
Cyber Security: Your Duty – Our Solution

In an increasingly connected world where cyberattacks are becoming more sophisticated, the European Union has set new standards for cybersecurity with the Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, adopted in 2024.

This regulation aims to minimize security risks and establishes binding requirements for the economic operators of products with digital elements: manufacturers (including integrators that place a product on the market under their own name), importers, and distributors. Companies in the automation and manufacturing industries are particularly affected, as their systems are increasingly networked and software-driven.

The CRA entered into force in December 2024, and many companies are already working intensively on its implementation. The bulk of its obligations apply from December 2027; non-compliance with the essential requirements or the manufacturer obligations can lead to fines of up to EUR 15 million or 2.5 % of worldwide annual turnover, whichever is higher. But what does the CRA mean in concrete terms for the industry?

We provide tips on how to prepare for the CRA, highlight key dates and deadlines, and explain why Hilscher is the right partner for cybersecurity.


Want to learn more about secure industrial communication or have specific questions?

Schedule a personal consultation with us now!

CRA Comes into Force

The Cyber Resilience Act (CRA) entered into force on December 10, 2024, twenty days after its publication in the Official Journal of the EU. This marks the beginning of the transition period for many companies. The CRA applies to any product with digital elements placed on the EU market, with only a few exclusions for product groups already covered by sector-specific EU rules (for example medical devices and motor vehicles).

Article 7 implementation

By December 11, 2025, the EU Commission must adopt an implementing act under Article 7 giving the technical description of the categories of "important products" listed in Annex III (classes I and II). Products in these categories are subject to stricter conformity assessment procedures: a class I product may only be self-assessed by the manufacturer if it fully applies harmonised standards, common specifications, or an EU cybersecurity certification scheme; a class II product always requires assessment by a notified body.

Reporting obligations begin

Article 14 of the CRA applies from September 11, 2026, introducing mandatory reporting obligations for manufacturers. From that date a manufacturer must notify any actively exploited vulnerability in its product, and any severe incident affecting the product's security, to the CSIRT designated as coordinator and to ENISA within defined timeframes: an early warning within 24 hours of becoming aware, a vulnerability or incident notification within 72 hours, and a final report within 14 days for vulnerabilities or one month for incidents. Affected users must also be informed without undue delay.

CRA fully implemented

By December 11, 2027, all affected companies must comply with the CRA. From this date, all products with digital elements, including hardware, software, and their remote data processing solutions, must meet the essential cybersecurity requirements of Annex I, pass the applicable conformity assessment, and carry the CE marking to be placed on the EU market.

SPS Magazine speaks with cybersecurity expert Frank Behnke from Hilscher about the Cyber Resilience Act (CRA) and its impact on the particularly affected automation and manufacturing industry: 

How do you assess the significance of the Cyber Resilience Act for the automation sector? What challenges do you see in implementing the CRA, and what role does ‘Usable Security’ play?

The CRA, the NIS2 Directive, and the NIS2UmsuCG (the German law implementing NIS 2 at national level) are of enormous importance to the automation industry. In addition to stricter security requirements, liability issues and the obligation to provide regular security updates are added. In the future, there will be no secure industrial network without deeply integrated cybersecurity. 

Opportunities lie in unified regulation and increased trust in secure products. Companies that adopt security-by-design early and follow standards such as IEC 62443 can position themselves as reliable partners in the market. Standardization will also make it easier to offer products across Europe.

The biggest challenge is the practical implementation of the new requirements. Many companies are still at the beginning of this development and underestimate the scope of the upcoming changes. Our goal is to support with expertise—without spreading unnecessary panic.

Usable Security plays a crucial role. Security mechanisms must be user-friendly and efficient. The best security is useless if it is difficult to implement or bypassed in daily operations. Systems with centralized patch management offer a competitive advantage here, as they automate security updates and reduce administrative effort.

Frank Behnke
Head of Information Systems, Hilscher 

*Originally published in SPS Magazine 5 (May) 2025.

Which specific CRA requirements are particularly relevant for machinery, plant engineering, and the process industry? How can these requirements be effectively implemented in products and processes? 

The CRA brings profound changes to product development and operations. Particularly critical is the obligation to report security incidents within 24 hours, which requires effective incident management and security monitoring. Otherwise, severe penalties may apply. 

To meet the requirements, companies must adapt their development processes by implementing security-by-design and security-by-default from the outset.

This means:

  • Risk assessments and security audits already during the development phase
  • Sustainable update and patch strategies to keep products secure throughout their lifecycle
  • Certification compliance, as “significant changes” to existing products require re-certification 

In practice, centralized patch management systems, robust access and authentication solutions, and clearly defined processes for regular security reviews are needed. Especially for complex automation systems, it is crucial to integrate cybersecurity in a way that does not disrupt operations while reliably meeting CRA requirements.

Frank Behnke
Head of Information Systems, Hilscher


What costs and effort do you expect for implementing the CRA? Will the CRA affect the competitiveness of machinery and plant manufacturers? If so, how?

The costs and effort for implementing the CRA cannot be generalized, as they depend heavily on how early companies have integrated security-by-design into their development processes. Companies already applying secure architectural principles will face less adjustment than those just beginning to retrofit cybersecurity.

In terms of competitiveness, there is a clear divide: machines and devices that are not cyber-secure will face massive disadvantages in the market. Customers and operators will increasingly rely on certified, CRA-compliant products to minimize regulatory risks.

One example is our netX 90 communication controller, which already integrates comprehensive security mechanisms. This enables secure communication solutions to be implemented directly—a clear advantage over older chip generations that lack or only partially support such functionality.

