
Cyber Resilience Act (CRA)

Leading the Way: Our Commitment to CRA Compliance

Our Strategic Understanding of the Cyber Resilience Act

The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, is a landmark piece of EU legislation that establishes horizontal cybersecurity requirements for products with digital elements (PwDE) placed on the EU market. The requirements apply regardless of where a product is manufactured: any manufacturer, in the EU or elsewhere, that places an in-scope product on the EU market must meet them.

Diagram showing that Cyber Resilience Act compliance is required for a product to receive the CE marking in the EU.

CRA in a Nutshell

The CRA establishes clear, horizontal cybersecurity requirements for products with digital elements (PwDE) across their entire life cycle. Manufacturers must comply with these security requirements to obtain the coveted CE marking, without which they cannot place products on the EU market.

In a nutshell, the main goals of the CRA include:

  • Building the resilience of the European digital market.
  • Increasing the transparency of cybersecurity for users.
  • Ensuring digital products (PwDE) have fewer vulnerabilities.

Flowchart illustrating the Cyber Resilience Act's core cybersecurity requirements, which are broken down into four key pillars: secure-by-design, lifecycle security, vulnerability management, and compliance documentation.

An In-depth Look at CRA Requirements

Essential Cybersecurity Requirements set out in Annex I: 

A. Essential Requirements for Product Properties (Part I): From the design process to production, manufacturers must ensure adequate cybersecurity based on identified risks. Key requirements include Secure by Design/Default and Access Control. 

B. Essential Requirements for Vulnerability Handling (Part II): Manufacturers must ensure that vulnerabilities are handled effectively throughout the support period. The support period must reflect the time the product is expected to be in use, and is at least five years unless the product is expected to be in use for a shorter time.

Timeline of the Cyber Resilience Act showing three key dates: December 10, 2024 - Regulation enters into force. September 11, 2026 - Mandatory vulnerability reporting begins. December 11, 2027 - Full CRA compliance required.

CRA Timeline and Deadlines

The CRA is being implemented in phases to give manufacturers time to adapt. The regulation entered into force on December 10, 2024, beginning a multi-year phase-in. A key interim deadline is September 11, 2026, when the reporting obligations for actively exploited vulnerabilities and severe incidents become mandatory. The critical date for compliance is December 11, 2027, by which all in-scope products (PwDE) placed on the EU market must fulfill all CRA requirements.

Leveraging Our OT Expertise and Secure-by-design Practices to Build CRA Foundation

Our robust groundwork is built upon several foundational pillars designed to meet the essential security requirements of the CRA, leveraging our existing expertise, including the IEC 62443 framework.

An image symbolizing the EU Cyber Resilience Act.

Leveraging International Standards

We recognize that regulatory compliance is best achieved by using recognized international frameworks. Our strategy is built on the foundational requirements of the Cyber Resilience Act (CRA) and harmonised European standards.
•    IEC 62443 Alignment: Our secure development process and functional specifications align with IEC 62443-4-1 and 4-2, covering fundamental security requirements.
•    Harmonised Standards: We actively align with European organizations (CEN/CENELEC/ETSI) to adopt horizontal standards for general cyber-resilience and vertical standards for specific products.

A circular diagram illustrating the Moxa Secure Development Life Cycle process. It shows a continuous cycle with core stages, continuous improvements and security update management.

Adopting Secure Life-cycle Management

We employ a process-agnostic, risk-based approach to ensure "Secure by Design" is applied throughout the entire product life cycle.
•    Continuous Assessment: Products undergo documented cybersecurity risk assessments during the planning, design, production, and maintenance phases.
•    Supply-chain Security: We exercise strict due diligence when integrating third-party and open-source components to prevent compromise.
•    Sustainable Support: We ensure secure update mechanisms are in place, providing users with security updates without delay for the defined support period.

Flowchart showing the Moxa PSIRT coordinating vulnerability information between security researchers, government CERT organizations, and its customers.

Responsive Vulnerability Handling

To meet the rapid incident reporting requirements of the CRA, we have a dedicated Product Security Incident Response Team (PSIRT) focused on the long service life of industrial equipment.
•    Global Frameworks: Our operations follow ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling), the same reference standards cited by the CRA.
•    Coordinated Response: We use the FIRST PSIRT Services Framework to reliably handle reported vulnerabilities and issue advisories.
•    Long-term Focus: Our processes support industrial equipment that is expected to operate securely for decades.

A security shield with the Moxa logo, illustrating three core security features: secure default configurations, robust authentication mechanisms, and tools for timely patch deployment and management.

Security Controls and Documentation

We maintain robust, audit-ready evidence of our security posture while ensuring our products are designed with features that enable secure operation for our customers.
•    User Transparency: Products include clear information on intended use, support end-dates, and contact points for vulnerability reporting.
•    Built-in Defense: Devices feature robust authentication, secure default configurations, and tools for timely patch deployment.

Frequently Asked Questions

The EU Cyber Resilience Act (CRA) is a European Union regulation that establishes mandatory cybersecurity requirements for all products with digital elements (including both hardware and software) sold in the EU market. It aims to ensure these products maintain a high level of security throughout their entire life cycle.

The CRA applies to all products with digital elements, including connected hardware (e.g., smartphones, IoT devices, routers) and software (e.g., operating systems, applications, software libraries), as long as they can connect directly or indirectly to a device or network. The scope excludes certain products already covered by sector-specific EU legislation, such as medical devices and motor vehicles, as well as free and open-source software that is not supplied in the course of a commercial activity. Moxa's portfolio of industrial communication devices falls within the scope of the CRA, covering key categories such as industrial secure routers, Ethernet switches, serial device servers, and network management software.

Manufacturers must conduct a cybersecurity risk assessment before placing a product on the market, ensure the product meets the essential cybersecurity requirements, and provide security updates and vulnerability handling throughout the product's support period. They are also required to prepare technical documentation, perform a conformity assessment, affix the CE marking, and report actively exploited vulnerabilities and severe incidents to the relevant authorities.

CRA harmonised standards are European standards developed by the recognized European Standardization Organizations (ESOs) (CEN, CENELEC, and ETSI), following a request from the European Commission. These standards are crucial for implementing the Cyber Resilience Act (CRA) because they translate the essential cybersecurity requirements set out in the Regulation into detailed technical specifications. The standardization work is in progress, building on existing international and European standards. The availability of the horizontal standards is expected by August 2026, and the vertical standards by October 2026. (Source: www.cencenelec.eu)

Manufacturers must report vulnerabilities and incidents from September 11, 2026, and all other CRA requirements (including pre-market compliance) come into effect December 11, 2027.

Companies might be fined heavily if they fail to adhere to the CRA. For the most serious infringements, penalties can be up to €15 million or 2.5% of the company's total worldwide annual turnover—whichever is higher. Lower fines are in place for other violations.

The CRA and NIS2 Directive both aim to improve cybersecurity in Europe, but their focuses differ. NIS2 emphasizes network and information system security for critical infrastructure and essential service providers. The CRA focuses on ensuring the security of the digital products themselves, incorporating security considerations from the design phase onward.

An SBOM (Software Bill of Materials) is like an ingredients list for software, detailing the software components and libraries used in a product. The CRA requires manufacturers to produce an SBOM covering at least the top-level dependencies of the product, in a commonly used machine-readable format, to facilitate vulnerability handling; it does not currently mandate that the SBOM be made public. The SBOM forms part of the technical documentation and must be made available to notified bodies and market surveillance authorities upon request to facilitate regulatory enforcement.
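As an added illustration of how an SBOM supports vulnerability handling (example code written for this page, not Moxa's own tooling): the script below loads a constructed CycloneDX-style SBOM for a hypothetical firmware image and checks each listed component's version against a constructed advisory list. The package names, versions and EXAMPLE-* identifiers are placeholders, not real advisories, and the version comparison is a simple numeric/alphabetic split rather than a full semantic-versioning implementation.

```python
"""Match a CycloneDX-style SBOM against a list of known-vulnerable versions.

Added example, not Moxa's code. The SBOM and the advisory feed are constructed
inline; names, versions and EXAMPLE-* identifiers are placeholders.
"""
import json
import re

# Constructed CycloneDX 1.5-style SBOM for a hypothetical firmware image.
# Only top-level dependencies are listed, the minimum the CRA requires.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "firmware", "name": "example-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1w", "purl": "pkg:generic/openssl@1.1.1w"},
    {"type": "library", "name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs). Affected range is
# [introduced, fixed): the fixed version itself is not affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "zlib",    "introduced": "0",      "fixed": "1.2.12"},
    {"id": "EXAMPLE-0002", "name": "openssl", "introduced": "3.0.0",  "fixed": "3.0.8"},
    {"id": "EXAMPLE-0003", "name": "busybox", "introduced": "1.35.0", "fixed": "1.36.0"},
]


def version_key(version):
    """Turn a version string into a comparable tuple.

    Numeric pieces compare numerically, alphabetic pieces (e.g. the 'w' in
    1.1.1w) lexically. A shorter prefix sorts before a longer one, so
    "1.2" < "1.2.0"; good enough for this illustration, not a full SemVer.
    """
    parts = []
    for piece in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key ordering."""
    key = version_key(version)
    return version_key(introduced) <= key < version_key(fixed)


def load_components(sbom_json):
    """Parse the SBOM and return (name, version) pairs for every component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unexpected SBOM format: %r" % bom.get("bomFormat"))
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_sbom(sbom_json, advisories):
    """Return (component, version, advisory_id) for each component whose
    version falls inside an advisory's affected range."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in match_sbom(SBOM_JSON, ADVISORIES):
        print("%s %s: affected by %s" % (name, version, adv_id))
```

Run as-is, the script reports only zlib 1.2.11 (below the hypothetical fix in 1.2.12); openssl 1.1.1w is outside the 3.0.x range of EXAMPLE-0002 and busybox 1.36.1 is at or above the hypothetical fix in 1.36.0. In practice the advisory feed would be a real vulnerability database keyed by purl or CPE, and the matching result is what drives the manufacturer's patch and advisory decisions during the support period.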
