EU Cyber Resilience Act

Clear guidance for industrial automation compliance

Understand what's required, when it's required, and how FLECS helps you get there. Based on official EU sources, with clear timelines and actionable steps.

Understanding the CRA

What is the EU Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for all products with digital elements sold in the European Union.

Entered into force: 10 December 2024
Full enforcement: 11 December 2027
Applies to: Hardware & software with network connectivity
Scope: Manufacturers, importers & distributors

What's new

Unlike previous regulations, the CRA requires:

  • Security by design throughout the product lifecycle
  • Mandatory vulnerability reporting within 24 hours
  • Software Bill of Materials (SBOM) for all products
  • CE marking for cybersecurity compliance

Who's affected

Industrial automation products are explicitly in scope:

  • IoT devices
  • PLCs
  • Controllers
  • Gateways
  • Connected software
CRA Annex I

The 21 Essential Requirements

CRA Annex I defines the essential cybersecurity requirements that products with digital elements must address by December 2027. It applies to all products placed on the market after that date, including legacy products that continue to be sold.

Ref   | Requirement              | Summary
I.1   | No known vulnerabilities | Ship without exploitable vulnerabilities
I.2   | Secure by default        | Secure configuration out of the box
I.3   | Minimal attack surface   | Only necessary components enabled
I.4   | Data protection          | Encrypt data at rest and in transit
I.5   | Secure communications    | TLS and encrypted protocols
I.6   | Access control           | Authentication and authorization
I.7   | Integrity protection     | Detect unauthorized modifications
I.8   | Security logging         | Audit trails for security events
I.9   | Recovery capability      | Backup and restore functions
I.10  | Network isolation        | Don't compromise other systems
I.11  | Minimal interfaces       | Reduce exposed attack vectors
I.12  | Incident containment     | Limit breach impact
I.13  | Monitoring opt-out       | User control over telemetry
CRA Article 6 & Annexes III/IV

Product Classification

The CRA categorizes products based on cybersecurity risk. Your category determines the conformity assessment procedure required.

Default (~90% of products)
Conformity assessment: Self-assessment (Module A)

Products not listed in Annex III or IV. Manufacturers can self-declare conformity using internal control procedures.

Industrial Automation Examples
  • Basic HMI panels
  • Simple sensors
  • Data loggers
  • Industrial monitors
  • Basic edge devices
Important Class I (~8% of products)
Conformity assessment: Harmonised standards or third-party

If harmonised standards exist and are applied, self-assessment is permitted. Otherwise, third-party assessment is required.

Industrial Automation Examples
  • Identity management systems
  • VPN devices & software
  • Network management systems
  • SIEM systems
  • Update/patch management tools
Important Class II (~1.5% of products)
Conformity assessment: Third-party required

Mandatory third-party conformity assessment by notified bodies. No self-assessment option regardless of standards.

Industrial Automation Examples
  • Hypervisors & container runtimes
  • Industrial firewalls
  • Intrusion detection/prevention
  • Tamper-resistant microcontrollers
  • Secure elements in machinery
Critical (<0.5% of products)
Conformity assessment: European cybersecurity certification

Products for critical infrastructure. These require certification under EU cybersecurity certification schemes (Regulation 2019/881).

Industrial Automation Examples
  • Hardware Security Modules (HSMs)
  • Smart meter gateways
  • Secure elements for critical systems
  • Smartcard readers for infrastructure

Not sure about your classification?

Take our quick assessment based on CRA Article 6 and Annexes III/IV to determine your likely product category.

View Regulation (EU) 2024/2847 full text
CRA Article 13 & Annex I

Software Bill of Materials (SBOM)

The CRA requires manufacturers to maintain an SBOM: a complete inventory of the software components in your product.

CRA SBOM Requirements

Annex I, Part II (1)
Machine-readable format: SPDX, CycloneDX, or SWID tags
Top-level dependencies: Minimum requirement for component listing
Authority access: Must be provided to market surveillance authorities on request
Not publicly required: Internal documentation, not public disclosure

Why it matters for industrial automation

Your products likely include open source components, third-party libraries, and firmware dependencies. The SBOM traces:

  • What components are included
  • What versions are deployed
  • Known vulnerabilities in those components
  • License compliance status
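As an added example (not FLECS code and not part of the original page), the following Python reads a constructed, trimmed SPDX 2.3 JSON document, lists its top-level components with their versions, matches them against a constructed advisory list, and flags packages whose declared license is unresolved. All package names, versions and advisory identifiers are invented placeholders.

```python
import json

# Constructed SPDX 2.3 JSON fragment for a hypothetical gateway firmware.
# Trimmed to the fields this example uses; a complete document also carries
# creationInfo, documentNamespace and a downloadLocation per package.
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-gateway-firmware",
  "packages": [
    {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
     "versionInfo": "3.0.7", "licenseDeclared": "Apache-2.0"},
    {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib",
     "versionInfo": "1.2.13", "licenseDeclared": "Zlib"},
    {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
     "versionInfo": "2.1.0", "licenseDeclared": "NOASSERTION"}
  ]
}"""

# Constructed advisory list: (component, first affected, first fixed, placeholder id).
# Real feeds (CVE, vendor advisories) would replace this; the ids are invented.
ADVISORIES = [
    ("openssl", "3.0.0", "3.0.8", "PLACEHOLDER-ADV-1"),
    ("zlib", "1.2.0", "1.2.12", "PLACEHOLDER-ADV-2"),
]


def parse_version(v):
    # Dotted numeric versions only; good enough for the constructed data above.
    return tuple(int(part) for part in v.split("."))


def load_components(sbom_json):
    # Returns (name, version, declared license) for every package in the SBOM.
    doc = json.loads(sbom_json)
    if doc.get("spdxVersion") != "SPDX-2.3":
        raise ValueError("unsupported SPDX version: %r" % doc.get("spdxVersion"))
    return [(p["name"], p["versionInfo"], p.get("licenseDeclared", "NOASSERTION"))
            for p in doc["packages"]]


def match_advisories(components, advisories):
    # A component is affected when first_affected <= version < first_fixed.
    hits = []
    for name, version, _license in components:
        for adv_name, lo, hi, adv_id in advisories:
            if name == adv_name and parse_version(lo) <= parse_version(version) < parse_version(hi):
                hits.append((name, version, adv_id))
    return hits


def unresolved_licenses(components):
    # Packages whose license is still NOASSERTION need manual review.
    return [name for name, _version, lic in components if lic == "NOASSERTION"]
```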
FLECS Platform

SBOM Capabilities

Automated component inventory: Continuous scanning and cataloging of all software dependencies
SPDX 2.3 format export: Industry-standard format ready for regulatory submission
Vulnerability database integration: Automatic matching against CVE and security advisories
Continuous CVE monitoring: Real-time alerts when new vulnerabilities affect your components
CRA Compliance Made Simple

Ship CRA Compliant Products Faster

Integrated device management, central services, and automated compliance workflows.

On the Device

Status: Active
Managed Operating System: Maintained, update-capable OS with defined update channels
App Lifecycle Management: Installation & maintenance of apps with fully automated lifecycle management
Security by Design: RBAC & certificate-based communication built into FLECS Core
App Ecosystem: Access to 60+ standard apps for rapid controller extension

Central Service Portal

Status: Active
Download Portal: Tools, drivers & firmware for all systems
License Management: License provisioning & activation
Order Management: Centralized procurement & fulfillment
Structured Distribution: Support for existing update processes
Automated Release: Test & release apps with a fully automated CI/CD pipeline

Compliance Management

Status: In development
SBOM Integration: Use of customer-side Software Bills of Materials
CVE Scanning: Automated vulnerability scanning & risk analysis
Update Notifications: Alerts & controlled update processes via central profiles

CRA Annex I Requirements

How FLECS addresses each requirement

Ref   | Requirement               | Summary                                  | FLECS status
I.1   | No known vulnerabilities  | Ship without exploitable vulnerabilities | Coming soon (CVE scanning planned)
I.2a  | Secure by default         | Secure configuration out of the box      | Covered
I.2b  | Minimal attack surface    | Only necessary components enabled        | Covered
I.2c  | Data protection           | Protect stored data appropriately        | Covered
I.2d  | Secure communications     | Encrypted data in transit                | Covered
I.2e  | Access control            | Authentication and authorization         | Covered
I.2f  | Integrity protection      | Detect unauthorized modifications        | Coming soon
I.2g  | Security logging          | Audit trails for security events         | Beta (nearly complete)
I.2h  | Recovery capability       | Backup and restore functions             | Covered
I.2i  | Network isolation         | Don't compromise other systems           | Covered
I.2j  | Minimal interfaces        | Reduce exposed attack vectors            | Covered
I.2k  | Incident containment      | Limit breach impact                      | Covered
I.2l  | Monitoring opt-out        | User control over telemetry              | Covered
II.1  | SBOM documentation        | Machine-readable component inventory     | Coming soon (SBOM integration planned)
II.2  | Separate security patches | Decouple security from features          | Covered
II.3  | Security testing          | Regular pentests and assessments         | Coming soon
II.4  | Vulnerability disclosure  | Publish fixed vulnerabilities            | Coming soon
II.5  | Disclosure policy         | Process for security reports             | Coming soon
II.6  | ENISA communication       | 24h reporting to EU agency               | Coming soon
II.7  | Signed updates            | Cryptographic verification               | Coming soon
II.8  | Free security updates     | No charge for patches                    | Covered
Full CRA Coverage by December 2027

End-to-End Compliance Infrastructure

From device-level security to central management and automated compliance. Focus your engineering time on building great products while FLECS handles compliance.

FAQ

CRA Compliance Questions

Answers to the most common questions about the Cyber Resilience Act and how it applies to your products.

Insights into CRA compliance readiness

Learn what it takes to achieve Cyber Resilience Act conformity for industrial automation products in this comprehensive guide based on official EU requirements and industry best practices.

Ready to learn more?

See how FLECS simplifies CRA compliance for industrial automation manufacturers with built-in security updates, automated vulnerability tracking, and ready-to-use conformity documentation.

Professional services

Discover how FLECS Integration experts can help you launch new industrial automation solutions quickly and effectively.