Cyber Resilience Act: Challenges for device manufacturers

Tuesday, 8. April 2025

The EU’s Cyber Resilience Act also affects factory and process automation devices, including sensors, actuators, controllers and communication technologies – especially those with digital interfaces.

From the end of 2027, components with embedded software may only be placed on the market if they meet the specific requirements of the CRA. With the Cyber Resilience Act (CRA), the European Union has taken a groundbreaking step towards improving cyber security in the digital single market. It obliges manufacturers to implement security measures and provide updates in order to minimize potential risks for users.

From the end of 2027, digital components may only be placed on the market if they meet the basic security requirements of the CRA. In addition to increasing the resilience of digital systems to cyber threats, the regulation is also intended to help identify and close existing security gaps in devices.

Cyber security: Increased EU security standards for digital devices

Companies in the factory and process automation sector are facing the challenge of adapting their products to the new legal requirements of the CRA. Compliance with these regulations is mandatory in order to continue affixing a CE marking to their products and selling them in the EU. Security measures are not limited to the field device itself, but must also take particular account of its interfaces, such as fieldbuses.

Industrial fieldbuses and the Cyber Resilience Act

Initial measures already exist to protect access to a system or infrastructure against unauthorized manipulation. For example, the PROFIBUS user organization PI uses security class 1 for PROFINET to ensure that devices are correctly addressed by the controller. If PROFINET security is to be increased further, additional measures are required.

All measures and information on increasing the cyber security of industrial fieldbuses can be found in our technical article.

CRA requirements: MESCO experts support you with the implementation

Our hardware and software experts provide you with technology- and manufacturer-neutral support in implementing the requirements of the Cyber Resilience Act – from the initial analysis, through software and hardware adaptations, to supporting the declaration of conformity for your products.

MESCO’s services in consulting and implementing the CRA requirements include:

  • Selection of the appropriate conformity assessment procedure: As a rule, the assessment is carried out as part of a self-declaration for non-critical products.
  • Performing risk assessments and minimizing attack surfaces to reduce potential security risks.
  • Integration of protection mechanisms including measures for data integrity, confidentiality and other relevant security aspects.
  • Consulting and development of (cyber)secure fieldbus communication: PROFINET, EtherCAT, IO-Link as well as functionally safe protocols such as PROFIsafe, FSoE, IO-Link Safety.
  • Creation of a software bill of materials (SBOM) in accordance with the technical guidelines to ensure transparent traceability of software components.
  • Support in the identification and handling of vulnerabilities based on proven safety standards.
  • Detailed documentation according to CRA specifications to ensure compliance with regulatory requirements and support the declaration of conformity.

You can find an overview of all of MESCO’s services in the area of cyber security on the website https://mesco-engineering.com/en/services/.
