The main obligations of the Cyber Resilience Act (CRA) are due to apply from 11th December 2027. However, David Bean, Business Development Group Manager at Mitsubishi Electric – Factory Automation Systems UK, has warned that those who fail to comply with the legislation from this date will no longer be able to sell affected products to EU markets without a compliant CE mark.

First introduced by the European Union (EU) on 10 December 2024, the CRA aims to safeguard consumers and businesses across Europe when purchasing software or hardware products with a digital component. Applying to all products connected directly or indirectly to another device or network, it establishes mandatory cybersecurity requirements that manufacturers and retailers must incorporate into the planning, design, development and maintenance of their products to continue selling them across the EU.
“The introduction of the CRA is, of course, a positive development for end-users, who will benefit from improved security measures to defend against cyberattacks,” Bean explains.
“However, for many machine builders, it could mean a fundamental shift in their system design, with the cybersecurity requirements that they must meet to sell into the EU set to become far more stringent as a result.
“To ensure compliance, machine builders must make sure that the equipment they manufacture is secure by design, rather than treating cybersecurity as a mere add-on. This would involve considering the potential threats to a machine, incorporating appropriate security features to minimise the attack vector and providing transparency around the implementation of these features. Finally, OEMs must ensure any products with a digital element that are part of their machine build have a certificated process for managing exposed vulnerabilities that may over time be exposed in them.”
Specifically, manufacturers must ensure that products are designed, developed and produced in line with the essential cybersecurity requirements set out in Annex I of the regulation, and also carry out a cybersecurity risk assessment to identify relevant risks, determining the actions necessary to negate them. Furthermore, machine builders will need to choose from several conformity assessment procedures to demonstrate their compliance with the requirements.
Components also fall under the CRA
Whilst machines as a whole fall under the CRA, so too do the components used within them, such as PLCs, HMIs and drives, which the CRA classes as products with a digital element (PDEs). These components are likely to be classed in either the ‘Important’ or ‘Critical’ sections of the regulation’s framework for categorising a product’s cybersecurity risk and potential impact. Those marked as ‘Critical’ are subject to the most rigorous compliance measures due to their critical functions and potential impact on the health, security or safety of users.
Machine builders must also ensure that the PDEs they use are compliant with the CRA, obtaining appropriate documentation from the PDE’s manufacturer.
“To prepare for full implementation of the CRA, machine builders should be working with their supply chain now to ensure that they are ahead of the curve and ready to sell their products into European markets in line with the new requirements,” Bean continues. “After all, 18 months isn’t a long time at all when it comes to machine design, which is precisely why it’s so important that machine builders start planning now.
“We at Mitsubishi Electric appreciate that navigating the various requirements set out by the CRA can seem complex and daunting to many machine builders. We also recognise how important it is to work with reputable and reliable suppliers who understand the regulation and have their products certified against it.
“We are proud to offer support and assistance to achieve compliance with the CRA, with features built into our processes, such as certified product vulnerability management to IEC 62443-4-1. As such, we are in a strong position to help our machine builder community on their journey to compliance with the new legislation.”
For more information on Mitsubishi Electric’s range of solutions for OEMs and machine builders, please visit: https://gb.mitsubishielectric.com/fa/solutions/industries/machine-building.
