The European Union has published the Cyber Resilience Act (CRA), which lays down mandatory cybersecurity requirements for products with digital elements. Companies affected by the CRA have 36 months from its entry into force to comply in full; the vulnerability and incident reporting obligations apply earlier, after 21 months.
Who Must Comply with the CRA?
Manufacturers, importers, and distributors of digital products sold in the EU must comply with the CRA. This includes B2C products like smartphones and robotic vacuums, B2B products like controllers and sensors, and software products such as operating systems.
Key Requirements for Machine Manufacturers
- Risk Management: Products must be designed, developed and produced to meet the CRA's essential cybersecurity requirements and be kept secure throughout their lifecycle, from design to end-of-life, with security updates provided for the defined support period.
- Vulnerability Management: Known vulnerabilities must be handled and fixed without delay through security updates provided free of charge, unless otherwise agreed with business customers for tailor-made products.
- Documentation: Vulnerabilities and the product's software components must be documented, including a machine-readable software bill of materials (SBOM) covering at least the top-level dependencies.
- Reporting: Actively exploited vulnerabilities and severe incidents affecting product security must be reported, with an early warning within 24 hours of becoming aware of them, via the single reporting platform to the designated coordinating CSIRT and ENISA, followed by a fuller notification within 72 hours and a final report.
Actions Manufacturers Can Take
Pilz advises manufacturers to adapt to the CRA early. Collaboration with component makers and machine operators is essential, and issues such as network zoning and the delivery of software updates should be clarified early to meet the new obligations. Pilz has supported manufacturers for years in ensuring machine safety and meeting industrial cybersecurity requirements; without proper cybersecurity, machine safety measures themselves are at risk.
Practical Tips for Compliance
- Stay Updated: Subscribe to eur-lex.europa.eu for EU legislative updates.
- Use CSAF: The Common Security Advisory Framework (CSAF, an OASIS standard) is a machine-readable JSON format for security advisories that enables the automated distribution and consumption of vulnerability and remediation data, both for publishing advisories about your own products and for processing those of your component suppliers.
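To show what "automated consumption" of CSAF looks like in practice, here is an added example (not code from Pilz or from the CSAF project): a small Python script that loads a CSAF 2.0 advisory, checks that the mandatory document and tracking fields are present, and then, for a list of product IDs from your own component inventory, reports each product's status (known_affected, fixed, known_not_affected, ...) together with the vendor's remediation text. The advisory, the publisher "Example Components GmbH", the product names and the CSAFPID identifiers are all constructed for the example; the structural check covers only the top-level mandatory fields and is not a replacement for validating against the official CSAF JSON schema.

```python
"""Consume a CSAF 2.0 advisory: which inventory products are affected, and what is the fix?"""
from __future__ import annotations

import json

# Constructed sample advisory for illustration only (not a real vendor document).
# Field names follow the CSAF 2.0 standard; values are invented.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Components GmbH",
                      "namespace": "https://example.invalid"},
        "title": "Example advisory: authentication bypass in ExampleCtl firmware",
        "tracking": {
            "id": "EXAMPLE-SA-0001",
            "status": "final",
            "version": "1.0.0",
            "initial_release_date": "2024-06-01T00:00:00Z",
            "current_release_date": "2024-06-01T00:00:00Z",
            "revision_history": [{"date": "2024-06-01T00:00:00Z", "number": "1.0.0",
                                  "summary": "Initial release"}],
        },
    },
    "product_tree": {
        "full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "ExampleCtl firmware 1.2"},
            {"product_id": "CSAFPID-0002", "name": "ExampleCtl firmware 1.3"},
            {"product_id": "CSAFPID-0003", "name": "ExampleSensor firmware 2.0"},
        ]
    },
    "vulnerabilities": [
        {
            "title": "Authentication bypass in the ExampleCtl web interface",
            "product_status": {
                "known_affected": ["CSAFPID-0001"],
                "fixed": ["CSAFPID-0002"],
                "known_not_affected": ["CSAFPID-0003"],
            },
            "remediations": [
                {"category": "vendor_fix", "details": "Update to firmware 1.3",
                 "product_ids": ["CSAFPID-0001"]},
            ],
        }
    ],
})

# Top-level fields the CSAF 2.0 standard makes mandatory for every document.
REQUIRED_DOCUMENT_KEYS = ("category", "csaf_version", "publisher", "title", "tracking")
REQUIRED_TRACKING_KEYS = ("id", "status", "version", "initial_release_date",
                          "current_release_date", "revision_history")


def validate_minimal(csaf: dict) -> list[str]:
    """Return the missing mandatory fields (empty list = passes this minimal check).

    This is a structural sanity check before trusting the content; full conformance
    still requires validation against the official CSAF 2.0 JSON schema.
    """
    problems: list[str] = []
    doc = csaf.get("document", {})
    for key in REQUIRED_DOCUMENT_KEYS:
        if key not in doc:
            problems.append(f"document.{key}")
    for key in REQUIRED_TRACKING_KEYS:
        if key not in doc.get("tracking", {}):
            problems.append(f"document.tracking.{key}")
    if doc.get("csaf_version") != "2.0":
        problems.append("document.csaf_version must be '2.0'")
    return problems


def product_names(csaf: dict) -> dict[str, str]:
    """Map product_id -> readable name from product_tree.full_product_names.

    The standard also allows a nested 'branches' tree; that form is not handled here.
    """
    entries = csaf.get("product_tree", {}).get("full_product_names", [])
    return {e["product_id"]: e["name"] for e in entries}


def triage(csaf_text: str, inventory: list[str]) -> dict[str, list[dict]]:
    """For each inventory product_id, list its status per vulnerability plus the
    remediations the vendor ties to that product. Unknown IDs get an empty list."""
    csaf = json.loads(csaf_text)
    missing = validate_minimal(csaf)
    if missing:
        raise ValueError("not a well-formed CSAF 2.0 document, missing: " + ", ".join(missing))
    names = product_names(csaf)
    result: dict[str, list[dict]] = {pid: [] for pid in inventory}
    for vuln in csaf.get("vulnerabilities", []):
        title = vuln.get("title") or vuln.get("cve") or "(untitled)"
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                if pid not in result:
                    continue  # not in our inventory, ignore
                fixes = [r["details"] for r in vuln.get("remediations", [])
                         if pid in r.get("product_ids", [])]
                result[pid].append({"vulnerability": title, "status": status,
                                    "product": names.get(pid, pid), "remediations": fixes})
    return result


if __name__ == "__main__":
    # Constructed inventory: two components we ship plus one ID the advisory does not know.
    for pid, findings in triage(SAMPLE_CSAF, ["CSAFPID-0001", "CSAFPID-0003", "CSAFPID-9999"]).items():
        print(pid, findings)
```

In a real pipeline the `csaf_text` would come from the supplier's published provider-metadata.json and advisory feed, and the inventory IDs would be matched against your SBOM; the same `triage` function then tells you which shipped machines need an update and which remediation text to forward to operators.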