Cyber Resilience Act (CRA): Cybersecurity for connected products

With the Cyber Resilience Act (CRA), binding cybersecurity requirements for ‘products with digital elements’ will come into force across the EU from December 2027. The new requirements are designed to ensure cybersecurity throughout the entire product lifecycle and to promote the spread of secure technologies, protect consumers and strengthen trust in digital products. INSYS icom supports companies in the early and sustainable implementation of regulatory requirements.

With the Cyber Resilience Act (CRA), the European Union is creating its first horizontally applicable security regulation for digital products. The aim is to establish a uniform minimum level of cybersecurity throughout the internal market. Almost all networked products are affected, from industrial routers to IoT components. In future, manufacturers will be obliged to meet comprehensive requirements for secure product development, vulnerability management and the provision of security updates. Importers and distributors will also be included in the regulatory responsibility.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) expands the existing CE marking, which was previously focused primarily on functional safety, to include mandatory cybersecurity requirements. In future, products will not only be assessed for mechanical or electrical risks, but also for whether they are adequately protected against cyber attacks.

The regulation applies to all networked products with digital elements. This includes both hardware with network functions, such as industrial routers, and pure software products. The aim of the CRA is to increase the cybersecurity of hardware and software solutions, create greater transparency regarding implemented security mechanisms, and make manufacturers more accountable for continuous vulnerability management.

Who is affected?

The requirements of the Cyber Resilience Act affect a broad group of players throughout the life cycle of digital products. In particular, the following target groups must adapt to the new cybersecurity requirements:

  • Manufacturers, distributors and retailers of digital products.
  • Companies that develop their own digital components.
  • Operators of critical infrastructure that rely on digitally connected products.

Relevant sectors: critical infrastructures, industrial communication technology, remote control technology, utilities, public institutions, and mechanical and plant engineering.

Meet CRA requirements securely with INSYS icom

Cyber-secure solutions and a CRA-compliant product portfolio for your requirements.

What does the CRA actually mean?

The Cyber Resilience Act requires manufacturers to ensure a minimum level of cybersecurity for all connected products with digital elements. The implementation of these requirements must be clearly documented and demonstrated. Specifically, this means:

Security by Design

Connected products must be designed to be cyber-secure from the outset, e.g. through encrypted firmware.

Security by Default

Secure default settings such as automatic security updates or the avoidance of default passwords are mandatory.

Declaration of conformity

Manufacturers must prove that their product meets all CRA requirements, for example through harmonised standards or equivalent internal procedures with corresponding auditability.

Vulnerability management

Identified vulnerabilities must be reported, documented and remedied throughout the entire product life cycle.

Software Bill of Materials (SBOM)

An SBOM (‘ingredients list’ of all software components) must be created during the development phase. Publication is not required.
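As an added example (not INSYS icom code, and not code from the original page), the script below assembles such an ‘ingredients list’ for one firmware release and checks it for the two defects that most often make an SBOM useless for vulnerability tracking: components without a version and duplicate entries. The document layout follows the CycloneDX JSON schema; the component inventory and the release name are constructed sample data, and the `pkg:generic/...` identifiers are a placeholder convention assumed here.

```python
"""Build and sanity-check a minimal SBOM for a software or firmware release.

Added example, not INSYS icom code. Uses the CycloneDX JSON layout
(bomFormat / specVersion / metadata / components); the inventory below is
constructed sample data, not a real product's component list.
"""
import hashlib
import json
from typing import Dict, List

# Constructed sample inventory: what a build pipeline would normally extract
# from package manifests or the firmware build tree. Two defects are planted
# on purpose: zlib has no version, and openssl appears twice.
SAMPLE_COMPONENTS: List[Dict[str, str]] = [
    {"name": "openssl", "version": "3.0.13", "type": "library", "supplier": "OpenSSL Project"},
    {"name": "busybox", "version": "1.36.1", "type": "application", "supplier": "BusyBox"},
    {"name": "zlib", "version": "", "type": "library", "supplier": "zlib"},
    {"name": "openssl", "version": "3.0.13", "type": "library", "supplier": "OpenSSL Project"},
]


def make_bom_ref(name: str, version: str) -> str:
    """Stable identifier for a component so that two SBOMs can be diffed (assumed convention)."""
    return f"pkg:generic/{name}@{version}" if version else f"pkg:generic/{name}"


def build_sbom(product: str, product_version: str, components: List[Dict[str, str]]) -> Dict:
    """Assemble a CycloneDX-style SBOM document listing every component of one release."""
    entries = []
    for c in components:
        ref = make_bom_ref(c["name"], c["version"])
        entries.append({
            "type": c["type"],
            "name": c["name"],
            "version": c["version"],
            "supplier": {"name": c["supplier"]},
            "purl": ref,
            "bom-ref": ref,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "firmware", "name": product, "version": product_version}
        },
        "components": entries,
    }


def validate_sbom(doc: Dict) -> List[str]:
    """Return the problems that would stop this SBOM from being matched against CVE data."""
    problems: List[str] = []
    seen = set()
    for entry in doc.get("components", []):
        label = f"{entry.get('name')}@{entry.get('version') or '?'}"
        if not entry.get("version"):
            problems.append(f"{label}: missing version (cannot be matched against CVE data)")
        if not entry.get("supplier", {}).get("name"):
            problems.append(f"{label}: missing supplier")
        ref = entry.get("bom-ref")
        if ref in seen:
            problems.append(f"{label}: duplicate bom-ref {ref}")
        seen.add(ref)
    return problems


def sbom_digest(doc: Dict) -> str:
    """SHA-256 over canonical JSON, to file with the release record as audit evidence."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


if __name__ == "__main__":
    sbom = build_sbom("demo-router-firmware", "1.0.0", SAMPLE_COMPONENTS)
    print(json.dumps(sbom, indent=2))
    for problem in validate_sbom(sbom):
        print("PROBLEM:", problem)
    print("sbom sha256:", sbom_digest(sbom))
```

Running the validator as part of the build (and failing the build on any problem) is what turns the SBOM from a one-off document into something the vulnerability-management process can rely on: every later CVE match is only as good as the names and versions recorded here, and the digest gives an auditor a fixed reference for which component list belonged to which release.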

Security Updates

Security updates must be provided throughout the entire support period.

What needs to be done and by when?

The regulation came into force in December 2024 and must be implemented by 11 December 2027. New products placed on the market must meet all requirements by this date.

Due to the complexity of the requirements, early action is necessary. Companies in critical infrastructures and industrial applications should already be aligning their product strategy, security architecture and maintenance processes with the requirements of the Cyber Resilience Act in order to avoid subsequent conversion costs, delivery delays and regulatory risks.

Timeline Cyber Resilience Act

  • 11 December 2024: CRA comes into force
  • 11 June 2026: conformity assessment bodies (CABs) can assess compliance with CRA requirements
  • 11 September 2026: mandatory reporting of vulnerabilities and incidents
  • 11 December 2027: effective date of CRA requirements

What are the penalties?

Failure to comply with the requirements of the Cyber Resilience Act can lead to serious consequences:

  • Sales ban within the EU internal market, e.g. for industrial communication solutions in energy or utility networks
  • Substantial fines of up to €15 million or 2.5% of global annual turnover. This also applies to providers of telecontrol and network technology.
  • Obligation to recall affected products and significant liability risks, especially for operators of critical infrastructure

Free whitepaper:

‘Secure introduction of VPN-based remote maintenance: How INSYS icom supports machine manufacturers with the Cyber Resilience Act’

Contents
  • Secure remote maintenance in an increasingly networked industry
    • Cyber Resilience Act
    • Future viability through secure connectivity
  • Increasing requirements due to regulations and their implementation
    • Effects of the CRA for machine manufacturers
    • Practical measures and investments in cyber security
  • Secure solutions for CRA compliance
    • Increased network security with icom OS
    • Secure remote access with icom Connectivity Suite (iCS)
    • Centralised device management with icom Router Management (iRM)
  • Cyber Resilience Act – an opportunity for secure machine connectivity and new remote maintenance solutions

INSYS icom solution expertise

Secure device architecture

CRA-compliant router architectures with secure firmware.

Security updates

Automated security updates with audit-proof logging via icom Router Management.

Logging

Central documentation of all configuration changes and accesses.

VPN-Service

VPN service with strong authentication and encrypted data transmission.

Secure Development

Application of security-related IEC 62443-4-1 processes in software development and maintenance.

CVE monitoring

Support for vulnerability management through systematic CVE monitoring.

INSYS icom solutions offer a technically secure product architecture and automated processes for updating, logging and verification. This creates clear advantages in terms of auditability, operational reliability and regulatory compliance in the European single market.

Security & Compliance

Here you will find relevant evidence and documents regarding CRA compliance, certified development processes and IT security measures at INSYS icom.

Cyber Resilience Act – Frequently asked questions

Which products are affected by the Cyber Resilience Act?

The CRA affects almost all digital products with a direct or indirect network connection. These include networked industrial components, software products, IoT devices and communications hardware. The decisive factor is that the product contains digital elements and can communicate with other systems or networks in some form.

How does INSYS icom support the implementation of the Cyber Resilience Act?

INSYS icom offers secure device architectures, automated update management and audit-proof documentation of technical security functions. This provides companies with a solid foundation for meeting CRA requirements during ongoing operations.

What obligations do operators of critical infrastructures have under the CRA?

Although the CRA is primarily aimed at manufacturers, operators of critical infrastructure are obliged to use only compliant devices. They must also ensure that available security updates and patches are installed promptly in order to comply with operational safety and legal requirements.

Does the CRA also apply to software solutions without a physical product?

Yes, standalone software that is directly or indirectly network-compatible is also covered by the regulation.

What role does vulnerability management play in the Cyber Resilience Act?

The CRA requires manufacturers to continuously identify, assess and remedy vulnerabilities. In addition, security-related vulnerabilities must be reported to central EU platforms. Vulnerability management thus becomes a central component of the security process throughout the entire product lifecycle.

What is the significance of the Cyber Resilience Act when considering IT security in close connection with OT security?

The groundbreaking EU regulation aims to improve cybersecurity for a wide range of connected devices and eliminate vulnerabilities in the increasingly digitised and connected industrial landscape. In this context, the Cyber Resilience Act requires manufacturers to consider cybersecurity requirements as early as the development phase and to comply with them throughout the entire product life cycle. INSYS icom provides proof of this with, among other things, certification according to the international standard IEC 62443-4-1.

We have summarised further measures and, above all, opportunities in connection with the regulation in our whitepaper ‘Secure introduction of VPN-based remote maintenance: How INSYS icom supports machine manufacturers with the Cyber Resilience Act’.

INSYS icom also meets these cybersecurity requirements

NIS 2

The NIS 2 Directive (Network and Information Security) sets out binding cybersecurity requirements for critical infrastructures.

Radio Equipment Directive (RED)

The extended RED Directive sets out binding cybersecurity requirements for internet-connected radio equipment such as routers and IoT devices.

Learn more about our secure products

Router & Gateways: Maximum IT security and regulatory compliance

Router Management: Centralised management for updates, configurations and documentation

VPN-Service: Encrypted, tamper-proof remote access

Any questions left? We will be happy to assist you!