The Cyber Resilience Act (CRA) From December 11, 2027, networked products in the EU must comply with the requirements of the Cyber Resilience Act (CRA). Cybersecurity will thus become mandatory throughout the entire product lifecycle. Our products will also meet these requirements. At the same time, we will support you in adapting your processes and enhancing the security of your systems.

Production in accordance with the Cyber Resilience Act (CRA)
Group of people icon

Der CRA unterteilt Produkte mit digitalen Elementen in insgesamt vier Risikoklassen

What does this mean for users?

The CRA enables users to benefit from products that meet higher cybersecurity standards and pose fewer risks due to hackers, security vulnerabilities, or other threats. Such products must have the CE marking, which demonstrates their conformity with the new requirements.

Manufacturers are also required to maintain the products throughout their entire lifecycle and to provide automatic security updates. Users can therefore rely on the cybersecurity guarantees of CE-marked products.

Exclamation mark icon

Die wichtigsten Meilensteine des CRA im Überblick

Schedule for implementation of the CRA

Implementation of the CRA follows a clearly defined timeline with several milestones. Following its publication in the Official Journal of the European Union, the regulation entered into force on December 10, 2024. The requirement to comply will take effect after a transition period during which manufacturers can adapt their products, processes, and documentation accordingly.

You need to be aware of these important dates:

  • December 10, 2024: Entry into force of the Cyber Resilience Act
  • June 11, 2026: Notification of conformity assessment bodies comes into effect
  • September 11, 2026: Introduction of mandatory reporting obligations for manufacturers
  • December 11, 2027: All requirements apply in full for the products concerned

Products that do not comply with the CRA requirements as of December 11, 2027, may no longer be placed on the market in the European Union. Cybersecurity is thus becoming a fundamental requirement for products.

All facts at a glance
Guide to the Cyber Resilience Act

Get a quick overview of the Cyber Resilience Act: Our white paper, “The Cyber Resilience Act – the Future of Cybersecurity for Digital Products”, summarizes the key facts and shows you how Phoenix Contact is implementing the requirements in practice.

Download the white paper now
White paper: The Cyber Resilience Act – the Future of Cybersecurity for Digital Products

CRA implementation at Phoenix Contact


CRA-ready icon

In our e-shop, the products are marked with the “CRA-ready” icon

“CRA-ready” for your planning certainty

Open and transparent communication is particularly important to us during the implementation of the CRA, so that you can benefit from long-term planning certainty for your projects. That is why we mark affected products in our e-shop with the status “CRA-ready”.

“CRA-ready” means that the product can be deployed and integrated right away. As things stand, no hardware changes are required to meet the requirements of the Cyber Resilience Act. Any necessary adjustments can be implemented via firmware or software updates. Changes can also be made to the documentation. This assessment is based on the current state of knowledge and does not constitute a legally binding statement.

The majority of the affected products are already marked accordingly in the e-shop. Further items will be added gradually so that you have as complete and transparent an overview as possible of our portfolio with regard to the CRA. If a product has not yet been assigned the “CRA-ready” status, it is currently under review. This does not mean that it will not meet the requirements. Please feel free to contact us; we will check the status for you on a case-by-case basis.

Products that do not meet future requirements will be discontinued well in advance of the CRA coming into force. In such cases, we will offer you suitable replacement or alternative products so that you can plan ahead and make the switch in a timely manner.

Significance of the CRA for your products The Cyber Resilience Act makes one thing clear above all else: Cybersecurity is becoming a fundamental requirement for networked products. Security requirements have been firmly embedded in Phoenix Contact’s product development for years, so many of our solutions already meet key security and resilience requirements. Click on the respective CRA requirements to find out more about how we implement them.

