
EU Cyber Resilience Act (CRA)

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a landmark regulation introducing mandatory cybersecurity requirements for all "products with digital elements": any hardware or software product, together with its remote data processing, whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. It was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024; the bulk of its obligations apply from 11 December 2027.

The goal is to move away from cybersecurity as an afterthought. Instead, products must adhere to the principles of Security by Design and Security by Default from the very beginning of their development.

Who is Affected by the CRA?

The CRA applies to manufacturers (including anyone who substantially modifies a product and places it on the market under their own name), importers, and distributors of digital products placed on the EU market, regardless of where the company is based. This includes:

  • Industrial control systems (ICS).
  • IoT devices and connected sensors.
  • Machine components with network interfaces.
  • Software products and embedded systems.

For the manufacturing industry, this means anyone producing or selling networked machinery or industrial software in the EU must comply. Operators are also indirectly affected: from 11 December 2027 a product may only be placed on the market with a CE marking and an EU declaration of conformity, so CRA conformity becomes a critical procurement criterion that suppliers must demonstrate before a sale.

Core Requirements of the CRA

The regulation defines obligations across the entire product lifecycle:

  • Development (Security by Design): Products must be delivered without known exploitable vulnerabilities and with a minimized attack surface, secure default configurations, protection against unauthorized access, and state-of-the-art encryption of sensitive data at rest and in transit. The manufacturer must perform and document a cybersecurity risk assessment for the product.
  • Operations & Vulnerability Management: Manufacturers must actively manage flaws, including a coordinated vulnerability disclosure policy and a contact point for reporting. Actively exploited vulnerabilities and severe incidents must be reported through the single reporting platform to the national CSIRT and ENISA: an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report within 14 days (vulnerabilities) or one month (incidents). Security updates must be provided free of charge for a support period that reflects the expected time the product is in use, which is at least five years unless the product is expected to be used for a shorter time; each update must stay available for at least ten years after it is issued or for the rest of the support period, whichever is longer.
  • Conformity Assessment: Before the CE marking can be affixed, the product must undergo a conformity assessment. Most products can be self-assessed; important products of class II and critical products require third-party verification by a "Notified Body" (or an EU cybersecurity certification).

Product Categories: Standard vs. Critical

The CRA distinguishes between products based on their risk level (the earlier Commission proposal called the higher tiers "critical class I/II"; the adopted regulation uses the categories below):

  1. Default Products: Most digital products fall here and can demonstrate compliance via self-assessment.
  2. Important Products Class I (Annex III): Includes operating systems, network management systems, routers and switches, VPN products, password managers, identity and privileged access management, and microcontrollers with security functions. These must fully apply harmonized standards, common specifications, or an EU cybersecurity certification scheme; otherwise a Notified Body must be involved.
  3. Important Products Class II (Annex III): Includes firewalls, intrusion detection and prevention systems, hypervisors and container runtimes, and tamper-resistant microprocessors and microcontrollers. These must be assessed by an independent Notified Body or carry an EU cybersecurity certification.
  4. Critical Products (Annex IV): Smart meter gateways, smartcards and secure elements, and hardware devices with security boxes. The Commission may require these to obtain an EU cybersecurity certification; until then they follow the Class II procedure.

Industrial automation and control systems (IACS), listed as class II in the proposal, are not in the final annexes. An industrial product is therefore a default product unless it embeds one of the listed functions (for example an industrial firewall or a network management system).

Impact on MES and Connected Production

For operators of smart factories, the CRA has two immediate consequences:

  • Supplier Qualification: Buying a Cloud MES or an OT gateway now requires proof of CRA conformity: CE marking, the EU declaration of conformity, and the user information on the support period and update channel. Like NIS2, this will become a non-negotiable part of the bidding process.
  • Security Transparency (SBOM): Manufacturers must maintain a Software Bill of Materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies of the product. The CRA makes it part of the technical documentation that must be handed to market surveillance authorities on request; operators should ask for it in procurement, because this list of software components (including open-source libraries) is what allows rapid identification of affected products when a component vulnerability is published.

Cloud-native MES platforms designed with API-first architectures, automated security updates, and documented vulnerability management are structurally better positioned to meet CRA requirements than legacy on-premise solutions that require manual hardening.

Timeline: Key Dates

  • 20 November 2024: Publication in the EU Official Journal; entry into force on 10 December 2024.
  • 11 June 2026: Provisions on the notification of conformity assessment bodies (Notified Bodies) apply.
  • 11 September 2026: Reporting obligations for actively exploited vulnerabilities and severe incidents take effect.
  • 11 December 2027: Full application; all products placed on the market from this date must comply.

FAQ

Does the CRA apply to Software-as-a-Service (SaaS)? Pure SaaS offerings that are not tied to a product placed on the market are outside the CRA; cloud services are regulated on the operator side by NIS2 instead. The CRA does cover standalone software products and "remote data processing" (a cloud backend without which a local product cannot perform one of its functions), so hybrid products, local software or devices with a cloud backend, are in scope. Where the boundary falls depends on the individual product's architecture.

What is an SBOM and why does it matter? A Software Bill of Materials (SBOM) is a machine-readable "ingredient list" of the software components in a product, typically in the CycloneDX or SPDX format. The CRA requires manufacturers to draw one up as part of the product's technical documentation, so that when a vulnerability is published for a specific open-source library, the manufacturer can identify every affected product quickly and ship a patch, and users can check whether the products they run contain the component.
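The SBOM-based identification described in the Security Transparency bullet and in this answer, as an added example that is not SYMESTIC's code and not taken from the regulation text: it parses a CycloneDX JSON SBOM, extracts each component's package URL (purl), and matches it against an advisory feed using numeric version comparison. The SBOM content, the package names and the advisory identifiers (`EXAMPLE-2024-000x`) are constructed for illustration and do not refer to real software or real vulnerabilities; the feed format (introduced/fixed version pairs) is an assumption modelled on how public advisory databases express affected ranges.

```python
"""Match a CycloneDX SBOM against an advisory feed.

Added example: SBOM, package names and advisory IDs are constructed/fictional.
"""
import json
from typing import Iterable, Optional

# Constructed CycloneDX 1.5 JSON SBOM for a fictional OT gateway firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "firmware", "name": "ot-gateway", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "mqttlib",   "version": "1.4.2",  "purl": "pkg:generic/mqttlib@1.4.2"},
    {"type": "library", "name": "tlsstack",  "version": "2.9.10", "purl": "pkg:generic/tlsstack@2.9.10"},
    {"type": "library", "name": "jsonparse", "version": "0.8.0",  "purl": "pkg:npm/jsonparse@0.8.0"}
  ]
}
"""

# Constructed advisory feed: affected if introduced <= version < fixed.
# "fixed": None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "type": "generic", "name": "mqttlib",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2024-0002", "type": "generic", "name": "tlsstack",
     "introduced": "2.9.0", "fixed": "2.9.8"},      # 2.9.10 already carries the fix
    {"id": "EXAMPLE-2024-0003", "type": "npm", "name": "jsonparse",
     "introduced": "0.0.0", "fixed": None},
]


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2). Numeric comparison matters: as strings,
    '2.9.10' < '2.9.8', which would wrongly flag a patched component."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_purl(purl: str) -> tuple:
    """Split 'pkg:type/namespace/name@version' into (type, name, version).
    Qualifiers ('?...') and subpaths ('#...') are dropped; the namespace stays
    part of the name so 'org.example/lib' never collides with a bare 'lib'."""
    body = purl[4:] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        name, _, version = rest.rpartition("@")
    else:
        name, version = rest, ""
    return ptype, name, version


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(sbom_json: str, advisories: Iterable[dict]) -> list:
    """Return one finding per (component, advisory) pair that matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without an identifier cannot be matched: flag it in a real audit
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if (adv["type"], adv["name"]) != (ptype, name):
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": purl, "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['component']}: {f['advisory']} (fixed in {f['fixed_in'] or 'no fix yet'})")
```

Run against the constructed input, the matcher reports `mqttlib` 1.4.2 (fixed in 1.4.3) and `jsonparse` 0.8.0 (no fix yet) and correctly skips `tlsstack` 2.9.10, which a naive string comparison against the fixed version 2.9.8 would have flagged. In practice the advisory feed would be pulled from a vulnerability database and the SBOM taken from the supplier's technical documentation; the matching logic stays the same.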

What are the penalties for non-compliance? Breaching the essential cybersecurity requirements or the core manufacturer obligations can be fined up to €15 million or 2.5% of global annual turnover, whichever is higher; other obligations carry up to €10 million or 2%, and supplying incorrect or misleading information to authorities up to €5 million or 1%. Additionally, market surveillance authorities can restrict, withdraw, or recall non-compliant products.

How does the CRA relate to NIS2? They are two sides of the same coin. NIS2 regulates the operators of essential and important entities (how they run and secure their operations), while the CRA regulates the products (how they are built and maintained). NIS2 tells you how to operate securely; the CRA ensures the products you buy are secure by design and receive security updates throughout their support period.
