A hologram of a cyber security writing in blue. Two people can be seen blurily behind the hologram.
Home
Landingpages
Cyber Security: Your Duty – Our Solution

Cyber Security: Your Duty – Our Solution

In an increasingly connected world where cyberattacks are becoming more sophisticated, the European Union set new standards for cybersecurity in 2019 with the Cyber Resilience Act (CRA). 

This regulation aims to minimize security risks and establish binding requirements for manufacturers, integrators, and operators. Companies in the automation and manufacturing industries are particularly affected, as their systems are increasingly networked and software-driven.

The CRA came into force at the end of 2024, and many companies are already working intensively on its implementation. Full compliance is required by the end of 2027—non-compliance may result in severe penalties. But what does the CRA mean in concrete terms for the industry?

We provide tips on how to prepare for the CRA, highlight key dates and deadlines, and explain why Hilscher is the right partner for cybersecurity.

 

Want to learn more about secure industrial communication or have specific questions?

Schedule a personal consultation with us now!

SPS Magazine speaks with cybersecurity expert Frank Behnke from Hilscher about the Cyber Resilience Act (CRA) and its impact on the particularly affected automation and manufacturing industry: 

How do you assess the significance of the Cyber Resilience Act for the automation sector? What challenges do you see in implementing the CRA, and what role does ‘Usable Security’ play?

The CRA, the NIS2 Directive, and the NIS2UmsuCG (local German law to implement NIS 2 on national level) are of enormous importance to the automation industry. In addition to stricter security requirements, liability issues and the obligation to provide regular security updates are added. In the future, there will be no secure industrial network without deeply integrated cybersecurity. 

Opportunities lie in unified regulation and increased trust in secure products. Companies that adopt security-by-design early and follow standards such as IEC 62443 can position themselves as reliable partners in the market. Standardization will also make it easier to offer products across Europe.

The biggest challenge is the practical implementation of the new requirements. Many companies are still at the beginning of this development and underestimate the scope of the upcoming changes. Our goal is to support with expertise—without spreading unnecessary panic.

Usable Security plays a crucial role. Security mechanisms must be user-friendly and efficient. The best security is useless if it is difficult to implement or bypassed in daily operations. Systems with centralized patch management offer a competitive advantage here, as they automate security updates and reduce administrative effort.

Frank Behnke
Head of Information Systems, Hilscher 

*Originally published in SPS Magazine 5 (May) 2025.

Which specific CRA requirements are particularly relevant for machinery, plant engineering, and the process industry? How can these requirements be effectively implemented in products and processes? 

The CRA brings profound changes to product development and operations. Particularly critical is the obligation to report security incidents within 24 hours, which requires effective incident management and security monitoring. Otherwise, severe penalties may apply. 

To meet the requirements, companies must adapt their development processes by implementing security-by-design and security-by-default from the outset.

This means:

  • Risk assessments and security audits already during the development phase
  • Sustainable update and patch strategies to keep products secure throughout their lifecycle
  • Certification compliance, as “significant changes” to existing products require re-certification 

In practice, centralized patch management systems, robust access and authentication solutions, and clearly defined processes for regular security reviews are needed. Especially for complex automation systems, it is crucial to integrate cybersecurity in a way that does not disrupt operations while reliably meeting CRA requirements.

Frank Behnke
Head of Information Systems, Hilscher

A man in a black suit and white shirt is smiling into the camera. He wears glasses and has grey hair. The environment is very bright.

What costs and effort do you expect for implementing the CRA? Will the CRA affect the competitiveness of machinery and plant manufacturers? If so, how?

The costs and effort for implementing the CRA cannot be generalized, as they depend heavily on how early companies have integrated security-by-design into their development processes. Companies already applying secure architectural principles will face less adjustment than those just beginning to retrofit cybersecurity.

In terms of competitiveness, there is a clear divide: machines and devices that are not cyber-secure will face massive disadvantages in the market. Customers and operators will increasingly rely on certified, CRA-compliant products to minimize regulatory risks.

One example is our netX 90 communication controller, which already integrates comprehensive security mechanisms. This enables secure communication solutions to be implemented directly—a clear advantage over older chip generations that lack or only partially support such functionality.