Interactive image map: Overview of the CRA requirements
Security over the entire lifecycle
We already incorporate cybersecurity throughout the entire lifecycle of our products – from planning, design, and development through to production, delivery, and maintenance. The focus here is on the protection objectives of confidentiality, integrity, and availability, as well as effective protection against unauthorized access.
Security over the entire lifecycle
Practical documentation
This is supplemented by comprehensive and easy-to-understand documentation. You will receive all the information you need to install, integrate, operate, and, if necessary, decommission our products safely and securely. This lays the groundwork for you to operate your systems not only efficiently, but also safely, securely, and sustainably.
Practical documentation
Structured vulnerability management
In addition to documentation, transparent communication is crucial for systematic vulnerability management. We already provide you with targeted and reliable information about relevant vulnerabilities and available measures. Visit our PSIRT web page or subscribe to our PSIRT newsletter (in English) to stay up to date on the latest information.
Further information about our Product Security Incident Response Team (PSIRT)
Structured vulnerability management
Long-term security
We also provide security updates over the long term, giving you the certainty you need to plan your applications and investments. At the same time, we ensure that all necessary documentation can be provided to demonstrate compliance with security requirements, such as for CE marking.
Long-term security
Documentation of security risks
For our products, this means that cybersecurity risks are systematically identified, assessed, and documented. We take potential threats into consideration right from the development stage and maintain up-to-date and transparent records of the results throughout the entire lifecycle.
Documentation of security risks
Using our products safely
We continuously monitor and address security vulnerabilities and provide you with updates and recommendations for at least five years. For you, this means one thing above all else: long-term planning certainty for the products you use.
Using our products safely
White paper: A practical guide to IEC 62443
IEC 62443 as the success factor for security concepts

How can cybersecurity be reconciled with EU requirements such as NIS 2, the CRA, and the Machinery Regulation? Our white paper explains how IEC 62443 supports this process and provides an overview of how to implement cybersecurity in automation.

Download the white paper now
IEC 62443-certified products

360° security – our comprehensive range without compromises


Implementation of IEC 62443 – 360° security

Our comprehensive 360° security concept

Comprehensive protection for your systems and support with new directives

For us, cybersecurity is more than just secure products and regulatory requirements. We help you effectively protect your industrial networks against cyberattacks.
To do this, we take a holistic approach to industrial security. This is exactly where our 360° security approach comes in: It combines technical, organizational, and procedural measures based on established standards such as IEC 62443 and integrates them into a comprehensive, overall concept. This allows us to cover all relevant areas, from the selection and integration of secure components to the design of robust network architectures, secure operation, and a structured approach to handling security incidents.

At the same time, we provide concrete support to help you implement new regulatory requirements such as the Cyber Resilience Act, NIS 2, and the Machinery Regulation. Our experts work with you to analyze your needs and develop customized solutions to ensure that your machines and systems are set up securely.

What does this mean for manufacturers?

mGuard icon with security lock
Production icon
Non-compliance with the CRA
What does the CRA mean for products outside the EU?
The difference between NIS 2 and the CRA
mGuard icon with security lock

The CRA stipulates clear security requirements for products, including access protection, the protection of confidentiality, integrity, availability, and even a secure delivery state. In order to ensure a secure development process, these aspects must be taken into consideration above all during design, development, and manufacturing.

Production icon

As part of the secure development process, manufacturers must actively scrutinize their products for vulnerabilities and also rectify them immediately. Security updates should be provided free of charge and cover a period of five years. The CRA also introduces additional reporting obligations: Manufacturers must notify the European Union Agency for Cybersecurity (ENISA) immediately if they become aware of actively exploited vulnerabilities or attacks on their products that can jeopardize security, e.g., through manipulation of download areas.

Non-compliance with the CRA

Failure to comply with the requirements of the Cyber Resilience Act can have far-reaching consequences for manufacturers. Products without a valid CE marking or without demonstrated conformity may not be placed on the market or distributed within the European Union.

In addition, companies face substantial fines of up to 15 million euros or 2.5% of their global annual turnover (whichever amount is higher).

What does the CRA mean for products outside the EU?

The Cyber Resilience Act applies not only to EU manufacturers, but to all products made available on the EU market, regardless of where they are manufactured.

Products from the US or Asia, for example, must also comply with CRA requirements as soon as they are sold or placed on the market in the EU.

The difference between NIS 2 and the CRA

The CRA and the NIS 2 Directive take different approaches, but complement each other in their effects: While the CRA regulates the cybersecurity of products with digital elements and is therefore primarily aimed at manufacturers, NIS 2 focuses on the security of operators.

Under NIS 2, companies must secure their systems and processes, while the CRA ensures that the products used already meet the necessary security requirements.

LinkedIn logo

LinkedIn: Industrial communication and cybersecurity Become a part of our community now!

Industrial communication networks enable us to reliably transmit data from the field, through the control level, all the way to the cloud. Our Industrial communication and cybersecurity LinkedIn page provides you with interesting information on network availability, cyber security, remote maintenance, and much more. Become a part of our community!