
Cyber Resilience Act: What companies should consider now
The Cyber Resilience Act (CRA) had been announced for a long time, but now it is official: it was passed on October 10, 2024. This means that from November 2027, new EU-wide minimum security requirements will apply to a large number of networked devices and their software; vulnerability reporting obligations will apply even earlier, from August 2026. Product manufacturers in particular will be held accountable: they must ensure that their products meet the security criteria for the European market, with few exceptions and regardless of industry. Fraunhofer IEM has been developing security measures with companies such as adesso mobile solutions, Connext, Phoenix Contact and Kraft Maschinenbau for many years, and provides tips on how companies can prepare for the CRA.
“The transition period until the CRA must be fully complied with in 2027 is short. Companies will have to reposition themselves in many areas – from carrying out security risk analyses and short-term reporting obligations when vulnerabilities become known to free security updates during the expected service life of the product. And postponement is not an option, because failure to comply with the CRA could result in fines in the millions,” explains Dr. Matthias Meyer, Head of Software Engineering and IT Security at Fraunhofer IEM, who is also involved in the it’s OWL project ‘IoT Security through Cyclical, Precisely Interlocked Threat Analysis and Attack Detection (IoT-ScuBa)’.
The it’s OWL project deals with the effects of the Cyber Resilience Act
In the it’s OWL project IoT-ScuBa, the researchers at Fraunhofer IEM are working on the security of Miele’s networked robot vacuum cleaners and of Diebold Nixdorf’s ATMs, among other things. A catalog of protection mechanisms is to be drawn up for the threats to these devices. Countermeasures to these threats are to be incorporated into the product life cycle as internal security requirements for hardware, software and processes.
The requirements of the European Union’s Cyber Resilience Act now also play an important role here.
The research institute recommends three measures that companies should take now to start on the path to CRA-compliant product development. “Reacting quickly when vulnerabilities become known and conducting systematic risk analyses are essential measures for meeting CRA requirements: companies that tackle these measures now are already well on their way. In addition, an analysis of the current status with regard to products and processes provides clarity for the next steps,” emphasizes Dr. Meyer.
First: Setting up a rapid response team for emergencies
If manufacturers become aware that vulnerabilities in their products are being exploited, they must in future inform the European Union Agency for Cybersecurity (ENISA) immediately: they must give an initial warning within 24 hours and provide further details on the nature of the vulnerability, possible countermeasures and more within 72 hours. Apart from this, they must be reachable at all times for people who want to report security vulnerabilities, and they must keep an eye on whether vulnerabilities become known in any software component they obtain from a supplier. These are tasks of a Product Security Incident Response Team (PSIRT). Manufacturers who have not yet established a PSIRT should address this urgently, as the above-mentioned obligations must be fulfilled from June 2026 for all products on the market, including those launched long before the CRA comes into force.
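To make the PSIRT duties described above concrete, here is an added example (written for this article, not tooling from Fraunhofer IEM or any of the companies named): a small Python triage helper that checks a product's component list against vulnerability advisories with affected-version ranges and, where an advisory reports active exploitation, computes the 24-hour early-warning and 72-hour notification windows from the moment the manufacturer became aware. The component names, versions, advisory identifiers and the awareness timestamp are constructed sample data; a real PSIRT would feed its SBOM and a live vulnerability feed into the same logic.

```python
"""Minimal PSIRT triage helper (added example, constructed sample data).

Assumptions: components use numeric dotted versions (e.g. "1.4.2"); advisories
give the first affected version (inclusive) and the first fixed version
(exclusive, or None if no fix exists yet). Advisory IDs are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One supplied software component as it would appear in an SBOM."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A vulnerability advisory for one component (placeholder identifiers)."""
    advisory_id: str
    component: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None = unfixed
    exploited: bool          # exploitation in the wild reported?


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.4.2" into (1, 4, 2) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True if the component's version lies in [introduced, fixed)."""
    if component.name != advisory.component:
        return False
    version = parse_version(component.version)
    if version < parse_version(advisory.introduced):
        return False
    if advisory.fixed is not None and version >= parse_version(advisory.fixed):
        return False
    return True


def find_affected(components: List[Component],
                  advisories: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Cross-check every component against every advisory."""
    return [(c, a) for c in components for a in advisories if is_affected(c, a)]


def reporting_deadlines(aware_at: datetime) -> Dict[str, datetime]:
    """CRA timeline as described in the article: early warning within 24 h,
    vulnerability notification within 72 h of becoming aware of exploitation."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "notification": aware_at + timedelta(hours=72),
    }


def triage(components: List[Component], advisories: List[Advisory],
           aware_at: datetime) -> List[Dict]:
    """Build a work list: one entry per affected component/advisory pair,
    with reporting deadlines attached only where exploitation is reported."""
    report = []
    for comp, adv in find_affected(components, advisories):
        entry = {
            "component": f"{comp.name} {comp.version}",
            "advisory": adv.advisory_id,
            "exploited": adv.exploited,
        }
        if adv.exploited:
            entry["deadlines"] = reporting_deadlines(aware_at)
        report.append(entry)
    return report


# Constructed sample data (not a real product, not real advisories).
SAMPLE_COMPONENTS = [
    Component("libfoo", "1.4.2"),
    Component("netstack", "2.0.9"),
    Component("tls-lib", "3.1.0"),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "libfoo", "1.4.0", "1.4.3", exploited=True),
    Advisory("ADV-EXAMPLE-002", "netstack", "2.1.0", None, exploited=False),
    Advisory("ADV-EXAMPLE-003", "tls-lib", "3.0.0", "3.1.0", exploited=False),
]
# Constructed moment at which the manufacturer learned of the exploitation.
SAMPLE_AWARE_AT = datetime(2026, 9, 15, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for entry in triage(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, SAMPLE_AWARE_AT):
        print(entry)
```

Only libfoo 1.4.2 falls inside an affected range here: netstack 2.0.9 predates the introduced version and tls-lib 3.1.0 is already the fixed version, so neither is reported. Because the libfoo advisory reports exploitation, the entry carries both deadlines; a PSIRT would track these against its ENISA notifications and keep the non-exploited matches as ordinary update work.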
Second: Threat and risk analyses as a central instrument
Essentially, the CRA requires manufacturers to regularly analyze their products for security risks and to integrate security measures that match those risks. Companies must firmly embed threat and risk analyses for all products in their development process: in this way, they systematically identify threats, assess the associated security risk and derive informed, targeted protective measures and countermeasures. The security level of the software can thus be raised continuously and, above all, appropriately. Developers gain a new level of security awareness, and expensive but unnecessary measures are avoided.
Third: Overview through analysis of the current situation
The first two measures are important, but they will not be enough: companies need to get an idea of which CRA requirements they already meet, both in terms of their processes across the product life cycle and in terms of specific products. Even though there are no harmonized standards for the CRA yet, experts unanimously consider the existing industrial cybersecurity standard IEC 62443 to provide very good guidance. This means that companies do not have to wait: they can already carry out status quo analyses of their processes and products and derive measures, gaining valuable time for implementing the CRA.
Cooperation with Phoenix Contact, Miele and other companies
Fraunhofer IEM’s expertise is based on many years of project experience with companies.
- Back in 2018, the scientists helped Phoenix Contact to become one of the first companies to be certified in accordance with the IEC 62443-4-1 cyber security standard by developing a threat and risk analysis method tailored to Phoenix Contact.
- Since then, Fraunhofer IEM has continuously developed the method and applied it in numerous threat analysis workshops and training courses, e.g. with Kraft Maschinenbau. “We not only benefit from a risk assessment for our products. In the workshop with Fraunhofer IEM, our employees also learned a systematic approach for future threat analyses and increased their security awareness,” says Managing Director Jörg Timmermann.
- To ensure that its long-lasting products remain secure even after market launch, Miele set up its own PSIRT with Fraunhofer IEM back in 2021. Stakeholder interviews made it possible to build on existing company processes and to create clearly defined process interfaces.
- In preparation for the IEC 62443 standard for industrial cyber security, KEB determined the current status of its development processes. Fraunhofer IEM conducted interviews with the company’s managers and security experts and helped KEB to plan the further activities required to implement the standard, estimate the effort involved and systematically drive forward its implementation.
- To ensure that all employees involved in software development stay up to date and constantly improve their software development practice, Fraunhofer IEM also works with adesso mobile solutions and Connext, for example, in the area of employee training. Both companies have been using Security Champions as multipliers for cybersecurity in their software development for many years.