Mastering CRA compliance: For a strong manufacturing industry

In 2025, we have reached a watershed moment. The EU is getting serious about cybersecurity. With the Cyber Resilience Act (CRA), the EU forces industrial companies to reinvent themselves—more secure and resilient, boldly facing the future. It is no longer about recommendations, but about obligations and responsibility. Now is the time to act.

Manufacturers must prepare for the CRA now

In 2025, cybersecurity is no longer a buzzword. It is a reality. And it is mandatory, especially in the EU. With the implementation of the NIS 2 Directive and the Cyber Resilience Act (CRA) enacted in 2024, the EU Commission is compelling many sectors of the economy to take comprehensive measures at an organizational level and in product development and design. In comparison to previous regulations, the CRA significantly increases the sanctioning powers of the respective authorities, up to and including personal liability of the management. One thing is clear: cyber resilience is no longer a nice-to-have, but a central building block of the EU's future operational capability.

What does this mean for your company? In our previous article on the CRA, we explored the requirements that products with digital components manufactured or distributed in the EU will have to meet throughout their entire life cycle. In this article, we’ll take a closer look at the consequences of non-compliance with the incoming regulations, and how you can position your company to address the new business risks. These changes are particularly relevant to the manufacturing sector, which typically prioritizes production efficiency and machine availability over cybersecurity.

Overview: CRA fines and sanctions

We covered the extensive legal consequences of the CRA and NIS-2 in our previous articles. A brief overview is enough to see that the EU is getting serious and forcing companies to act.

  • Violations of the regulations can result in fines of up to €15 million or 2.5% of the previous year's global turnover, whichever is higher.
  • Providing incorrect or incomplete information to market surveillance authorities can result in fines of up to €5 million or 1% of the previous year's global turnover, whichever is higher.

The authorities can also demand that companies provide updates as quickly as possible when security risks are identified or, in the worst-case scenario, that they withdraw the product from the market.

The NIS 2 Directive explicitly defines the personal liability of the company management for negligence. However, as compliance with the CRA will, in the future, fall under the company managements’ general duty of care, personal claims may also be asserted for violations.

Targeted measures for industrial companies

Products with digital components must meet all requirements of the CRA by December 11, 2027. However, there are numerous deadlines that your company must meet before then, which increases the urgency to act now. To ensure that you are ready for the new regulations, we recommend that manufacturers undertake the following three measures.

1. Complete risk analysis: a look in the mirror

Start with a gap analysis to gain an overview of the current status of your product environment. Which security requirements do your products already meet? What still needs to be done? The IEC 62443 industry standard, which covers key aspects of the CRA, provides useful guidance here.

The CRA risk class a product falls into also shapes the individual risk analysis. The difference between the four categories relates more to how proof of compliance with the requirements is provided than to which security measures must be implemented.

  • Standard products: For low-risk products, a self-assessment by the manufacturer is sufficient.
  • Critical Product Class I: A self-assessment can also be carried out for products in Class I, but it must be done in accordance with harmonized standards that are currently under development. Class I products include those with VPN functionality, routers, and microcontrollers.
  • Critical Product Class II: Certification of Class II products must be done by a designated body. These products include firewalls and container runtime systems.
  • Critical Products: Critical products are subject to mandatory certification according to an EU-wide standard, which is also currently under development. This primarily includes hardware devices with security boxes, smart meter gateways, and chip cards.

You can find lists of product examples in Annexes III and IV of the CRA. Starting June 11, 2026, conformity assessment bodies will be able to assess compliance with the requirements. These bodies have yet to be appointed; in Germany, this is most likely to be TÜV. However, the transition period for implementing all requirements lasts until the end of 2027.

2. Build security skills: Knowledge is defense

Most of the products manufactured by industrial companies fall into the lowest risk category of the Cyber Resilience Act, allowing manufacturers to rely on self-assessment to demonstrate that they have taken appropriate and adequate security precautions. But if a security incident occurs during the use of a product, the self-assessment itself may then be closely examined.

Each product carries unique risks and requires a customized level of security. Recognized standards, such as IEC 62443 for industrial control systems or EN 18031 for the cybersecurity of radio equipment, offer guidance for CRA implementation.

With enhanced risk management, security engineering, and incident response capabilities, you can ensure that your products are adequately protected against cyber risks throughout their lifecycle. By embedding threat analyses and the corresponding countermeasures directly into the development process (security by design), companies can raise security awareness in the product team and throughout the entire organization. Security does not start with the firewall, but with the design. When you follow security by design, protective measures are integrated into the development process right from the start: not as an add-on, but as a principle.

3. Establish an Incident Response Team: Speed is a survival strategy

More than a year before all CRA requirements must be met, on September 11, 2026, organizations must meet the reporting requirements for serious security incidents and actively exploited vulnerabilities. Reports must be submitted via a Single Reporting Platform, which is still under development. An early warning must be issued within 24 hours, followed by a detailed report within 72 hours.

Most companies are advised to set up an incident response team to monitor their product range, if they have not already done so. Security specialists should continually monitor all software components for known vulnerabilities and must always be reachable for users who want to report a security problem.

Reach your goal with the experts: Trust those who live security

All EU companies will have to build data security and cybersecurity expertise. By taking advantage of specialized support in the development process, you can conserve resources during the transition process, and ensure long-term business success.

With our Custom Software Solutions, we offer a flexible development service for industrial companies that we adapt to your individual needs. Whether you need individual software modules or a complete development project, our expert team can develop your product software components. Our software development lifecycle processes are certified in accordance with IEC 62443-4-1, meaning they already meet the security standards of the Cyber Resilience Act. Alternatively, we can provide temporary, highly qualified support to reinforce your teams. Meet with us to learn more.

Author: René Janz

René Janz is an industrial engineer with extensive knowledge of the shop floor. He has been with TRIOVEGA GmbH since 2023, and as Director Business Development, René is responsible for the strategic expansion of OT security and digitalization in the production industry.
