based harmonized standards are published.

  • CRA: Non-compliance = fines, product recalls, sales bans
  • IEC 62443: Contractually or industry-motivated, not legally mandated
  • Outlook: IEC 62443-based hENs will establish presumption of CRA conformity

02. Scope and industry focus

IEC 62443 is focused on industrial automation (IACS). The CRA is horizontal and covers all products with digital elements across industries.

  • IEC 62443: Asset owners (-2-x), system integrators (-3-x), component manufacturers (-4-x)
  • CRA: Consumer IoT, software, medical devices, industrial — cross-sector
  • Greatest overlap: IEC 62443-4-1 (Secure Development Lifecycle) and -4-2 (technical security requirements)

03. Detailed requirements comparison

Significant overlap in security by design and technical requirements. IEC 62443 even exceeds the CRA with Security Levels — but EU-specific CRA obligations are missing.

  • Alignment: IEC 62443-4-1 (threat modeling, secure coding, penetration testing) maps to CRA security by design
  • IEC 62443 goes further: Security Levels SL1-SL4 provide granular tiering the CRA lacks
  • CRA gaps in IEC 62443: SBOM, ENISA reporting (24h/72h), EU Declaration of Conformity, product classification (Default/Class I/II/Critical)

04. IEC 62443 as a basis for harmonized CRA standards

CEN and CENELEC are developing CRA harmonized standards expected to build on IEC 62443. Until publication (earliest late 2026), direct demonstration against Annex I is required.

  • Presumption of conformity: Applying the hEN establishes the presumption that CRA requirements are met
  • Until then: Demonstrate CRA conformity directly against Annex I
  • Advantage: Companies with IEC 62443 certification start with a significant head start

05. No automatic presumption of conformity from IEC 62443

The EU Commission has clarified: IEC 62443 does not automatically establish a presumption of CRA conformity. Only harmonized European standards (hEN) in the EU Official Journal establish this per Art. 27 CRA.

  • Currently: IEC 62443 is an international standard (IEC/ISO), not a European hEN
  • In development: CEN/CENELEC developing hENs based on IEC 62443, ISO 27001, and ETSI EN 303 645
  • Until then: Demonstrate CRA conformity directly against Annex I — IEC 62443 as valuable foundation, but not sufficient alone

06. Strategic recommendation for companies

IEC 62443-certified companies already cover an estimated 60–70% of CRA requirements. The remaining gaps can be closed systematically.

  • Step 1: Gap analysis between IEC 62443 implementation and CRA Annex I
  • Step 2: Implement SBOM processes (no IEC 62443 equivalent)
  • Step 3: Establish ENISA reporting processes (24h/72h deadlines)
  • Step 4: Prepare EU Declaration of Conformity and CRA product classification

Synergies Between CRA and IEC 62443

IEC 62443 provides an excellent foundation for CRA conformity — with targeted supplements, the gap can be efficiently closed.

60–70% Coverage

A comprehensive IEC 62443 implementation already covers the majority of CRA requirements.

Presumption of Conformity

IEC 62443-based harmonized standards are expected to establish a CRA presumption of conformity.

Global Advantage

IEC 62443 is globally recognized — companies benefit from certification beyond the EU market.

Your Next Steps

1. Integrate SBOM into existing processes (high priority)

Add automated SBOM generation to your IEC 62443-4-1-compliant development process. Your existing software configuration management provides a solid foundation.

2. Implement ENISA reporting process (high priority)

Extend your existing vulnerability handling (IEC 62443-4-1 SM-6/SM-13) with the CRA-specific reporting channel to ENISA with 24h/72h deadlines.

3. Prepare EU Declaration of Conformity (medium priority)

Create the CRA Declaration of Conformity per Annex V. Leverage your existing IEC 62443 documentation as evidence for the technical requirements.

4. Determine CRA product classification (medium priority)

Check whether your products fall under CRA Annex III (Class I/II) or Annex IV (Critical) and plan the corresponding conformity assessment pathway.

