Cyber Resilience Act

EU directive for more cybersecurity 

EU directive on the cyber resilience of products with digital elements

The Cyber Resilience Act is a law of the European Commission that aims to protect consumers and businesses that purchase or use hardware or software products with a digital element within the EU. It defines binding cybersecurity requirements that must be met by manufacturers, importers and distributors of such products on the European market. In the industrial sector, the following products are hereby affected in particular:

  • Class I critical products, such as browsers, password managers, routers, etc.
  • Class II critical products, such as firewalls, smart cards, smart card readers ...

The ‘Regulation on horizontal cybersecurity requirements for products with digital elements’ is part of the EU’s efforts to increase hardware and software security and strengthen trust in the digital economy. This is part of a broader EU strategy to boost cybersecurity. This also includes other initiatives such as the Directive on the Security of Network and Information Systems (NIS2 Directive) and the General Data Protection Regulation (GDPR). The aim of these efforts is to create standardised rules for the cybersecurity of products with digital elements throughout the EU. 

Our products help you fulfil the compliance requirements of the Cyber Resilience Act. We would be happy to advise you. 

Effects and challenges for companies

In principle, the following applies: All companies that manufacture, distribute or use products with digital elements within the EU internal market are affected by the Cyber Resilience Act. This also includes machine manufacturers and service providers such as system integrators, who use class I and II products. In future, they will all have to fulfil some cybersecurity requirements in order to guarantee hardware security, software security and the safety and security of machines in accordance with DIN EN ISO 12100, DIN EN ISO 13849 and the upcoming IEC62443. 


Effects on IT security, OT security and products

In the IT sector, cybersecurity guidelines must be taken into account from the outset (security by design): This includes regular updates and patches as well as maximum transparency when reporting security incidents or vulnerabilities.

In the area of OT security, where outdated technologies are used in many companies, comprehensive risk management strategies must be developed and increased security measures implemented. An industrial firewall can be a good security unit for legacy systems (old systems) to ensure the secure operation of outdated technologies. The Cyber Resilience Act also calls for a closer link between IT and OT security practices. 

In future, it must be possible to guarantee the safety of products throughout their entire life cycle and prove this at the end by means of certifications or regular safety assessments. If a product is no longer supported by the provision of security updates at some point, or if vulnerabilities are discovered in the technologies, consumers must be immediately and actively informed. ADS-TEC Industrial IT GmbH ensures this by publishing any reports in the German IT security platform CERT@VDE.

Time and financial challenges

The EU Parliament adopted the Cyber Resilience Act in March 2024. The law still has to pass the EU Council before it can enter into force. After coming into force, affected companies have 36 months to apply the requirements described in the Cyber Resilience Act.
This can result in considerable costs, particularly for small and medium-sized enterprises (SMEs), as new security methods have to be introduced. This includes the creation of new security practices and the integration of new security technologies.
For globally operating companies, the need to fulfil different cybersecurity requirements in different markets can lead to additional challenges.

Implementation deadlines of the CRA


Do you have questions about the Cyber Resilience Act or would you like advice? 


What measures companies need to take

Checking the requirements of the CRA

Organisations should understand the specific requirements of the Cyber Resilience Act, including all technical standards and compliance requirements.

Assessment of the current compliance position

Companies should assess the extent to which their current products, services and internal processes meet the requirements of the Cyber Resilience Act and where adjustments are necessary.

Development of an implementation plan

Based on the assessment, organisations should develop a detailed plan for implementing the required changes, including timeline, budget and resource allocation.

Carrying out the necessary adjustments

This may include revising product development practices, strengthening cybersecurity systems and processes, and training employees.

Monitoring and continuous adjustment

After implementation, it is important to continuously monitor compliance with CRA requirements and adapt to any changes in regulations or technological developments.

‘one-for-all’ solution for your industrial security

Industrial Router Firewalls IRF1000 & IRF3000

Protect networks and systems, recognise threats, make products and connections more secure: The requirements of the Cyber Resilience Act are clearly described and will soon be binding for everyone. And the right solution is already there: Industrial router firewalls from the IRF1000 and IRF3000 series.

Regardless of whether you opt for our entry-level IRF1000 model or our high-performance IRF3000 firewalls: In both cases, you get a ‘one--for-all’ solution for the protection of your machines, production systems and industrial components. Request your no-obligation test device today and experience the industrial router firewalls from ADS-TEC Industrial IT for yourself.