The European Union is implementing the Cyber Resilience Act (CRA), a regulatory framework that mandates cybersecurity requirements for products with digital elements sold within the EU market. This legislation marks a shift for Operational Technology (OT), as industrial systems that once operated in isolated “offline” environments are now legally required to meet standardized security benchmarks to ensure the resilience of critical infrastructure.
Under the Cyber Resilience Act, manufacturers must ensure their products are designed, developed, and maintained in accordance with essential cybersecurity requirements. The regulation targets the entire lifecycle of a product, requiring vendors to provide security updates and report actively exploited vulnerabilities to ENISA (the European Union Agency for Cybersecurity) and national authorities.
For the industrial sector, this means the traditional “air gap”—the practice of physically isolating a control system from unsecured networks—is no longer a sufficient strategy for compliance or security. As OT converges with Information Technology (IT) through the adoption of Industrial IoT and cloud integration, the EU is treating industrial controllers, sensors, and gateways as “products with digital elements” subject to strict oversight.
Mandatory Compliance for Digital Product Providers
The CRA establishes a tiered system of obligations based on the risk profile of the product. Most digital products fall under the “default” category, requiring a self-assessment of conformity. However, “critical” products—those used in essential infrastructure or those with high potential for systemic risk—must undergo more rigorous third-party assessments or follow harmonized standards to be granted the CE mark.

According to the European Commission, the regulation aims to reduce the number of insecure IoT devices and industrial components entering the market. Manufacturers are now required to perform a risk assessment and implement a “security by design” approach. This includes managing the software bill of materials (SBOM), which allows operators to identify whether their systems contain vulnerable open-source libraries.
The regulation imposes significant penalties for non-compliance. Companies that fail to adhere to the CRA requirements can face administrative fines of up to 15 million euros or 2.5% of their total global annual turnover, whichever is higher, according to the legislative text of the Cyber Resilience Act proposal.
The End of the Offline OT Myth
Historically, Operational Technology (OT) relied on the assumption that if a machine was not connected to the internet, it was safe. This “offline” mentality is being dismantled by the reality of modern manufacturing and the legal requirements of the CRA. The integration of Industry 4.0 technologies means that PLC (Programmable Logic Controllers) and SCADA (Supervisory Control and Data Acquisition) systems are increasingly networked for data analytics and remote maintenance.

The CRA forces a transition toward “secure-by-default” configurations. This means products cannot be shipped with universal default passwords or unauthenticated administrative interfaces. For OT operators, this requires a shift in how they manage assets; they must now track the support lifecycle of every connected component to ensure security patches are applied throughout the product’s expected lifetime.
The regulation also addresses the “support period.” Manufacturers must specify the period during which they will provide security updates, typically aligned with the expected lifetime of the product. In industrial settings where machines may run for 20 years, this creates a significant long-term obligation for vendors to maintain legacy codebases against emerging threats.
Vulnerability Reporting and the Role of ENISA
A central pillar of the CRA is the requirement for mandatory vulnerability reporting. When a manufacturer becomes aware of an actively exploited vulnerability in one of their products, they must notify the EU authorities within 24 hours of becoming aware of the exploit.
These reports are routed through the European Union Agency for Cybersecurity (ENISA), which coordinates the exchange of information across member states. This mechanism is designed to prevent “silent patches,” where vendors fix a bug without notifying users, leaving those who haven’t updated their systems unaware of the risk.
This transparency requirement is particularly critical for OT environments. Because industrial downtime is costly, operators often delay updates. By mandating a centralized registry of vulnerabilities, the EU aims to provide operators with the necessary data to perform risk-based patching and implement compensating controls when immediate updates are impossible.
Comparing the CRA to the NIS2 Directive
While the Cyber Resilience Act focuses on the products themselves, the NIS2 Directive focuses on the entities using those products. The two regulations work in tandem to secure the European digital ecosystem.

| Feature | Cyber Resilience Act (CRA) | NIS2 Directive |
|---|---|---|
| Primary Target | Manufacturers/Vendors of digital products | Essential and Important Entities (Operators) |
| Focus | Product security and “Security by Design” | Organizational risk management and reporting |
| Key Requirement | CE marking and SBOM documentation | Cybersecurity audits and supply chain security |
| Enforcement | Market surveillance and product recalls | National supervisory authorities and sanctions |
For a factory operator, the NIS2 Directive requires them to manage their overall cybersecurity risk, while the CRA ensures that the hardware and software they purchase from vendors are not inherently insecure. Together, these laws move the burden of security partially back onto the manufacturer, rather than leaving the end-user to secure fundamentally flawed hardware.
Implementation Timeline and Next Steps
The Cyber Resilience Act has undergone a rigorous legislative process and was formally adopted by the European Parliament in early 2024. Most of the obligations for manufacturers will begin to apply 36 months after the regulation enters into force, although certain reporting requirements for exploited vulnerabilities may take effect sooner.
Companies currently selling digital products in the EU should begin by auditing their current product portfolios and establishing a process for creating Software Bills of Materials (SBOMs). Failure to prepare for the transition period could lead to products being barred from the EU market due to a lack of the required CE marking.
The next confirmed milestone is the continued development of the “harmonized standards” by European standardization bodies. These standards will provide the technical specifics on how to actually implement the “essential requirements” listed in the CRA, giving engineers a concrete checklist for compliance.
Do you believe the CRA will effectively secure industrial infrastructure, or will the compliance burden stifle innovation for smaller hardware vendors? Share your thoughts in the comments below.