The European Union has recently published new regulations in its official gazette: the Network Resilience Act (CRA). This law sets out the cybersecurity standards that products containing digital elements must adhere to. Under this act, all affected companies have 36 months to ensure compliance with CRA’s requirements. Additionally, for certain specific reporting obligations, companies must complete them within the next 21 months.

Who Needs to Comply with the CRA?

The short answer is: all manufacturers, importers, and distributors selling products with digital elements on the EU market must comply with these regulations. This includes B2C products such as smartphones and robotic vacuum cleaners, B2B products like controllers and sensors, as well as pure software products, such as operating systems.

Key Requirements for Machinery Manufacturers to Focus On

• Risk Assessment and Safeguards: Manufacturers must ensure their products meet appropriate cybersecurity levels throughout their lifecycle, starting from the design and development stages.

• Vulnerability Management: Manufacturers must address known vulnerabilities by providing free security updates, unless other agreements are made with commercial users.

• Documentation: Manufacturers must identify and record any vulnerabilities and component details in their products.

• Reporting Obligations: If vulnerabilities are discovered, manufacturers must report them within 24 hours via the EU Agency for Cybersecurity (ENISA) reporting platform.

Actions Machinery Manufacturers Can Take

As experts in automation safety, PILZ advises machinery manufacturers to adapt to the CRA requirements in a timely manner and collaborate with component manufacturers and operators to develop cooperative concepts. This includes determining which network areas machines will operate in and how to handle software updates, among other considerations. By addressing these issues upfront, each economic operator can fulfill their new organizational and technical responsibilities.

For years, PILZ has supported machinery manufacturers and users with device and machine safety, including compliance with new industrial cybersecurity standards. Without adequate security, all safety measures in machinery are vulnerable, making it essential to take preventive actions.