Effects of the Cyber Resilience Act (CRA) on Industrial Equipment Manufacturing Companies
Roosa Risto, Mohit Sethi, Mika Katara
TL;DR
The paper addresses the regulatory impact of the EU Cyber Resilience Act (CRA) on industrial equipment manufacturers and investigates readiness through a targeted survey of 12 European companies. It analyzes how CRA aligns with IEC 62443, emphasizing SDL adoption, vulnerability management, and documentation, while highlighting added CRA requirements such as fixed vulnerability-notification timelines. Key findings reveal challenges in 24-hour exploitation notifications, mandatory security updates, SBOM management, and conformity assessment uncertainties, along with concerns surrounding open-source software governance. The study offers practical recommendations on tooling, shift-left training, cross-functional governance, and standardized disclosure workflows to help industry prepare for full CRA compliance by December 2027.
Abstract
The Cyber Resilience Act (CRA) is a new European Union (EU) regulation aimed at enhancing the security of digital products and services by ensuring they meet stringent cybersecurity requirements. This paper investigates the challenges that industrial equipment manufacturing companies anticipate while preparing for compliance with CRA through a comprehensive survey. Key findings highlight significant hurdles such as implementing secure development lifecycle practices, managing vulnerability notifications within strict timelines, and addressing gaps in cybersecurity expertise. This study provides insights into these specific challenges and offers targeted recommendations on key focus areas, such as tooling improvements, to aid industrial equipment manufacturers in their preparation for CRA compliance.
