Protect your production processes from cyber threats!
Learn how, with our support, you can meet the requirements of the Cyber Resilience Act and secure your production processes.
The Cyber Resilience Act (CRA) is a legal framework proposed by the European Commission that sets horizontal cybersecurity requirements for all products with digital elements sold on the EU market. The CRA aims to improve the security of hardware and software products by obliging manufacturers to minimize vulnerabilities throughout the entire product lifecycle and to provide security updates. This is intended to curb the increasing cyber threats, reduce costs for businesses and society caused by cyberattacks, and strengthen consumer trust in digital products.
Why are manufacturing companies affected by the Cyber Resilience Act (CRA)?
Modern manufacturing companies increasingly rely on digital technologies and connected systems to enhance their efficiency and competitiveness. The Cyber Resilience Act (CRA) of the European Union applies to all companies that develop or use products with digital elements—and manufacturing companies are particularly in focus.
These products fall under the CRA
All products sold in the EU that contain “digital elements” must comply with the requirements of the CRA. This includes not only affordable consumer products but also B2B software and complex high-end industrial systems. “Products with digital elements” are defined in the CRA as products that can be connected to a device or a network and include both hardware products with connected functions (e.g., smartphones, laptops, smart home products, smartwatches, connected toys, as well as microprocessors, firewalls, and smart meters) and pure software products (e.g., accounting software, computer games, mobile apps). Non-commercial open-source software products are exempt from the CRA and therefore do not have to meet its requirements.
Source: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html Date: 24.10.24
Examples:
Consumer electronics: Connected TVs, speakers (e.g., smart speakers with voice assistants), wearables such as smartwatches or fitness trackers.
Industry 4.0 devices: Machines and robots used in connected production environments (e.g., in automation) that transmit data to central systems.
Production control systems: Software that monitors and controls production facilities and processes.
Operating systems: Software that runs on computers, smartphones, or other digital devices.
Applications: Software used in businesses or by consumers, including cloud software and SaaS (Software-as-a-Service) platforms.
Cloud computing platforms: Services that provide storage and computing power over the internet.
Data centers: Physical devices used in data centers to store and process data.
Why it is important to act now:
- Connected production systems: In Industry 4.0, production processes and machines are often interconnected. These systems offer enormous efficiency gains but are also targets for cyberattacks. The CRA requires companies to take measures to minimize vulnerabilities in their digital products and systems.
- Security requirements for products: As a manufacturer or user of machines and equipment with digital elements, you are required to ensure that these products comply with cybersecurity requirements. The CRA mandates that all products be designed and developed securely and regularly updated throughout their entire lifecycle.
- Supply chain protection: Cyber threats in the supply chain can quickly impact the entire operation. A single attack can affect the whole production network. The CRA defines clear requirements to ensure the security of your entire digital supply chain.
- Legal requirements and compliance: The CRA establishes binding rules for cybersecurity in the EU. Manufacturing companies must ensure that their products comply with the new regulations to avoid penalties and operational disruptions. We support you in understanding and implementing the complex requirements of the CRA.
Your advantage: With our specialized consulting, we help manufacturing companies efficiently meet the requirements of the Cyber Resilience Act while ensuring the security of their production processes.
Is implementing ISO 27001 in the company sufficient?
ISO 27001 provides a systematic approach to identifying and managing security risks that is more comprehensive than isolated measures. Without this structured framework, certain vulnerabilities could be overlooked, such as:
- Connections between production facilities and external networks that are vulnerable to cyberattacks.
- Undocumented or unsecured interfaces between machines and IT systems.
- Security vulnerabilities in older systems or devices that are not regularly updated.
Especially in open production environments, where various systems and networks work together, ISO 27001 helps to consider risks holistically and manage them systematically. Without this comprehensive security strategy, it could be more difficult to identify and effectively address all vulnerabilities.
In addition to implementing ISO 27001:2024 – or if you decide not to implement it – there are still some key measures you must fulfill to meet the requirements of the Cyber Resilience Act (CRA):
1. Identification of affected products
First, companies must identify which of their products with digital elements fall within the scope of the CRA. This concerns all hardware and software products that are connected to networks or other digital products or that process data.
2. Integrate security requirements throughout the entire product lifecycle
The CRA requires that cybersecurity be integrated throughout the entire product lifecycle:
- Development: Security measures must be considered already in the design phase (Security by Design).
- Production: Production must ensure that no vulnerabilities are introduced.
- Maintenance: Security updates and regular reviews must be ensured.
3. Vulnerability Management and Handling of Vulnerabilities
The CRA requires manufacturers and providers of digital products to establish a vulnerability management system that includes the following points:
- Identification of vulnerabilities as soon as they become known.
- Prompt remediation of vulnerabilities through security updates.
- Reporting of actively exploited vulnerabilities to the relevant authorities, such as the EU agency ENISA.
- Customer notification about vulnerabilities and provided patches.
4. Conformity assessment
For critical products with digital elements, the CRA requires a formal conformity assessment:
- Self-assessment: For less critical products, it is sufficient for the manufacturer to conduct a self-assessment and document that the cybersecurity requirements are met.
- Third-party assessment: For critical products, an evaluation by a certified third party is required to ensure compliance with CRA requirements.
5. Security updates and product support
Companies must ensure that they support their products for an adequate period and provide security updates. It must also be clearly communicated how long this support is available and how security vulnerabilities are handled.
6. Documentation and Transparency
The CRA requires that all information regarding a product’s cybersecurity be transparent and documented. This includes:
- Technical documentation of the security measures.
- Provision of information for the safe use of the product.
- Explanation of security support: How long and under what conditions security updates will be provided.
7. Product classification and additional measures for critical products
The CRA divides digital products into two classes:
- Class I (lower risk): Standard cybersecurity measures are sufficient here.
- Class II (higher risk): These products, which are used in safety-critical environments, require stricter cybersecurity controls and additional conformity assessment procedures.
8. CE marking
Products that comply with the CRA requirements must be marked with the CE marking. This indicates that the product is safe and meets the relevant EU directives.
How do I evaluate the processes?
It is not always necessary to use expensive tools to meet the requirements of the Cyber Resilience Act (CRA). Often, a thorough asset inventory is sufficient to identify vulnerabilities and risks. In many cases, existing security solutions can be optimized and available resources better utilized. Only in particularly critical areas or for specific requirements is it necessary to resort to specialized tools. Our approach focuses on ensuring maximum security with minimal additional investments and using external tools only where truly necessary.