The European industrial automation market is undergoing structural transformation. With the adoption of the Cyber Resilience Act (CRA) — Regulation (EU) 2024/2847 — cybersecurity is becoming a mandatory component of industrial equipment architecture: not a feature to be added later, but a foundational requirement embedded from design to end-of-life.
Where industrial equipment was once evaluated primarily on reliability, performance, temperature range, and fault tolerance, today the critical evaluation criteria have expanded to include:
- Security development lifecycle — embedding secure development principles at every stage, from design to end-of-life support
- Vulnerability management — a formalised process for identifying, assessing, and remediating security risks
- Update policy — regular and predictable delivery of firmware and security patch updates
- Software component transparency — provision of an SBOM (Software Bill of Materials) and full documentation of software composition
- Compliance with international cybersecurity standards — adherence to IEC 62443 and applicable EU regulatory frameworks
Central to this transformation is IEC 62443 — the international standard for industrial cybersecurity — which is rapidly becoming the reference framework for manufacturers, integrators, auditors, and critical infrastructure operators across the European Union.
1. Why This Matters Now
Industrial networks are no longer isolated. The IT/OT convergence that has accelerated across European industry since 2020 has fundamentally changed the attack surface of operational technology environments. What once consisted of local PLC systems, isolated OT segments, and minimal external integration has today transformed into remote management, IIoT infrastructure, cloud connectivity, IT/OT convergence, and centralised monitoring.
This fundamentally changes the risk model. A modern cyberattack targeting industrial infrastructure can result not only in data loss, but in production shutdowns, logistics disruption, infrastructure failure, loss of operational control, and failures in energy and transport systems.
Key OT/ICS Threat Statistics — 2024–2025
- Ransomware attacks on the industrial sector spiked 87% year-on-year in 2024. Manufacturing was the top ransomware target for four consecutive years. (Source: Zero Networks OT Security Trends 2025)
- 60% increase in ransomware groups specifically targeting OT/ICS in 2024. 75% of OT attacks begin as IT breaches. (Source: Zero Networks 2025)
- 1,015 industrial sites experienced physical disruption from cyberattacks in 2024 — a 146% increase from 412 in 2023. Nation-state attacks with physical consequences tripled. (Source: Waterfall Security / ICS STRIVE 2025)
- Manufacturing accounted for more than two-thirds of ransomware victims in 2025. Average ransomware dwell time in OT environments: 42 days. (Source: Dragos 2026 OT/ICS Cybersecurity Report)
- 22% of industrial organisations reported a cybersecurity incident in the past year; 40% of incidents caused operational disruption. (Source: SANS Institute ICS/OT Cybersecurity Report 2025)
- 89% of NIS2-scoped organisations will need to hire additional cybersecurity staff to comply. (Source: ENISA NIS2 Investment Impact Assessment, November 2024)
2. CRA and NIS2 — Understanding the Difference
NIS2 and the Cyber Resilience Act are frequently cited together, but they regulate fundamentally different domains. The CRA regulates the security of digital products; NIS2 regulates the security of organisations and the services they provide. Together, they form a "compliance handshake": NIS2 supply chain audit requirements are simplified when procured products already carry CRA certification.
NIS2 — Directive (EU) 2022/2555
Protection of infrastructure and operational processes. Mandatory cybersecurity obligations for operators across 18 critical sectors. Non-compliance: fines up to €10 million or 2% of global annual revenue.
CRA — Regulation (EU) 2024/2847
Product security — built-in from design, enforced across the full lifecycle. Applies to all hardware and software products with digital elements sold on the EU market.
Source: EU Cyber Resilience Act (Regulation EU 2024/2847); NIS2 Directive (EU 2022/2555). complycra.eu, 2026.
NIS2 Directive
NIS2 entered into application on 17 October 2024, replacing the original NIS Directive from 2016. It significantly expands mandatory cybersecurity obligations for operators of essential and important entities across 18 critical sectors, including energy, transport, manufacturing, healthcare, telecoms, data centres, and utilities.
Key obligations under NIS2:
- Risk management — a systematic approach to identifying and mitigating security threats
- Incident monitoring — continuous tracking of security events and anomalies
- Access control — restriction of user and system privileges based on security policies
- Security audits — regular compliance assessments against applicable standards
- Incident response — documented procedures for rapid response to cyber events
- 24-hour incident notification — mandatory reporting to national competent authorities within 24 hours of a significant incident
Cyber Resilience Act (CRA)
The Cyber Resilience Act entered into force on 10 December 2024. It applies to manufacturers of all hardware and software products with digital elements sold on the EU market. The core principle: security must be built into the product at the design stage — not retrofitted after deployment.
Manufacturer obligations under the CRA:
- Secure architecture — product design based on security-by-design principles
- Vulnerability management process — systematic control and remediation of security issues
- Update mechanism — the ability to deliver secure and regular software updates
- Software component transparency — SBOM provision and software composition documentation
- Security lifecycle support — maintaining security throughout the entire product lifecycle
Source: EU Cyber Resilience Act, Regulation (EU) 2024/2847, Article 14 and Annex I. Published in the Official Journal of the EU on 20 November 2024. digital-strategy.ec.europa.eu
3. Key Industrial Cybersecurity Terms
Secure Development Lifecycle (SDL)
The integration of security practices at every stage of product development: design (security requirements at the architectural level), development (secure coding practices), testing (vulnerability assessment and resilience verification), release (security validation), and ongoing product support (patch releases and incident response throughout the supported lifecycle).
Vulnerability Management
A formalised process covering: discovery (identifying potential vulnerabilities), analysis (assessing criticality and impact), classification (risk-based prioritisation using CVSS scoring), patch release (development and distribution of security fixes), and customer notification (disclosure of identified issues and recommended mitigations).
PSIRT (Product Security Incident Response Team)
A dedicated manufacturer team responsible for processing vulnerability reports, issuing security advisories, coordinating security response, and engaging with external security researchers through coordinated disclosure programmes.
SBOM (Software Bill of Materials)
A comprehensive, machine-readable inventory of all software components within a device — including libraries and dependencies, firmware modules, open-source components, and version information. Under the CRA, SBOM provision is a mandatory compliance element. Critically, without SBOM, manufacturers cannot systematically detect and report actively exploited vulnerabilities as required from September 2026.
RBAC (Role-Based Access Control)
Access control based on user roles, restricting critical functions to authorised roles, separating access levels across user categories, and minimising internal risk by reducing the probability of errors and privilege abuse.
Secure Boot
A hardware-enforced security mechanism that ensures only trusted and digitally signed software can be loaded at system startup, preventing the execution of modified or malicious code at the boot level.
TPM (Trusted Platform Module)
A hardware cryptographic security module used for secure storage of cryptographic keys, hardware-level data encryption, secure device authentication, and platform integrity verification.
4. The Role of IEC 62443
IEC 62443 is the foundational international standard for industrial cybersecurity, developed jointly by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). It provides a comprehensive framework applicable to all industry sectors and critical infrastructure environments, and is actively referenced by EU regulators as part of CRA harmonised standards development.
The standard is a living framework. The updated ANSI/ISA-62443-2-1-2024, published in January 2025, introduced revised Security Program Elements (SPEs) with a maturity model. In December 2025, ISA-TR62443-2-2-2025 followed, providing guidance on day-to-day security protection schemes. The 2024 updates harmonise IEC 62443 with ISO/IEC 27001, NIST SP 800-82, and the EU NIS2 Directive.
Source: International Society of Automation (ISA), January 2025. ANSI/ISA-62443-2-1-2024 publication. isa.org. Echelon Risk + Cyber, 2025.
IEC 62443-4-1: Secure Product Development Requirements
Defines requirements for the secure development process for IACS product suppliers. Covers SDL processes, secure coding practices, vulnerability management, update and patch management, and security testing methodologies. The standard includes four maturity levels and covers 47 process requirements evaluated through the CB Scheme, applicable in over 50 countries.
IEC 62443-4-2: Technical Component Security Requirements
Defines cybersecurity requirements for individual IACS components — embedded devices, network components, host components, and software applications. More than 140 specific requirements are grouped under seven Foundational Requirements (FRs): Identification and Authentication Control, Use Control, System Integrity, Data Confidentiality, Restricted Data Flow, Timely Response to Events, and Resource Availability.
Source: Security Compass, 2025. securitycompass.com. Applus+ Laboratories. appluslaboratories.com
5. Manufacturer Readiness: Market Overview
The industrial automation market is evolving unevenly. Some manufacturers have moved proactively to implement IEC 62443 and CRA requirements; others are at an early stage of adaptation. The following overview, compiled by Industrial Personal Computer 2U GmbH, assesses the cybersecurity readiness posture of key vendors available through our product portfolio.
Antaira Technologies
Antaira Technologies is actively integrating cybersecurity mechanisms into its industrial networking equipment portfolio, with primary focus on secure firmware authentication, RBAC, update and patch management, vulnerability management processes, and industrial network protection architecture. The company is aligned with IEC 62443 and maintains a vulnerability disclosure process.
CTC Union — Networking Solutions for Extreme Conditions
CTC Union Technologies focuses on an engineering-oriented approach to security and incident management. Key focus areas include vulnerability disclosure policy, incident response procedures, and secure maintenance, with a phased IEC 62443 migration roadmap in progress.
ICP DAS
ICP DAS has developed a comprehensive approach to industrial system protection, with PSIRT implementation, secure controller architecture, IEC 62443-4-1 readiness, and ISO/IEC 27001-aligned processes across its controllers, remote I/O, and IoT gateway product lines.
NEXCOM — Industrial IoT & Edge Computing Solutions
NEXCOM International specialises in secure industrial computing platforms and edge computing solutions for critical infrastructure. Security features include Secure Boot, TPM 2.0, Hardware Root of Trust, and secure BIOS protection across its industrial edge computers and cybersecurity appliances.
PLANET Technology
PLANET Technology offers a broad range of industrial networking solutions with a developing CRA readiness posture. Focus areas include industrial network protection, foundational network security, access management, and managed security functions, with a CRA readiness roadmap in development.
6. Implications for Real Projects
Equipment selection decisions made today carry long-term regulatory consequences. Industrial equipment typically has a service life of 10–15 years, meaning products selected now must remain compliant throughout their operational lifespan — extending well into the 2030s.
If Equipment Lacks CRA Readiness
Where a manufacturer has no transparent vulnerability management process, no security update policy, and cannot confirm lifecycle security posture, the consequences may include: compliance failures during mandatory CRA audits, forced infrastructure modernisation ahead of schedule, additional unplanned costs, and supply restrictions for the EU market from December 2027.
If the Manufacturer Is Moving Toward IEC 62443 and CRA
Where a manufacturer provides a clear compliance roadmap aligned to IEC 62443 and CRA requirements: a predictable compliance path reduces planning uncertainty, lifecycle risks are reduced, audits are simplified, and long-term infrastructure stability is enhanced.
Source: Keysight SBOM Manager Analysis, September 2025; EU CRA Article 69(3).
7. Practical Equipment Selection Checklist
When evaluating industrial equipment for EU deployment, certification alone is insufficient. The following criteria should be assessed for each vendor and product:
| Criterion | What to Verify |
|---|---|
| Secure Development Lifecycle | Does the manufacturer document and certify their SDL process? |
| PSIRT | Is there a dedicated Product Security Incident Response Team with a published contact? |
| SBOM Support | Can the manufacturer provide a current SBOM for each product version? |
| Vulnerability Disclosure Process | Is there a published, structured vulnerability disclosure policy with clear timelines? |
| Patch Management | Are security patches released on a regular, predictable schedule? |
| CRA Roadmap | Does the manufacturer have a documented plan for full CRA compliance by December 2027? |
| IEC 62443 Strategy | What is the manufacturer's IEC 62443 certification status or roadmap? |
| Firmware Update Policy | How are firmware updates signed, delivered, and verified? |
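The Secure Boot definition in section 3 and the "Firmware Update Policy" row above both come down to one mechanism: a loader or updater must verify a digital signature over the firmware image with the vendor's public key before it accepts the image. The Go program below is an added example, not code from this page or from any vendor listed on it. The image layout (a 4-byte magic, a 4-byte length, the payload, then an Ed25519 signature over header plus payload) is constructed for illustration and is not a real vendor format; the key pair is generated at run time, whereas a real device would hold the vendor public key in protected storage.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not a real vendor format):
//   magic(4) | payloadLen(4, big-endian) | payload | signature(64)
// The signature covers magic, length and payload, so a tampered
// length field is detected as well as a tampered payload.
var magic = []byte("FWIM")

// SignImage is the manufacturer-side step: wrap the payload in the
// header and sign header+payload with the vendor's private key.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	body := append(hdr, payload...)
	sig := ed25519.Sign(priv, body)
	return append(body, sig...)
}

// VerifyImage is the device-side check a secure-boot loader or firmware
// updater performs before running anything: parse the header, reject
// malformed or truncated images, verify the signature with the trusted
// vendor public key, and only then release the payload to the caller.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < 8+ed25519.SignatureSize {
		return nil, errors.New("image too short")
	}
	if !bytes.Equal(image[:4], magic) {
		return nil, errors.New("bad magic")
	}
	n := int(binary.BigEndian.Uint32(image[4:8]))
	if n != len(image)-8-ed25519.SignatureSize {
		return nil, errors.New("length field does not match image size")
	}
	body := image[:8+n]
	sig := image[8+n:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature verification failed")
	}
	return body[8:], nil
}

func main() {
	// Key pair generated here for the demonstration only (assumption):
	// a real device ships with the vendor public key in protected storage.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload v1.2.3")
	image := SignImage(priv, payload)

	if _, err := VerifyImage(pub, image); err == nil {
		fmt.Println("genuine image: accepted")
	}

	// One flipped payload byte, as a modified or corrupted image would present.
	tampered := append([]byte(nil), image...)
	tampered[8] ^= 0xff
	if _, err := VerifyImage(pub, tampered); err != nil {
		fmt.Println("tampered image: rejected,", err)
	}

	// An image signed by a different key is rejected even though it is well formed.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	if _, err := VerifyImage(otherPub, image); err != nil {
		fmt.Println("image for another vendor key: rejected,", err)
	}
}
```

The order of checks matters in practice: size and header sanity before any cryptographic work, and no part of the payload is interpreted until the signature is valid. A procurement review can ask a vendor to describe exactly this chain (which key, where it is stored, what the signature covers, and what happens on failure) rather than accept "signed firmware" as a one-word answer.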
8. EU Regulatory Timeline
- 17 Oct 2024: NIS2 Directive became fully applicable across all EU Member States.
- 10 Dec 2024: CRA entered into force (Regulation EU 2024/2847). Published in the Official Journal of the EU on 20 November 2024.
- 11 Jun 2026: Member States must complete establishment of Notified Bodies — conformity assessment bodies authorised to certify high-risk products.
- 11 Sep 2026: Manufacturer reporting obligations begin. Mandatory notification of actively exploited vulnerabilities and severe security incidents to ENISA and designated national CSIRTs via the CRA Single Reporting Platform. Deadlines: 24-hour early warning, 72-hour full notification, 14-day final report. Applies to ALL in-scope products on the EU market, including legacy products placed before December 2027.
- 11 Dec 2026: Member States required to have ensured sufficient Notified Bodies to avoid certification bottlenecks.
- 11 Dec 2027: Full CRA implementation. All digital products placed on the EU market must meet the complete set of essential cybersecurity requirements and carry CE marking. Self-assessment for ~90% of products; mandatory third-party certification for critical/important products.
Sources: European Commission digital-strategy.ec.europa.eu; BSI bsi.bund.de; Hogan Lovells CRA 2026 analysis; Cycode CRA Complete Guide.
Industrial equipment typically has a service life of 10–15 years. Equipment selected in 2025–2026 must therefore maintain security compliance throughout its full operational lifespan — well into the 2030s.
9. How Industrial Personal Computer 2U GmbH Supports Your Compliance
Industrial Personal Computer 2U GmbH (IPC2U) supports customers across Europe in adapting to the requirements of industrial cybersecurity regulation, including the Cyber Resilience Act and NIS2 Directive. IPC2U supports projects in industrial automation, Industrial IoT (IIoT), energy infrastructure, transport systems, industrial Ethernet, and critical infrastructure environments.
IPC2U helps customers to:
- Assess infrastructure readiness against CRA and NIS2 requirements
- Select CRA-ready solutions with verified vendor compliance postures
- Reduce audit risks through documentation and vendor qualification support
- Develop long-term modernisation strategies aligned to the EU regulatory timeline
10. Conclusion
Industrial equipment selection today is no longer solely a question of performance. The regulatory environment established by the EU Cyber Resilience Act and NIS2 Directive has made cybersecurity a non-negotiable procurement criterion for any organisation operating in or supplying to the EU market.
The critical factors are now:
- CRA readiness — verified by documented processes, not just declarations
- Transparency of security processes — PSIRT, SBOM, vulnerability disclosure
- IEC 62443 compliance — as a framework, roadmap, or certified achievement
- Manufacturer's ability to support the product across its full lifecycle
These factors will determine the resilience of industrial infrastructure in 2026–2027 and beyond. Organisations that begin their compliance preparation now — verifying vendor readiness, implementing SBOM-based vulnerability tracking, and establishing incident response workflows — will be positioned for a controlled compliance path. Those that wait for December 2027 risk being non-compliant from September 2026.
11. Frequently Asked Questions
What is the EU Cyber Resilience Act (CRA)?
The EU Cyber Resilience Act (Regulation EU 2024/2847) is a mandatory cybersecurity regulation that requires all manufacturers of hardware and software products with digital elements sold on the EU market to implement security by design, maintain vulnerability management processes, provide software transparency (SBOM), and support security updates throughout the product lifecycle. It entered into force on 10 December 2024 and applies in full from 11 December 2027.
When does the Cyber Resilience Act apply?
The CRA entered into force on 10 December 2024. Two obligations apply earlier than full implementation: manufacturer vulnerability and incident reporting (Article 14) begins on 11 September 2026, and the framework for Notified Bodies applies from 11 June 2026. Full compliance, including CE marking for all digital products, is required by 11 December 2027.
What is the difference between NIS2 and the CRA?
NIS2 regulates organisations — requiring essential and important entities (energy, transport, manufacturing, healthcare, etc.) to implement cybersecurity risk management and report incidents. The CRA regulates products — requiring manufacturers of digital products to embed security from design through end-of-life. NIS2 applies to operators; the CRA applies to manufacturers. Both entered into application in 2024.
What is IEC 62443 and how does it relate to the CRA?
IEC 62443 is the international standard for industrial automation and control system (IACS) cybersecurity, developed by ISA and IEC. It provides technical requirements for secure product development (IEC 62443-4-1) and component security (IEC 62443-4-2). The European Commission is developing harmonised standards based on IEC 62443 as part of CRA implementation. Manufacturers certified under IEC 62443-4-1 are well-positioned to demonstrate CRA compliance.
What is an SBOM and why is it required under the CRA?
An SBOM (Software Bill of Materials) is a machine-readable inventory of all software components in a product — libraries, firmware modules, open-source components, and version numbers. The CRA requires manufacturers to provide SBOMs as part of product transparency obligations. Critically, SBOM readiness is operationally required by September 2026 (not just December 2027), because manufacturers must track and report actively exploited vulnerabilities starting on 11 September 2026.
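The SBOM entry in section 3 and this answer both describe the same operational use of an SBOM: a machine-readable component list that can be matched against vulnerability advisories so that affected products are found systematically rather than by memory. The Go program below is an added example, not code from this page or from any vendor it names. The SBOM is a constructed, minimal CycloneDX-style JSON document for a hypothetical gateway firmware, the advisory feed is constructed with placeholder IDs (not real CVEs), and the dotted-numeric version comparison is a simplification of real version schemes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Minimal CycloneDX-style SBOM shape; only the fields this example uses.
type SBOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// Advisory is one entry of a vulnerability feed. Fixed is the first version
// that is no longer affected; an empty Fixed means no fix has been released.
type Advisory struct {
	ID       string
	Name     string
	Fixed    string
	Severity string
}

// Finding pairs an SBOM component with an advisory that applies to it.
type Finding struct {
	Component Component
	Advisory  Advisory
}

// Constructed SBOM for a hypothetical industrial gateway firmware.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl",   "version": "3.0.7",  "purl": "pkg:generic/openssl@3.0.7"},
    {"name": "busybox",   "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
    {"name": "libmodbus", "version": "3.1.6",  "purl": "pkg:generic/libmodbus@3.1.6"}
  ]
}`

// Constructed advisory feed. IDs are placeholders, not real CVE numbers.
var sampleAdvisories = []Advisory{
	{ID: "ADV-PLACEHOLDER-001", Name: "openssl", Fixed: "3.0.8", Severity: "high"},
	{ID: "ADV-PLACEHOLDER-002", Name: "busybox", Fixed: "1.36.0", Severity: "medium"},
	{ID: "ADV-PLACEHOLDER-003", Name: "libmodbus", Fixed: "", Severity: "critical"},
}

// compareVersions compares dotted numeric versions component by component,
// returning -1, 0 or 1. Missing trailing components are treated as 0.
func compareVersions(a, b string) int {
	pa := strings.Split(a, ".")
	pb := strings.Split(b, ".")
	n := len(pa)
	if len(pb) > n {
		n = len(pb)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// MatchSBOM parses the SBOM and reports every component whose version is
// older than the advisory's fixed version, or any version when no fix exists.
func MatchSBOM(sbomJSON string, advisories []Advisory) ([]Finding, error) {
	var bom SBOM
	if err := json.Unmarshal([]byte(sbomJSON), &bom); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	var findings []Finding
	for _, c := range bom.Components {
		for _, adv := range advisories {
			if !strings.EqualFold(c.Name, adv.Name) {
				continue
			}
			if adv.Fixed == "" || compareVersions(c.Version, adv.Fixed) < 0 {
				findings = append(findings, Finding{Component: c, Advisory: adv})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := MatchSBOM(sampleSBOM, sampleAdvisories)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, f := range findings {
		fix := f.Advisory.Fixed
		if fix == "" {
			fix = "no fix available"
		}
		fmt.Printf("%s %s: %s (%s), fixed in %s\n",
			f.Component.Name, f.Component.Version, f.Advisory.ID, f.Advisory.Severity, fix)
	}
}
```

Run against the constructed inputs, the program flags openssl 3.0.7 (below the fixed 3.0.8) and libmodbus (no fix yet) and correctly passes busybox 1.36.1, which is already past its fixed version. The same loop, fed with a vendor's real SBOM per product version and a live advisory feed, is what lets an operator answer "which of our installed devices contain this component?" on the day an advisory is published, which is the operational reason the CRA ties SBOM provision to the September 2026 reporting obligation.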
What industrial equipment is subject to the CRA?
The CRA applies to all products with digital elements placed on the EU market — including industrial switches, PLCs, IoT gateways, edge computers, industrial routers, SCADA components, and any hardware or software with a direct or indirect network connection. Approximately 90% of products fall into a default category requiring self-assessment; critical and important products require third-party certification by a Notified Body.
What happens if industrial equipment does not comply with the CRA by December 2027?
Products that do not meet CRA requirements cannot be legally placed on the EU market from 11 December 2027. Manufacturers face potential market access restrictions, mandatory product recalls, and regulatory penalties. For industrial buyers, procuring non-compliant equipment creates audit risks, forced modernisation costs, and potential supply disruptions. Products already on the market before December 2027 are not retroactively removed — but are subject to vulnerability reporting obligations from September 2026.
How should industrial equipment buyers prepare for CRA compliance today?
Industrial buyers should: (1) audit their current equipment inventory against CRA scope criteria; (2) require vendors to provide SBOM and vulnerability disclosure documentation; (3) verify that shortlisted manufacturers have a PSIRT and a published CRA compliance roadmap; (4) prioritise products with IEC 62443-4-1 or 4-2 certification or a credible roadmap toward it; (5) establish internal incident response workflows capable of meeting the 24-hour reporting deadline to ENISA from September 2026.