But it’s not just products that are affected—existing network technologies must also be reconsidered. Fieldbus technologies, traditionally designed for isolated systems, are now considered inherently insecure under the new regulations and are difficult to make CRA-compliant. Companies will be forced to establish secure network architectures, such as firewall solutions, network segmentation, and strict access controls. In many cases, a complete transition to more secure, IP-based communication technologies will be necessary.

Those who adopt secure architectures, modern security mechanisms, and upgradability early will gain a clear long-term market advantage.

Frank Behnke
Head of Information Systems, Hilscher 

A black netX chip surrounded by logos of various industrial protocols. The logos are in white and a are placed in colorful bubbles around the chip. Each bubble is connected to the netX chip with dotted lines.

How do you plan to support your customers in complying with CRA requirements? What recommendations do you have for SMEs in the industry to prepare for the CRA?

Our recommendation for small and medium-sized enterprises is clear: develop a plan early to systematically address CRA requirements. Cybersecurity must be integrated into product development from the very beginning—the earlier, the better.

A key point is choosing competent security partners, as the complexity of the requirements makes isolated solutions or costly missteps uneconomical. At Hilscher, for example, we work with TÜV Rheinland and have already aligned 70% of our development processes with IEC 62443-4-1—the rest will follow shortly.

Certifications under BSI IT-Grundschutz and ISO 27001 are planned for 2025. We actively share this knowledge with our customers to help them make their products and systems secure and CRA-compliant through our expertise and technologies.

Companies should also engage in industry initiatives and working groups to exchange best practices and experiences. Several initiatives currently exist where companies network and develop joint solutions for CRA challenges. Organizations such as ZVEI, VDMA, and IEC 62443 working groups offer valuable platforms for exchange and practical support in implementing the new requirements.

Frank Behnke
Head of Information Systems, Hilscher 

CRA – At a glance

The Cyber Resilience Act came into force on December 10, 2024, and must be implemented by affected companies by December 11, 2027. This regulation introduces binding cybersecurity requirements for products with digital elements to protect consumers and businesses from cyber threats.

Security Requirements

Companies must ensure that their products and services are compliant with basic security standards.

An exclamation mark within an octagon.

Risk Management

Strategies for identification und minimization of risks need to be implemented. This affects the whole lifecycle, from the idea to the product’s end of life.

A stylized bell icon.

Reporting obligations

Companies are liable to report security incidents as well as to have a corresponding patch management system at hand. Exploitable vulnerabilities need to be disclosed to customers.

NIS 2 – At a glance

The abbreviation NIS 2 stands for the second Network and Information Security Directive of the European Union. This directive, officially known as Directive (EU) 2022/2555, aims to ensure a high common level of cybersecurity within the EU. The NIS 2 Directive replaces the original NIS Directive and introduces stricter cybersecurity standards, especially for companies operating critical infrastructure.

An icon of two puzzle pieces.

Expanded framework

NIS 2 applies to a wider range of sectors, including energy, transportation, banking, healthcare and digital infrastructure.

Security requirements

The Directive requires the implementation of appropriate technical and organizational security measures and defines minimum standards for risk management and security protocols.

A stylized bell icon.

Reporting obligations

NIS 2 includes deadlines for reporting security incidents. The incident reports must meet certain requirements and be made available to the supervisory authorities.

Two boxes encircled by two half circles with arrows at the opposite ends.

Adoption into national law

The NIS 2 Regulation will be adopted into national law by the European Member States.

Secure Industrial Communication with Hilscher – Master CRA & NIS 2 with Hilscher Technology

A graphical representation of the Hilscher Secure Firmware Architecture

Our Secure Firmware Architecture

There are a number of hidden processes behind the addition of security features to our standard firmware, which we would be glad to explain to you in a dedicated training course or product workshop. It is important for you to be able to build your security architecture in terms of key management and lifecycle management as required for your use case. We support this with flexible handling of key generation and security handling.

Benefit from established secure boot mechanisms, certificate management and protocol-specific data encryption for various real-time Ethernet protocols

Arrange a personal consultation now

Facing the challenge of making your communication solution CRA-compliant? Have questions about specific regulations? Need support for a particular project? Schedule a personal appointment with one of our experts today—we look forward to speaking with you!

Make an appointment!