There are many ways for hackers to gain access to corporate IT – and thus open the virtual gates to sabotage, data theft and industrial espionage. Cyber risks from generative artificial intelligence have long been an everyday threat. Reason enough for the Eckelmann Group to include targeted cyber security measures in its risk management. For Stefan Becker, Head of Business Unit Automation Project Production | Logistics | Digital Solutions and member of the Executive Board at Eckelmann, the European Union’s Cyber Resilience Act (CRA) is an important step towards security.
Mr. Becker, how do you assess the need for the Cyber Resilience Act, or CRA for short?
The CRA provides guidance to anyone who wants to protect their digital assets in our interconnected world. I consider the Cyber Resilience Act to be a groundbreaking initiative which, on the one hand, sets out the central necessity of cyber security and compliance and, on the other hand, enables EU-wide strength through cyber prevention.
How does Eckelmann design a sustainably networked world?
At Eckelmann, 200 engineers, computer scientists and natural scientists work and research on the design of a sustainable and networked world! Digital data is our working tool. Eckelmann is a full-service provider for industrial automation and digitalization. As a specialist for the requirements of machine manufacturers and system integrators, Eckelmann creates exquisite and exclusive solutions in a trustworthy partnership, the uniqueness of which protects the customer’s intellectual property (IP).
It is also important to secure customer data in the long term. That is why we offer services to comply with the Cyber Resilience Act alongside our solutions. The regulation recently published in the Official Journal of the EU contains requirements for the cyber security of products with digital elements. Affected companies now have 36 months to implement the requirements contained in the CRA. Certain reporting obligations must already be fulfilled in the next 21 months.
What is the CRA – and what does it mean for development at Eckelmann?
The CRA is a regulation issued by the European Union. Due to the fact that the CRA is a regulation, it does not have to be transposed into national law by means of implementing legislation.
As we at Eckelmann have long-term projects, it is very important for us to know the requirements today, to evaluate them and to develop our products accordingly.
The CRA comes into force in two stages, with Article 14 (Duty to notify) coming into force first. The entire regulation will follow later.
What does the reporting obligation that comes into force on September 11, 2026 mean?
An exploited vulnerability must be reported by the manufacturer via the ENISA (European Union Agency for Cybersecurity) platform within 24 hours of becoming known. This applies to all products with digital elements that are active in the field, regardless of when these products were developed.
What does the general application of the CRA mean as of December 11, 2027?
From December 11, 2027, all products covered by the CRA must comply with it in full. Only if these products meet the essential requirements of the CRA may they bear a CE marking and be placed on the market in the European Union.
This also applies to products that are already under development today and will not be placed on the market until after December 11, 2027.
Can you give us an example from practice that shows how necessary the binding nature of the CRA is?
Attacks on industrial plants are not just fiction for us. We actually support customers whose entire IT infrastructure has been attacked from outside. In one specific case, our service succeeded in maintaining production despite a completely corrupted infrastructure. Our system controls were adequately protected and well decoupled from the rest of the networks. This enabled us to continue supplying our customers’ production with orders – and avert considerable economic damage.
How does the CRA differ from the Network and Information Security Directive, or NIS2 for short?
While the CRA focuses on the security of products with digital elements, the NIS2 directive targets the security of critical infrastructure and particularly important facilities. Eckelmann also falls under the NIS2 directive.
It defines requirements for securing a company’s own IT. From December 2027, companies that purchase products with digital elements will be able to rely on the manufacturer’s CE declaration regarding the cyber security of the products.
To which hardware or software products does the CRA apply?
The CRA is a cross-industry regulation. The focus is on the entire supply chain – all products with digital elements that can communicate, from cell phones and smart home refrigerators to the industrial components we produce. These include, for example, industrial controls, remotely maintainable machines and control systems – basically everything that our customer solutions contain.
Our specialists take on the risk analysis and are always informed about changes to legislation at EU level, in an effort to relieve our customers of some of the work involved in the context of the CRA.
Is risk management a new topic for Eckelmann?
No, risk management is an essential part of our corporate culture. We have established a risk management system that deals with the risks and opportunities of both the Group and the individual projects and products. This has already been confirmed by various stakeholders.
What does this look like in practice?
In close cooperation with the customer’s specialists, we examine the existing cyber resilience strategy in order to make any necessary adjustments and to identify and close any weak points in the network. Based on the resulting risk assessment, we design and develop cyber security functions for the entire product life cycle.
At Eckelmann, we place a particularly high value on this vulnerability management. Depending on the contract, we can guarantee ideal protection between the manufacturer and commercial user with security updates.
The addition of automated and digital documentation is a matter of course, as the CRA requires the identification and documentation of vulnerabilities in products and components.