Compliance

The EU Cyber Resilience Act (CRA): What It Means for OT and Industrial Devices

July 9, 202610 min readBy Beacon Security Team

What is the EU Cyber Resilience Act?

The EU Cyber Resilience Act, formally Regulation (EU) 2024/2847 and commonly called the CRA, is a landmark piece of European legislation that introduces mandatory cybersecurity requirements for products with digital elements sold in the European Union. It is significant because it shifts responsibility for cybersecurity toward the manufacturers of products, requiring security to be built in and maintained throughout a product's lifecycle rather than left to the customer.

For the industrial world, this matters a great deal. The controllers, sensors, gateways, and software that make up an OT environment are, in the language of the CRA, products with digital elements. The Act therefore reaches directly into the industrial supply chain, setting expectations for how these products are designed, secured, and supported. For the first time, many of the product security practices that the OT community has advocated for years are becoming legal requirements backed by a major regulator.

The CRA entered into force on 10 December 2024, and its obligations phase in over the following years, which makes now the time to understand and prepare for it.

Who and What It Covers

The CRA applies to products with digital elements, a deliberately broad category covering both hardware and software that can connect to or be connected with a device or network. This includes a wide range of industrial equipment and software.

The obligations fall primarily on manufacturers, but the Act also places requirements on importers and distributors, who must ensure that the products they bring to or sell within the EU market conform. Critically, the CRA has extraterritorial reach: a manufacturer based outside the EU that sells products into the EU market is subject to its requirements. Given how global the industrial equipment supply chain is, this means the CRA effectively raises the baseline for industrial products far beyond Europe's borders.

Certain products deemed more critical face stricter conformity assessment requirements, reflecting the higher consequences of their compromise.

The Timeline

The CRA's obligations apply in stages, and understanding the sequence is essential for planning.

  • 10 December 2024: The regulation entered into force, starting the clock on the phased application of its obligations.
  • 11 September 2026: The reporting obligations begin to apply. From this date, manufacturers must notify the EU Agency for Cybersecurity (ENISA) and their relevant national authority of actively exploited vulnerabilities and severe incidents affecting their products, without undue delay and in any event within 24 hours of becoming aware.
  • 11 December 2027: The main body of obligations applies in full, including the essential cybersecurity requirements for products.

Compliance implication: The reporting obligation arriving in September 2026, ahead of the full requirements in December 2027, means manufacturers need functioning vulnerability handling and incident reporting processes well before the complete framework takes effect. The timeline rewards early preparation.

Key Obligations

The CRA establishes a set of core requirements that together define a secure product across its lifecycle.

Security by design and by default. Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity, and must be delivered with a secure configuration by default.

Vulnerability handling throughout the lifecycle. Manufacturers must identify and address vulnerabilities in their products for the duration of a defined support period, including providing security updates.

Coordinated vulnerability disclosure and reporting. Manufacturers must have processes to handle vulnerabilities and must report actively exploited vulnerabilities and severe incidents within the required timeframe.

Transparency about components. Manufacturers are expected to maintain and be able to provide information about the components in their products, reflected in the growing role of the software bill of materials as a tool for understanding what a product contains.

Conformity and CE marking. Products must undergo the appropriate conformity assessment and carry the CE marking, signaling that they meet the CRA's requirements, in the same way the marking already signals conformity with other EU product regulations.

What It Means for OT

The CRA has significant and largely positive implications for the OT community, from two perspectives.

For manufacturers of OT equipment, the CRA converts good product security practice into a legal obligation. Secure development, vulnerability handling, defined support periods, and transparency about components are now requirements for market access, not competitive differentiators. Manufacturers that have invested in standards such as IEC 62443-4-1 for secure development are well positioned, since the disciplines the CRA requires align closely with those already established in the industrial security world.

For operators and asset owners, the CRA is a welcome development, because it raises the security baseline of the products entering their environments. Over time, industrial equipment should arrive with better default security, clearer support commitments, and more transparent component information, all of which make the operator's task easier. Operators procuring equipment can also point to the CRA as a reference for what they are entitled to expect.

Regulatory implication: The CRA complements, rather than replaces, the frameworks operators already work with. It sits alongside standards such as IEC 62443 and regional requirements, strengthening the product layer of a defense that also depends on how systems are integrated and operated.

How to Prepare

For manufacturers of industrial products:

Establish or mature a secure development lifecycle. Align it with IEC 62443-4-1, which maps closely to the CRA's expectations.

Stand up vulnerability handling and reporting processes. These are needed early, because the reporting obligation applies from September 2026.

Build component transparency. Develop the ability to produce a software bill of materials for your products.

Define support periods. Commit to a support window and plan for delivering security updates across it.

For operators and buyers:

Use the CRA in procurement. Reference its requirements when specifying what products must provide.

Prioritize CRA-ready suppliers. Favor manufacturers that are visibly prepared, which is a good indicator of overall product security maturity.

The Bottom Line

The EU Cyber Resilience Act marks a turning point in how the security of industrial products is governed. By placing clear, enforceable obligations on manufacturers and reaching across the global supply chain, it raises the security baseline for the devices that make up OT environments. For manufacturers, the message is to align with secure development and vulnerability handling practices now, ahead of the phased deadlines. For operators, the CRA is an ally, steadily improving the security of the products they depend on and giving them a strong reference for what to demand.

Preparation started early is preparation done well. With reporting obligations arriving in 2026 and full requirements in 2027, the organizations that engage with the CRA now will find themselves ready, and better secured, as its requirements take full effect.


Beacon Security helps industrial manufacturers and operators understand and prepare for the EU Cyber Resilience Act, aligning product security and vulnerability handling with IEC 62443 and CRA expectations. Contact us to assess your readiness.

Industrial infrastructure
OT Cybersecurity Experts

Your OT Environment Deserves
Expert Protection

IT security tools were not built for Modbus, OPC, or safety-rated controllers. Get a dedicated OT cybersecurity team that understands industrial protocols, control system architecture, and the operational constraints of your environment.

IEC/ISA 62443 Aligned
NIST 800-82 Compliant
OTCC Ready
ECC Aligned
Zero Operational Disruption