
Security for End Users of Products with Digital Components

Eckelmann Provides Information on the EU-Wide Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) is an initiative of the European Union that mandates cybersecurity requirements for products with digital components.

It defines binding obligations for manufacturers of digital products, in particular the implementation of security by design. Eckelmann is an experienced partner and provides concrete answers on how to implement the CRA in practice!

Cyberattacks are among the most significant risks companies face today. The financial damage caused by stolen data, paralyzed IT infrastructures, halted production, as well as the loss of trust among customers and partners, can be existential. Cyberattacks have long since crossed national borders.

The CRA requires concrete preventive measures:

  • Comprehensive analysis and risk assessment for software and products
  • Proof of CRA compliance via CE marking
  • A mandatory to-do list for protection against vulnerabilities
  • Industrial security: process management for security gaps (vulnerability management)
  • Provision of security updates
  • Mandatory incident reporting to the EU agency ENISA within 24 hours
  • Mandatory (customer) communication

The mandatory CRA was introduced at the end of 2024 to protect consumers and businesses across the EU from cyberattacks. As a result, transparency for products with digital components is now mandatory.

There are transition periods:

  • Incident reporting and vulnerability handling obligations apply 21 months after entry into force (from September 11, 2026).
  • All other obligations, including CE conformity under the CRA, apply 36 months after entry into force (no later than December 11, 2027).

At Eckelmann, CRA implementation applies to:

  • Software, especially cloud-based software
  • Industrial control technology and network-connected embedded systems
  • Networked components such as controllers, drives, and sensors
  • Machines and systems that use these components
  • Firmware and operating systems
  • Machine software that establishes network connectivity
  • Plant and system software
  • Vision AI (image processing systems)

Digital Security Across the Entire Lifecycle of Machines and Systems

Advancing digitalization and industrial automation for companies, for example through software development, artificial intelligence (AI), and operational technology (OT), is a core mission of Eckelmann.

For decades, Eckelmann’s expert teams have supported machine builders and operators in securing their machines and systems, including continuous vulnerability assessments and maintaining digital security throughout the entire lifecycle.

We actively support our customers in meeting CRA requirements:

  • With our hardened software framework featuring a high degree of standardization, ensuring timely patches for all products (see the section “Digital Security Across the Entire Lifecycle of Machines and Systems”).
  • Eckelmann software follows a build process with automatic cross-checking against known vulnerability databases (see “Build Infrastructure: CRA Considered Holistically”).
  • Our software bills of materials (SBOMs) are reviewed at regular intervals for known vulnerabilities (see “Querying Enterprise Interfaces – Reporting Attacks”).
  • Eckelmann solutions for industrial control technology are accompanied by a 360° risk assessment. For this purpose, we have developed an in-house AI-based risk assessment solution.
  • Encryption and authentication (MFA) are standard features of Eckelmann solutions (see “CRA Preparation: Security by Design & Default”).

Our custom software solutions already include business logic. Without security measures, automated machines and systems would be vulnerable to attack. Recurring standard components from Eckelmann include:

  • Authentication
  • Logging (monitoring and recording events, status messages, or errors within our software)
  • Databases & documentation
  • Encryption
  • Communication
  • UI visualization / user-friendly HMI solutions

With the goal of consumer protection, the CRA has for the first time introduced binding cybersecurity requirements for manufacturers and system integrators like Eckelmann, as well as importers and distributors. Eckelmann’s standard components already provide the necessary prerequisites for CRA compliance.

CRA Preparation: Security by Design & Default

Software development is our daily business. Accordingly, our security approach of “Security by Design & Default” is a given. This means that from the very first planning step, preventive security is at the center of our IT development: risk analyses and security concepts including threat analysis, secure architectural decisions, protected update mechanisms, and the protection of stored and transmitted data.

As part of CRA preparation, our expert team begins with a comprehensive risk analysis including a gap analysis to close potential security gaps.

Vulnerabilities are identified cyclically, their relevance assessed, and appropriate measures initiated. For us, CRA implementation does not end with CE certification. It also includes technical documentation and ongoing lifecycle management.

Build Infrastructure: CRA Considered Holistically

Creating digital security is a commitment. Together, by fulfilling the CRA, we can help shape a secure digital era. Throughout the entire IT development process, the CRA specifies essential aspects such as access protection, confidentiality, integrity, and availability.

This applies to the build infrastructure as an overall system consisting of software, hardware, and services that automate software build processes.

The required security applies for the expected product lifecycle. The CRA mandates security updates for the anticipated period of use, typically around five years. Updates must be clearly communicated, integrated, and deployed in a user-friendly manner (“secure by default”).

Querying Enterprise Interfaces – Reporting Attacks

Eckelmann positions itself as a partner in fulfilling the CRA to strengthen trust in the digital infrastructure of the European Union.

The CRA obligates manufacturers to report security incidents and actively exploited vulnerabilities within 24 hours of becoming aware of them. Significant fines may apply.

In Germany, the Federal Office for Information Security (BSI) is the enforcing authority for the CRA and holds market surveillance responsibilities.

Documentation & Updates

Security risks must be documented by the manufacturer, and clear user instructions must be provided. Documentation of product design and processes includes automated SBOM checks (Software Bill of Materials), the implementation of vulnerability management, and regular updates along with documentation for end users.

Security vulnerabilities must be resolved throughout the entire product lifecycle or a defined support period (at least every five years), and updates must be documented.

“A challenging task with high expectations – this is where we can demonstrate our CRA expertise and our conscientious commitment. Whenever customers define tight timelines, we rise to the occasion!”

Dr. Marco Münchhof, Member of the Board, Eckelmann AG

The Key CRA Questions at a Glance

The EU-wide mandatory regulation, the Cyber Resilience Act (CRA), entered into force on December 10, 2024. The most important obligations required by the CRA apply from December 11, 2027.

Cybersecurity threats are often cross-border and can therefore impact multiple countries. Centralized EU-wide oversight also improves information exchange and promotes cooperation between EU member states.

The CRA and the NIS2 Directive both aim to strengthen cybersecurity across the EU, but with different focuses. The CRA addresses products with digital elements by defining binding security requirements for hardware and software and applies to products manufactured, imported, or sold in the EU.

The NIS2 Directive focuses on the cybersecurity of digital services such as networks and information systems. Together, the NIS2 Directive and the CRA complement each other.

Responsibility for cybersecurity lies with manufacturers. The CRA includes a wide range of requirements for manufacturers, importers, and distributors of products with digital elements that can communicate with other products. This includes hardware and software products such as those developed and produced by Eckelmann, for example controllers, sensors, or operating systems.

The CRA applies to all companies and system integrators that buy and sell products with digital elements, regardless of the manufacturer’s location. They must ensure that products introduced into, procured for, or sold in the EU market comply with CRA requirements.

This applies in particular to conformity assessments and CE marking, as well as contact details on imported products.

A foundation for rapid response to cyberattacks: With the introduction of the CRA, all companies across the EU are required to report cybersecurity incidents and actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of them. To meet this extremely tight deadline, affected companies must establish appropriate processes and reporting channels at an early stage.

The CRA makes inadequate IT security legally enforceable. For various violations of the CRA, manufacturers may face fines of up to €15 million or up to 2.5% of their annual global turnover.

The Cyber Resilience Act improves cybersecurity standards for all products that contain a digital component. Eckelmann ensures IT security both at the time of product release and throughout the entire lifecycle, including planning, development, production, installation, and service.

Note: The information provided on this website does not constitute legal advice.

Do you have questions?

Oliver Elias Sebastian
Head of Sales Automation Products
Email: o.sebastian@eckelmann.de