Frequently Asked Questions

Does IEC 62443 replace CRA conformity?
No. IEC 62443 is a voluntary international standard and cannot replace the mandatory EU regulation. However, IEC 62443 is expected to serve as a basis for harmonized CRA standards. Once a harmonized standard based on IEC 62443 is published in the Official Journal of the EU, its application establishes a presumption of conformity with the CRA. Until then, IEC 62443 conformity alone is not sufficient as CRA evidence.
Is an existing IEC 62443 certification sufficient for the CRA?
Not fully, but it provides an excellent starting point. IEC 62443-4-1 (Secure Development Lifecycle) and IEC 62443-4-2 (Technical Security Requirements) cover an estimated 60–70% of CRA requirements. However, specific gaps remain: the CRA additionally requires a machine-readable SBOM, reporting obligations to ENISA (24h/72h), an EU Declaration of Conformity with CE marking, and product classification per CRA Annex III/IV. These gaps must be closed through supplementary measures.
Which CRA requirements does IEC 62443 not cover?
Four central CRA requirements are not contained in IEC 62443: (1) Machine-readable SBOM — IEC 62443 does not require a formal software bill of materials. (2) ENISA reporting obligations — the CRA requires reporting of actively exploited vulnerabilities within 24 hours and severe incidents within 72 hours; IEC 62443 has no such reporting requirement. (3) EU Declaration of Conformity with CE marking — this exists only in the CRA regulatory context. (4) CRA product classification — the categorization into Default/Class I/Class II/Critical with different conformity requirements has no equivalent in IEC 62443.
When will harmonized CRA standards based on IEC 62443 be available?
CEN and CENELEC are working on harmonized standards for the CRA, with IEC 62443 serving as an important foundation for the industrial domain. Publication of the first harmonized standards is expected no earlier than late 2026. Referencing in the Official Journal of the EU — necessary for the presumption of conformity — may take additional months. Manufacturers should not wait for harmonized standards but should implement CRA requirements from Annex I now. An existing IEC 62443 implementation significantly facilitates this process.
What advantages does IEC 62443 have over the CRA?
IEC 62443 offers greater depth of detail in certain areas than the CRA: The Security Level concept (SL1–SL4) enables granular tiering of security requirements based on the threat landscape — the CRA has no comparable tiering. The standard series addresses the entire IACS ecosystem (asset owners, integrators, component manufacturers) with specific requirements for each. IEC 62443-4-1 provides a detailed process framework for secure product development that goes beyond the general CRA requirements. Additionally, IEC 62443 is internationally recognized — including outside the EU, which is an advantage for globally operating manufacturers.
How should companies without IEC 62443 experience proceed?
Companies without prior IEC 62443 experience can still use the standard series strategically. Recommended approach: Use IEC 62443-4-1 as a practical guide for implementing a Secure Development Lifecycle — this simultaneously covers the CRA 'security by design' requirement. Reference IEC 62443-4-2 for technical security requirements for components. In parallel, implement CRA-specific requirements: establish SBOM processes, prepare ENISA reporting channels, conduct product classification, and prepare the EU Declaration of Conformity. Formal IEC 62443 certification is not required for CRA conformity but can strengthen market positioning.
What is the current status of harmonized standards for the CRA?
As of March 2026, the harmonized European standards for the CRA are still under development. CEN/CENELEC and ETSI have been mandated to develop them. Until publication in the Official Journal of the EU, existing standards such as IEC 62443 can support conformity but do not establish a presumption of conformity.
Which products are exempt from the CRA?
Not all products with digital elements fall under the CRA. Explicitly exempt are: medical devices and in vitro diagnostics (MDR/IVDR), motor vehicles and their type-approval (UN ECE R155/R156), aviation products, products for national security or defense, and certain open-source software not made available in the course of a commercial activity. If your product falls under one of these exemptions, the respective sector-specific cybersecurity requirements apply instead of the CRA.

From IEC 62443 to CRA conformity

Kunnus bridges the gap between IEC 62443 certification and CRA compliance. SBOM management, ENISA reporting processes, and conformity documentation — all in one platform.