The CRA stipulates clear security requirements for products, including access protection, the protection of confidentiality, integrity, availability, and even a secure delivery state. In order to ensure a secure development process, these aspects must be taken into consideration above all during design, development, and manufacturing.
The Cyber Resilience Act (CRA) From December 11, 2027, networked products in the EU must comply with the requirements of the Cyber Resilience Act (CRA). Cybersecurity will thus become mandatory throughout the entire product lifecycle. Our products will also meet these requirements. At the same time, we will support you in adapting your processes and enhancing the security of your systems.
Der CRA unterteilt Produkte mit digitalen Elementen in insgesamt vier Risikoklassen
What does this mean for users?
The CRA enables users to benefit from products that meet higher cybersecurity standards and pose fewer risks due to hackers, security vulnerabilities, or other threats. Such products must have the CE marking, which demonstrates their conformity with the new requirements.
Manufacturers are also required to maintain the products throughout their entire lifecycle and to provide automatic security updates. Users can therefore rely on the cybersecurity guarantees of CE-marked products.
Die wichtigsten Meilensteine des CRA im Überblick
Schedule for implementation of the CRA
Implementation of the CRA follows a clearly defined timeline with several milestones. Following its publication in the Official Journal of the European Union, the regulation entered into force on December 10, 2024. The requirement to comply will take effect after a transition period during which manufacturers can adapt their products, processes, and documentation accordingly.
You need to be aware of these important dates:
- December 10, 2024: Entry into force of the Cyber Resilience Act
- June 11, 2026: Notification of conformity assessment bodies comes into effect
- September 11, 2026: Introduction of mandatory reporting obligations for manufacturers
- December 11, 2027: All requirements apply in full for the products concerned
Products that do not comply with the CRA requirements as of December 11, 2027, may no longer be placed on the market in the European Union. Cybersecurity is thus becoming a fundamental requirement for products.
CRA implementation at Phoenix Contact
Significance of the CRA for your products The Cyber Resilience Act makes one thing clear above all else: Cybersecurity is becoming a fundamental requirement for networked products. Security requirements have been firmly embedded in Phoenix Contact’s product development for years, so many of our solutions already meet key security and resilience requirements. Click on the respective CRA requirements to find out more about how we implement them.
360° security – our comprehensive range without compromises
Our comprehensive 360° security concept
Comprehensive protection for your systems and support with new directives
For us, cybersecurity is more than just secure products and regulatory requirements. We help you effectively protect your industrial networks against cyberattacks.
To do this, we take a holistic approach to industrial security. This is exactly where our 360° security approach comes in: It combines technical, organizational, and procedural measures based on established standards such as IEC 62443 and integrates them into a comprehensive, overall concept. This allows us to cover all relevant areas, from the selection and integration of secure components to the design of robust network architectures, secure operation, and a structured approach to handling security incidents.
At the same time, we provide concrete support to help you implement new regulatory requirements such as the Cyber Resilience Act, NIS 2, and the Machinery Regulation. Our experts work with you to analyze your needs and develop customized solutions to ensure that your machines and systems are set up securely.
What does this mean for manufacturers?
As part of the secure development process, manufacturers must actively scrutinize their products for vulnerabilities and also rectify them immediately. Security updates should be provided free of charge and cover a period of five years. The CRA also introduces additional reporting obligations: Manufacturers must notify the European Union Agency for Cybersecurity (ENISA) immediately if they become aware of actively exploited vulnerabilities or attacks on their products that can jeopardize security, e.g., through manipulation of download areas.
Failure to comply with the requirements of the Cyber Resilience Act can have far-reaching consequences for manufacturers. Products without a valid CE marking or without demonstrated conformity may not be placed on the market or distributed within the European Union.
In addition, companies face substantial fines of up to 15 million euros or 2.5% of their global annual turnover (whichever amount is higher).
The Cyber Resilience Act applies not only to EU manufacturers, but to all products made available on the EU market, regardless of where they are manufactured.
Products from the US or Asia, for example, must also comply with CRA requirements as soon as they are sold or placed on the market in the EU.
The CRA and the NIS 2 Directive take different approaches, but complement each other in their effects: While the CRA regulates the cybersecurity of products with digital elements and is therefore primarily aimed at manufacturers, NIS 2 focuses on the security of operators.
Under NIS 2, companies must secure their systems and processes, while the CRA ensures that the products used already meet the necessary security requirements.
LinkedIn: Industrial communication and cybersecurity Become a part of our community now!
Industrial communication networks enable us to reliably transmit data from the field, through the control level, all the way to the cloud. Our Industrial communication and cybersecurity LinkedIn page provides you with interesting information on network availability, cyber security, remote maintenance, and much more. Become a part of our community!