Topics 30 September 2025

Cyber Resilience Act

New Obligations for Manufacturers, Greater Safety for Users

In an increasingly networked world, companies are facing a growing flood of cyberattacks that seriously compromise their security and operations. A successful hacker attack can paralyze networks, lead to significant data loss, or interrupt operations for weeks, causing substantial economic damage.

Cyberattacks in Germany alone have recently caused damages of around €180 billion. The European Union is responding to these threats with the Cyber Resilience Act (CRA), which aims to establish uniform cybersecurity standards for networked products within the EU and increase product-level security.

Want to Learn More?

Act now to secure a free consultation!

CRA Objectives and Requirements

As the first European regulation of its kind, the Cyber Resilience Act (CRA) sets a binding minimum level of cybersecurity for all connected products. Starting December 11, 2027, manufacturers will be required to comprehensively protect products with digital elements throughout their entire lifecycle — from development to decommissioning. These measures aim to sustainably strengthen cybersecurity in the EU, improve consumer protection and minimize economic risks. To achieve these goals, the CRA Regulation defines five core requirements:

  • Cybersecurity throughout the entire product lifecycle

Security measures are integrated from the beginning of product development. Principles like secure by design, secure by implementation, and secure by default ensure continuous protection over the entire lifecycle.

  • Vulnerability management and reporting obligations

A central reporting platform will document actively exploited vulnerabilities and security incidents. This transparency helps users respond faster, so that security gaps can be identified and closed efficiently.

  • Security updates and support

Manufacturers must provide free security updates throughout the product’s lifecycle. The support period typically spans five years and includes vulnerability management.

  • Conformity procedures and CE marking

Products must undergo risk-based conformity assessments and receive CE marking to gain EU-wide approval and guarantee necessary safety standards.

  • Consumer protection and damage prevention

Manufacturers must proactively prevent vulnerabilities and manipulation to reduce cyberattack risks. EU standards and preventive measures protect users from unsafe devices and help reduce long-term economic damage.

Impact on Users

The Cyber Resilience Act (CRA) does not impose direct obligations on end users. However, together with the NIS 2 Directive, it underscores the importance of prioritizing protective measures and choosing compliant products for both new installations and retrofits. This proactive approach is essential to fully secure systems against cyber threats and ensure long-term protection.

As a horizontal regulation, the CRA covers a wide range of product categories — from household appliances and industrial software to IoT devices — with a few exceptions such as medical technology and motor vehicles. Starting December 11, 2027, all hardware and software products must comply with CRA requirements to receive CE marking and EU market placement. Users such as planners, operators, and integrators should incorporate these requirements into their planning to ensure the conformity of newly deployed products.

Although implementation may be particularly challenging for manufacturers, these standards significantly enhance the long-term safety and reliability of systems and processes. A robust cybersecurity strategy enables rapid recovery in the event of an attack and ensures business continuity. Thanks to manufacturers’ obligation to disclose security features and potential risks, users can make informed decisions when selecting products — helping protect systems from data breaches and outages.

The Role of the IEC 62443 Standard at WAGO

In the face of increasingly complex cyberattacks, the IEC 62443 standard is a powerful tool against cyber threats. It integrates security measures, such as access controls and data encryption, throughout the entire product lifecycle and provides internationally recognized standards for industrial automation and control systems. Key principles like trust zones, defense-in-depth, and least privilege create additional layers of protection against attackers.

One major advantage of IEC 62443 is its alignment with many of the requirements of the Cyber Resilience Act (CRA), simplifying product compliance. As early as 2022, WAGO certified its development lifecycle for automation products according to IEC 62443-4-1, ensuring that both WAGO and its customers are well-prepared to meet the CRA’s new obligations.

Secure with WAGO through the Cyber Resilience Act

The Cyber Resilience Act is a milestone in product safety regulation, presenting not only challenges but also significant opportunities. Whether you're a manufacturer, integrator, or operator, WAGO Cybersecurity Consulting positions you to meet the new standards effectively.

Our experienced team supports you in implementing comprehensive security measures and continuously monitoring your systems. From planning to full implementation, our experts are by your side — ensuring your systems are not only CRA-compliant but also offer the highest level of protection.

Other Interesting Topics

Strengthening Cyber Resilience

With rising damages from cyberattacks and new EU regulations like the Cyber Resilience Act (CRA), holistic cybersecurity is becoming indispensable for businesses. Dr. Christopher Tebbe, Security Expert at WAGO, and Kilian Fröhlich, Manager in OT Security Consulting, explain how WAGO is addressing these challenges.

Full Speed Ahead for Cyber Resilience at Sea

Achieving Ship Classification with WAGO Security Consulting

No matter your industry or whether you're just starting or have already taken steps, WAGO is here to strengthen your cyber resilience and ensure compliance with legal requirements such as the Cyber Resilience Act and the NIS 2 Directive.