But it’s not just products that are affected—existing network technologies must also be reconsidered. Fieldbus technologies, traditionally designed for isolated systems, are now considered inherently insecure under the new regulations and are difficult to make CRA-compliant. Companies will be forced to establish secure network architectures, such as firewall solutions, network segmentation, and strict access controls. In many cases, a complete transition to more secure, IP-based communication technologies will be necessary.

Those who adopt secure architectures, modern security mechanisms, and upgradability early will gain a clear long-term market advantage.

Frank Behnke
Head of Information Systems, Hilscher 


How do you plan to support your customers in complying with CRA requirements? What recommendations do you have for SMEs in the industry to prepare for the CRA?

Our recommendation for small and medium-sized enterprises is clear: develop a plan early to systematically address CRA requirements. Cybersecurity must be integrated into product development from the very beginning—the earlier, the better.

A key point is choosing competent security partners, as the complexity of the requirements makes isolated solutions or costly missteps uneconomical. At Hilscher, for example, we work with TÜV Rheinland and have already aligned 70% of our development processes with IEC 62443-4-1—the rest will follow shortly.

Certifications under BSI IT-Grundschutz and ISO 27001 are planned for 2025. We actively share this knowledge with our customers to help them make their products and systems secure and CRA-compliant through our expertise and technologies.

Companies should also engage in industry initiatives and working groups to exchange best practices and experiences. Several initiatives currently exist where companies network and develop joint solutions for CRA challenges. Organizations such as ZVEI, VDMA, and IEC 62443 working groups offer valuable platforms for exchange and practical support in implementing the new requirements.

Frank Behnke
Head of Information Systems, Hilscher 

CRA – At a glance

The Cyber Resilience Act entered into force on December 10, 2024, and its obligations apply in full from December 11, 2027. The regulation introduces binding cybersecurity requirements for products with digital elements to protect consumers and businesses from cyber threats.

Security Requirements

Manufacturers must ensure that their products meet the essential cybersecurity requirements of Annex I: among others, delivery with a secure default configuration, no known exploitable vulnerabilities at the time of placing on the market, protection against unauthorised access, a minimised attack surface, and the ability to receive security updates. Compliance is demonstrated through a conformity assessment and the CE marking.

Risk Management

Strategies for identifying and minimizing risks need to be implemented. This covers the whole lifecycle, from the design phase through development to the end of the product's support period, and must be documented in a cybersecurity risk assessment that forms part of the technical documentation.

Reporting obligations

Manufacturers are obliged to report actively exploited vulnerabilities and severe incidents within the deadlines described above, and to operate a vulnerability handling process that includes a coordinated vulnerability disclosure policy, a single point of contact for reporters, and security updates provided free of charge throughout the support period. Once a security update is available, information about the fixed vulnerability must be shared with users and publicly disclosed.

NIS 2 – At a glance

The abbreviation NIS 2 stands for the second Network and Information Security Directive of the European Union. This directive, officially known as Directive (EU) 2022/2555, aims to ensure a high common level of cybersecurity within the EU. The NIS 2 Directive replaces the original NIS Directive and introduces stricter cybersecurity standards, especially for companies operating critical infrastructure.

Expanded framework

NIS 2 applies to a wider range of sectors, including energy, transportation, banking, healthcare and digital infrastructure.

Security requirements

The Directive requires the implementation of appropriate technical and organizational security measures and defines minimum standards for risk management and security protocols.

Reporting obligations

NIS 2 includes deadlines for reporting security incidents. The incident reports must meet certain requirements and be made available to the supervisory authorities.

Adoption into national law

As a directive, NIS 2 is not directly applicable: each Member State must transpose it into national law. The transposition deadline was October 17, 2024; in Germany this is done by the NIS2UmsuCG mentioned in the interview above.

Secure Industrial Communication with Hilscher – Master CRA & NIS 2 with Hilscher Technology

Reporting Obligations: Hilscher works closely with the TÜV Rheinland Security Operations Center (SOC). Hilscher systems are connected to the TÜV Rheinland SOC, which performs automated anomaly detection.

Certification according to BSI IT-Grundschutz (the baseline protection methodology of the German Federal Office for Information Security) and ISO/IEC 27001 is planned by the end of 2025.

Protection of Hilscher's own production through various measures, such as the introduction of asset management, a revision of access control, and a security concept for the production facility in Hattersheim.

Already 85% of Hilscher's development processes comply with IEC 62443-4-1. This standard sets requirements for the secure development lifecycle of products in industrial automation and control systems.

First product pre-tests planned for 2025 and 2026: once the EU Commission has defined the certification criteria, Hilscher will begin the first CRA product tests together with TÜV Rheinland. The results of these pre-tests will feed into action catalogues and be used for the final product certifications.

Our Secure Firmware Architecture

A number of processes behind the addition of security features to our standard firmware are not visible from the outside; we would be glad to explain them in a dedicated training course or product workshop. What matters is that you can build your own security architecture in terms of key management and lifecycle management as your use case requires. We support this with flexible handling of key generation and of the security functions.

Benefit from established secure boot mechanisms, certificate management, and protocol-specific data encryption for various real-time Ethernet protocols.

A graphical representation of the Hilscher Secure Firmware Architecture

Arrange a personal consultation now

Facing the challenge of making your communication solution CRA-compliant? Have questions about specific regulations? Need support for a particular project? Schedule a personal appointment with one of our experts today—we look forward to speaking with you!

Make an appointment!