10.09.2025

Cybersecurity for industrial systems: Strategically preparing for the Cyber Resilience Act

The requirements for operators and manufacturers of networked industrial systems are constantly increasing. With the Cyber Resilience Act (CRA), the European Union has for the first time established a binding legal framework for the cybersecurity of digital products. Meanwhile, ISO/IEC 62443 remains the internationally recognised standard for securing industrial automation and control systems (IACS). Our consulting services help companies integrate both sets of requirements effectively.

Arrange a non-binding initial consultation
Your ISiCO-Expert:
Dr. Jan Scharfenberg
Director Information Security

The Cyber Resilience Act, in conjunction with ISO/IEC 62443

The CRA introduces new obligations for all parties involved in the industrial value chain, including manufacturers, system integrators, suppliers, and operators of digital products. These parties must implement and document security requirements comprehensively throughout the entire product life cycle. Important elements such as security by design, vulnerability management and update processes will become mandatory.

ISO/IEC 62443, in turn, provides a proven technical and organisational framework for implementing these requirements in a structured manner. Particularly relevant here are Part 2-1 (security management), Part 3-2 (risk assessment) and Part 4-1 (secure development process).

Information security that protects and thinks ahead

We don't just secure your systems; we also strengthen your structures. We provide well-thought-out IT security solutions that are tailored to your company and evolve alongside it.

Book your appointment now

What is ISO/IEC 62443?

It is an internationally recognised set of standards for the cybersecurity of industrial automation and control systems (IACS). It provides manufacturers and operators with a structured approach to securing these systems. The standard covers the entire life cycle, from system development and integration to operation and maintenance. Thanks to its modular structure, ISO/IEC 62443 enables role-based implementation by manufacturers, integrators, and operators. In the context of the CRA, it provides the methodological basis for meeting legal requirements systematically, verifiably, and in a risk-oriented manner.

Our cyber security consulting services for industrial systems

1. Gap analysis and risk assessment

We systematically analyse security gaps within your organisation and product portfolio. We take both CRA requirements and ISO/IEC 62443 into account. The focus is on the following, among other things:

  • Security organisation according to ISO/IEC 62443-2-1;
  • Risk analysis methodology according to ISO/IEC 62443-3-2;
  • Development processes according to ISO/IEC 62443-4-1;
  • Future CRA obligations for manufacturers and operators.

2. Standard-compliant implementation

We provide support for implementing the necessary technical and organisational measures.

  • Establishment of security by design and by default;
  • Segmentation strategies and network architectures;
  • Vulnerability management processes;
  • Certification preparations in accordance with ISO/IEC 62443;
  • Harmonisation with CRA requirements for CE conformity.

3. Documentation & Verifiability

We create or revise your technical documentation with a view to legal verifiability:

  • Security architecture and analyses;
  • Risk and threat assessments;
  • Update and patch strategies;
  • Vulnerability management and reporting processes.

4. Manufacturer obligations and CE marking

We provide support for the practical implementation of the new CRA obligations, including:

  • Market surveillance and reporting obligations (Article 11 of the CRA);
  • CE marking based on conformity assessment;
  • Documentation obligations in accordance with Annexes I and II of the CRA.

5. Integration consulting for suppliers and OEMs

We facilitate coordination along complex supply chains:

  • Definition of roles in accordance with ISO/IEC 62443 (asset owner, system integrator and component supplier);
  • Coordination of responsibilities between manufacturers and OEMs;
  • Contract drafting to safeguard liability and verification issues.

The advantages of our integrated consulting services

Our integrated consulting services enable you to make optimal use of the synergies between ISO/IEC 62443 and the Cyber Resilience Act, establishing a uniform and robust cyber security strategy.

Through targeted action planning, we avoid unnecessary over-implementation and keep the implementation efficient in terms of both time and cost.

Furthermore, we future-proof your organisation by integrating harmonisation with other EU digital laws, such as the NIS 2 Directive, into the strategy from the outset.

Target groups

Our services are aimed specifically at:

  • Manufacturers and developers of networked industrial components and systems;
  • System integrators and operators of critical infrastructures;
  • OEMs responsible for product and process safety in Europe.