# Fit for the CRA

Pilz Magazine, published 29 January 2025 (updated 12 March 2025). Source: https://pilz-magazine.com/en/cra-regulation-cybersecurity-interview/

In an interview, Matthias Kuczera, expert in "Functional Safety – Standards" at Pilz GmbH & Co. KG, explains exactly how affected companies can prepare well for the Cyber Resilience Act (CRA).

## Mr Kuczera, why do we need EU legislation on cyber resilience? And who is affected by the requirements?

The aim of the Cyber Resilience Act is to provide better protection from cyber attacks for consumers and businesses. The CRA contains a variety of specifications for manufacturers, importers and distributors of products with digital elements, which are capable of communicating with other products. This includes hardware and software products.

[Portrait photo: Matthias Kuczera]

> "Without Security, a machine with all its Safety measures is vulnerable and unprotected."
>
> Matthias Kuczera, expert in "Functional Safety – Standards" at Pilz GmbH & Co. KG.

Consumer products such as smartphones, laptops, smart home devices, smartwatches and connected toys are affected. B2B products such as controllers and sensors also fall under the scope of the CRA. Software products such as operating systems are also affected.

## When must the requirements of the Cyber Resilience Act be implemented?

The CRA is an EU Regulation and not a Directive. So, in contrast to the NIS-2 Directive, it is directly applicable in all EU member states and national implementation is not required. However, there is a transition period. The CRA is to be implemented in various stages, from the end of 2024 until mandatory application from 11 December 2027. Manufacturers' reporting obligations will apply from 11 September 2026, and requirements to notify conformity assessment bodies will apply from 11 June 2026.

## What specifically is required in the legally binding CRA?

The new Regulation is binding on manufacturers, importers and retailers. All products that contain digital elements and bear the CE mark must guarantee an appropriate level of cybersecurity. To summarise, this means there are specific requirements for risk assessment and guarantee, vulnerability management, documentation and reporting obligations.

## An overview of the key requirements

### Risk assessment and guarantee

Manufacturers must design and develop products in such a way that an appropriate level of cybersecurity is guaranteed during the whole product lifecycle.

### Vulnerability management

Manufacturers must eliminate known vulnerabilities through free security updates, unless otherwise agreed between the manufacturer and commercial user with regard to a customised product.

### Documentation

Manufacturers must identify and document vulnerabilities and components in their products. Part of this documentation includes the production of a software bill of materials (SBOM) in a machine-readable format.

The way in which security gaps are handled should also be documented, for example, when a manufacturer provides security updates for its product.

### Reporting obligations

Within 24 hours of becoming aware of each actively exploited vulnerability and each serious security incident, the manufacturer must report it via the ENISA reporting platform (European Union Agency for Cybersecurity), in the form of an early warning. The manufacturer has up to 72 hours to add further details. A final report must be submitted within 14 days for each actively exploited vulnerability or within one month for each serious security incident.

## Do you have any tips for machine manufacturers?

For decades, Pilz has been supporting machine builders and users with the Safety of their plant and machinery – including with the new requirements for Industrial Security. Because without Security, a machine with all its Safety measures is vulnerable and unprotected. Precautionary measures are a must. We recommend that machine manufacturers address the requirements of the CRA promptly, and work with component manufacturers and operators to develop cooperation concepts. Typical questions that need to be clarified between economic actors include: In which network zone should a machine be operated? How should software updates be handled? When does component support end? For how long can users expect to receive security updates and have vulnerabilities fixed? What constitutes a "substantial modification" to a machine?

Only when questions like these are clarified can each economic operator fulfil its new organisational and technical obligations. It is also helpful to always keep up to date. Subscriptions to newsletters and RSS feeds on eur-lex.europa.eu will keep you informed about legislative changes at EU level. I also recommend the Common Security Advisory Framework (CSAF) for implementation of the CRA requirements. It is a standardised, open source framework for communication and automated distribution of machine-processable vulnerability and mitigation information, known as Security Advisories.

Further information on Industrial Security: https://www.pilz.com/en-DE/products/industrial-security

Categories: Issue 1/2025, Knowledge, Laws and standards