The CRA stipulates clear security requirements for products, including access protection, the protection of confidentiality, integrity, availability, and even a secure delivery state. In order to ensure a secure development process, these aspects must be taken into consideration above all during design, development, and manufacturing.
The Cyber Resilience Act (CRA) From December 11, 2027, networked products in the EU must comply with the requirements of the Cyber Resilience Act (CRA). Cybersecurity will thus become mandatory throughout the entire product lifecycle. Our products will also meet these requirements. At the same time, we will support you in adapting your processes and enhancing the security of your systems.
Der CRA unterteilt Produkte mit digitalen Elementen in insgesamt vier Risikoklassen
What does this mean for users?
The CRA enables users to benefit from products that meet higher cybersecurity standards and pose fewer risks due to hackers, security vulnerabilities, or other threats. Such products must have the CE marking, which demonstrates their conformity with the new requirements.
Manufacturers are also required to maintain the products throughout their entire lifecycle and to provide automatic security updates. Users can therefore rely on the cybersecurity guarantees of CE-marked products.
Die wichtigsten Meilensteine des CRA im Überblick
Schedule for implementation of the CRA
Implementation of the CRA follows a clearly defined timeline with several milestones. Following its publication in the Official Journal of the European Union, the regulation entered into force on December 10, 2024. The requirement to comply will take effect after a transition period during which manufacturers can adapt their products, processes, and documentation accordingly.
You need to be aware of these important dates:
- December 10, 2024: Entry into force of the Cyber Resilience Act
- June 11, 2026: Notification of conformity assessment bodies comes into effect
- September 11, 2026: Introduction of mandatory reporting obligations for manufacturers
- December 11, 2027: All requirements apply in full for the products concerned
Products that do not comply with the CRA requirements as of December 11, 2027, may no longer be placed on the market in the European Union. Cybersecurity is thus becoming a fundamental requirement for products.
CRA implementation at Phoenix Contact
In our e-shop, the products are marked with the “CRA-ready” icon
“CRA-ready” for your planning certainty
Open and transparent communication is particularly important to us during the implementation of the CRA, so that you can benefit from long-term planning certainty for your projects. That is why we mark affected products in our e-shop with the status “CRA-ready”.
“CRA-ready” means that the product can be deployed and integrated right away. As things stand, no hardware changes are required to meet the requirements of the Cyber Resilience Act. Any necessary adjustments can be implemented via firmware or software updates. Changes can also be made to the documentation. This assessment is based on the current state of knowledge and does not constitute a legally binding statement.
The majority of the affected products are already marked accordingly in the e-shop. Further items will be added gradually so that you have as complete and transparent an overview as possible of our portfolio with regard to the CRA. If a product has not yet been assigned the “CRA-ready” status, it is currently under review. This does not mean that it will not meet the requirements. Please feel free to contact us; we will check the status for you on a case-by-case basis.
Products that do not meet future requirements will be discontinued well in advance of the CRA coming into force. In such cases, we will offer you suitable replacement or alternative products so that you can plan ahead and make the switch in a timely manner.
Significance of the CRA for your products The Cyber Resilience Act makes one thing clear above all else: Cybersecurity is becoming a fundamental requirement for networked products. Security requirements have been firmly embedded in Phoenix Contact’s product development for years, so many of our solutions already meet key security and resilience requirements. Click on the respective CRA requirements to find out more about how we implement them.
360° security – our comprehensive range without compromises
Our comprehensive 360° security concept
Comprehensive protection for your systems and support with new directives
For us, cybersecurity is more than just secure products and regulatory requirements. We help you effectively protect your industrial networks against cyberattacks.
To do this, we take a holistic approach to industrial security. This is exactly where our 360° security approach comes in: It combines technical, organizational, and procedural measures based on established standards such as IEC 62443 and integrates them into a comprehensive, overall concept. This allows us to cover all relevant areas, from the selection and integration of secure components to the design of robust network architectures, secure operation, and a structured approach to handling security incidents.
At the same time, we provide concrete support to help you implement new regulatory requirements such as the Cyber Resilience Act, NIS 2, and the Machinery Regulation. Our experts work with you to analyze your needs and develop customized solutions to ensure that your machines and systems are set up securely.
What does this mean for manufacturers?
As part of the secure development process, manufacturers must actively scrutinize their products for vulnerabilities and also rectify them immediately. Security updates should be provided free of charge and cover a period of five years. The CRA also introduces additional reporting obligations: Manufacturers must notify the European Union Agency for Cybersecurity (ENISA) immediately if they become aware of actively exploited vulnerabilities or attacks on their products that can jeopardize security, e.g., through manipulation of download areas.
Failure to comply with the requirements of the Cyber Resilience Act can have far-reaching consequences for manufacturers. Products without a valid CE marking or without demonstrated conformity may not be placed on the market or distributed within the European Union.
In addition, companies face substantial fines of up to 15 million euros or 2.5% of their global annual turnover (whichever amount is higher).
The Cyber Resilience Act applies not only to EU manufacturers, but to all products made available on the EU market, regardless of where they are manufactured.
Products from the US or Asia, for example, must also comply with CRA requirements as soon as they are sold or placed on the market in the EU.
The CRA and the NIS 2 Directive take different approaches, but complement each other in their effects: While the CRA regulates the cybersecurity of products with digital elements and is therefore primarily aimed at manufacturers, NIS 2 focuses on the security of operators.
Under NIS 2, companies must secure their systems and processes, while the CRA ensures that the products used already meet the necessary security requirements.
LinkedIn: Industrial communication and cybersecurity Become a part of our community now!
Industrial communication networks enable us to reliably transmit data from the field, through the control level, all the way to the cloud. Our Industrial communication and cybersecurity LinkedIn page provides you with interesting information on network availability, cyber security, remote maintenance, and much more. Become a part of our community!