CRA Compliance for Industrial Automation: IEC 62443 Alignment and OT Security Guide

How the CRA applies to industrial automation and OT products. Covers IEC 62443 alignment, Important Class II classification, and practical compliance for PLCs, SCADA, and industrial IoT.

CRA Evidence Team
Author
January 8, 2026
Updated February 25, 2026, 12:00:00 AM UTC
12 min read

Industrial automation products face specific CRA challenges because of their role in manufacturing, energy and infrastructure. Whether such a product counts as an "important" product (Annex III, Class I or II) depends on the security-related functions it embeds, for example a firewall, a VPN, an operating system or a tamper-resistant microcontroller, not on the sector it is sold into; Class II products need third-party conformity assessment. Fortunately, the well-established IEC 62443 series provides a strong technical foundation for the CRA's essential requirements.

This guide covers CRA compliance for industrial automation manufacturers.

Summary

  • Some industrial automation products are Important Class I or II, not because of the sector but because of a security function they embed (router/switch, VPN, firewall or IDS/IPS, operating system, secure microcontroller); Class II always requires third-party assessment
  • IEC 62443 certification significantly supports CRA compliance (not automatic equivalence)
  • OT environments have unique update and lifecycle challenges
  • The support period must reflect the expected time in use, with a 5-year minimum; plan product lifecycles accordingly
  • SBOM requirements apply to industrial control systems
  • Safety-security integration is critical (IEC 62443 + IEC 61508/ISO 13849)

Which Industrial Products Are Covered?

CRA Scope for Industrial Automation

The CRA applies to "products with digital elements" placed on the EU market. For industrial automation, this includes:

Clearly in scope:

  • PLCs (Programmable Logic Controllers)
  • Industrial PCs and HMIs
  • SCADA software
  • DCS systems
  • Industrial IoT sensors and gateways
  • Industrial routers and switches
  • Remote access solutions
  • Engineering workstations and software

Out of scope or exempt:

  • Products developed or modified exclusively for national security or defence purposes
  • Spare parts made available to replace identical components and built to the same specifications as the part they replace
  • Products already covered by sector rules with equivalent cybersecurity requirements (medical devices, vehicles, civil aviation, marine equipment)

A custom-built or one-off system is not a spare part: if it is supplied in the course of a commercial activity it is a product with digital elements like any other.

CRA Classification for Industrial Products

The CRA does not classify by sector. Annex III lists product categories by function, and a product is "important" only if it is, or embeds, one of those categories. Everything else is in the default category, whatever industry it serves:

INDUSTRIAL AUTOMATION CRA CLASSIFICATION

CRITICAL (Annex IV; European cybersecurity certification where an implementing act mandates it, otherwise assessed like Class II):
- Hardware devices with security boxes (industrial HSMs)
- Smart meter gateways within smart metering systems
- Smartcards and secure elements

IMPORTANT CLASS II (Annex III; third-party assessment required):
- Firewalls, intrusion detection and prevention systems (industrial firewalls, OT IDS/IPS appliances)
- Hypervisors and container runtime systems (virtualised PLC or edge platforms)
- Tamper-resistant microprocessors and microcontrollers

IMPORTANT CLASS I (Annex III; self-assessment possible when harmonised standards or common specifications are applied in full):
- Routers, modems and switches, industrial ones included
- Products with a VPN function (remote access solutions)
- Operating systems, including an RTOS sold as a product
- Network management systems, SIEM systems
- Microprocessors, microcontrollers, ASICs and FPGAs with security-related functionalities
- Identity management and access control systems, including physical access readers
- Physical and virtual network interfaces, boot managers, PKI software

DEFAULT CATEGORY (self-assessment):
- PLCs, DCS controllers, HMIs, industrial PCs, SCADA/DCS software, engineering tools
- Industrial IoT sensors and gateways
- Any product above that embeds none of the Annex III functions

A PLC that ships with an embedded VPN server, a firewall or a general-purpose operating system is pulled into the class of that function. The Commission's 2022 proposal listed industrial automation and control systems and industrial IoT devices intended for NIS 2 essential entities as Class II; that entry did not survive into the adopted Annex III.

VERIFY WITH PRIMARY SOURCE: Classification depends on specific product capabilities. Consult Annexes III and IV of Regulation (EU) 2024/2847 for the definitive lists.

IEC 62443 and CRA Alignment

What Is IEC 62443?

IEC 62443 is the international standard series for Industrial Automation and Control Systems (IACS) security. It covers:

  • IEC 62443-4-1: Secure development lifecycle
  • IEC 62443-4-2: Component security requirements (4 Security Levels)
  • IEC 62443-3-3: System security requirements
  • IEC 62443-2-4: Service provider requirements

IEC 62443 ↔ CRA Mapping

CRA essential requirement      IEC 62443 coverage                         Gap?
----------------------------   ----------------------------------------   -------------------------------------------------------------
Secure by default              4-2 (SL capabilities)                      Partial: 4-2 defines capabilities, CRA requires them shipped enabled
Vulnerability handling         4-1 (DM practice), 2-4 (maintenance)       Good alignment; CRA adds reporting deadlines
Security updates               4-1, 2-4                                   Aligned on process; CRA adds a support period
No known vulnerabilities       4-1 (vulnerability management)             Process aligned
Data protection                4-2 (confidentiality)                      Partial
Access control                 4-2 (identification, authentication)       Strong alignment
Cryptography                   4-2 (use of cryptography)                  Good alignment
Audit logging                  4-2 (audit log, timely response)           Good alignment
Update capability              4-2 (software update)                      Aligned
SBOM                           Not required by IEC 62443                  Gap
CE marking / DoC               Not in IEC 62443                           Gap
Support period (5-year min.)   Not specified                              Gap: 4-1 requires an update process, not a duration

IEC 62443 as Foundation, Not Equivalence

Important: IEC 62443 certification does NOT automatically mean CRA compliance.

What IEC 62443 provides:

  • Strong technical security foundation
  • Mature security development lifecycle
  • Well-documented security capabilities
  • Evidence for conformity assessment

What CRA adds beyond IEC 62443:

  • SBOM requirements (new)
  • Mandatory reporting of actively exploited vulnerabilities and severe incidents to the coordinator CSIRT and ENISA through the single reporting platform (24h early warning, 72h notification, final report)
  • CE marking and EU Declaration of Conformity
  • Support period tied to the expected product lifetime, with a 5-year minimum
  • Prescribed content for the technical documentation (Annex VII) and for user information (Annex II)
  • Market surveillance and corrective-action obligations

Leveraging IEC 62443 for CRA

IEC 62443 → CRA COMPLIANCE APPROACH

IF you have IEC 62443-4-1 certification:
 Reuse SDL documentation for CRA technical file
 Demonstrate "secure development lifecycle"
 Evidence for risk assessment approach

IF you have IEC 62443-4-2 certification:
 Reuse security capability documentation
 Map Security Level to CRA essential requirements
 Evidence for security functions implementation

ADDITIONAL FOR CRA:
[ ] Add SBOM generation to your process
[ ] Implement ENISA reporting capability
[ ] Document 5-year support commitment
[ ] Prepare EU Declaration of Conformity
[ ] Apply CE marking

OT-Specific Compliance Challenges

Update and Patching Challenges

Industrial environments have unique constraints on updates:

Challenges:

  • 24/7 operations with no maintenance windows
  • Safety system revalidation after updates
  • Legacy system integration
  • Air-gapped or semi-connected environments
  • Long qualification cycles

CRA Requirements Still Apply:

  • Security updates must be provided for the whole support period (at least 5 years, longer if the product is expected to be in use longer)
  • There must be a secure mechanism to distribute updates, and updates must be distributed without delay and free of charge, unless otherwise agreed with a business user for a tailor-made product
  • Annex I expects automatic installation of security updates as a default setting, with an opt-out, "where applicable"; for an OT product you will typically argue that operator-scheduled installation is the applicable mode, and document why
  • Vulnerabilities must be addressed and remediated without delay

Practical Approaches:

OT UPDATE STRATEGY FOR CRA

1. STAGED ROLLOUT:
   - Test environments first
   - Pilot production lines
   - Full rollout with monitoring

2. UPDATE SCHEDULING:
   - Coordinate with planned maintenance
   - Provide advance notice (weeks/months)
   - Support scheduled update cycles

3. OFFLINE DELIVERY:
   - USB-based update packages
   - Update servers within OT network
   - Secure file transfer mechanisms

4. SAFETY REVALIDATION:
   - Document update impact on safety functions
   - Provide revalidation guidance
   - Consider safety-security co-engineering
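
An offline update package that covers the "secure file transfer" and "safety revalidation" points above, as an added example in Go (not code from the original article or from any product it names): the manufacturer signs a manifest with an Ed25519 key; the manifest carries the SHA-256 of the firmware payload, the compatible hardware revisions and a flag saying the update touches a safety function; the device-side check verifies the signature before parsing anything, compares the payload hash, rejects images for other products or revisions, and rejects downgrades so that a genuine but older package cannot reintroduce a vulnerability that was already fixed. Product name, versions, hardware revisions and payload bytes are constructed, and the key pair is generated at run time; a real product keeps the signing key in an HSM and the public key in the device's immutable storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the signed part of the package: everything the device decides on is in here.
type Manifest struct {
	Product       string   `json:"product"`
	Version       string   `json:"version"`
	PayloadSHA256 string   `json:"payload_sha256"`
	HardwareRevs  []string `json:"hardware_revs"`
	SafetyImpact  bool     `json:"safety_impact"` // touches a safety function: revalidate before use
}

// Package is what travels on the USB stick or through the file gateway.
type Package struct {
	ManifestJSON []byte
	Signature    []byte // Ed25519 over ManifestJSON
	Payload      []byte
}

type DeviceState struct {
	Product, HardwareRev, InstalledVersion string
}
var ErrRejected = errors.New("update rejected")

// BuildPackage runs at the manufacturer: hash the image, then sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, m Manifest, payload []byte) (Package, error) {
	sum := sha256.Sum256(payload)
	m.PayloadSHA256 = hex.EncodeToString(sum[:])
	mj, err := json.Marshal(m)
	if err != nil {
		return Package{}, err
	}
	return Package{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// VerifyPackage runs on the device or engineering tool before anything is written to flash.
// Signature first, so that no unauthenticated field is ever parsed or acted on.
func VerifyPackage(pub ed25519.PublicKey, p Package, dev DeviceState) (Manifest, error) {
	if !ed25519.Verify(pub, p.ManifestJSON, p.Signature) {
		return Manifest{}, fmt.Errorf("%w: bad manifest signature", ErrRejected)
	}
	var m Manifest
	if err := json.Unmarshal(p.ManifestJSON, &m); err != nil {
		return Manifest{}, fmt.Errorf("%w: %v", ErrRejected, err)
	}
	sum := sha256.Sum256(p.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return Manifest{}, fmt.Errorf("%w: payload hash mismatch", ErrRejected)
	}
	if m.Product != dev.Product || !contains(m.HardwareRevs, dev.HardwareRev) {
		return Manifest{}, fmt.Errorf("%w: not built for %s rev %s", ErrRejected, dev.Product, dev.HardwareRev)
	}
	// Anti-rollback: a genuine but older image would reintroduce vulnerabilities already fixed.
	if compareVersions(m.Version, dev.InstalledVersion) <= 0 {
		return Manifest{}, fmt.Errorf("%w: %s is not newer than installed %s", ErrRejected, m.Version, dev.InstalledVersion)
	}
	return m, nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// compareVersions orders "major.minor.patch" numerically, so 4.10.0 sorts after 4.9.1.
func compareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < 3 && i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // real products: HSM-held key, public key burned into the device
	pkg, _ := BuildPackage(priv, Manifest{Product: "PLC-1000", Version: "4.2.1", HardwareRevs: []string{"B", "C"}, SafetyImpact: true}, []byte("constructed firmware image"))
	m, err := VerifyPackage(pub, pkg, DeviceState{"PLC-1000", "C", "4.2.0"})
	fmt.Println(err, m.Version, m.SafetyImpact) // <nil> 4.2.1 true: accepted, operator must revalidate safety functions
}
```

The order of checks is the point: the signature gates every later decision, the hash ties the payload to the signed manifest, and the version comparison turns "validly signed" into "validly signed and not a rollback". The version comparison is deliberately simple (three numeric fields); a product with pre-release or build tags needs its own ordering rule, written down in the technical file.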

Long Product Lifecycles

Industrial products often have 15-20+ year lifecycles. The CRA minimum support period is 5 years, but the regulation ties the support period to the time the product is expected to be in use, so for a controller marketed with a 15-year service life a 5-year support period needs a justification that will hold up under market surveillance.

Lifecycle Planning:

INDUSTRIAL PRODUCT LIFECYCLE + CRA

Year 1-5:   Active sales + CRA support period (absolute minimum)
Year 5-10:  Extended support (security updates continue if the declared support period runs this long)
Year 10-15: Legacy support (limited updates; residual risk documented to the customer)
Year 15+:   End of life (customer responsibility, once the declared support period has ended)

CRA REQUIREMENTS:
- Support period of at least 5 years, counted from when the product is placed on the EU market
- Longer where the product is expected to be in use for longer; reasonable user expectations and the nature of the product count
- Each security update issued during the support period must stay available for at least 10 years after issue, or for the rest of the support period, whichever is longer
- Plan the support period on the reasonable product lifetime, not on the minimum

Documentation Needs:

  • Clearly communicate support period at purchase
  • Provide end-of-support date
  • Document customer responsibilities post-support

Safety-Security Integration

Industrial products often carry safety requirements (SIL per IEC 61508, Performance Level per ISO 13849). CRA adds security requirements on top, and the two have to be engineered together: a security control that can trip a safety function, or a safety bypass that can be reached without authentication, fails both.

Integration Approach:

SAFETY + SECURITY CO-ENGINEERING

Safety Standards:          Security Standards:
IEC 61508 (Functional)     IEC 62443 (Industrial)
ISO 13849 (Machinery)      CRA (EU Regulation)

INTEGRATION POINTS:
1. Risk Assessment:
   - Combined safety/security threat modeling
   - Security threats to safety functions

2. Requirements:
   - Safety requirements (SIL 1-4 per IEC 61508, PL a-e per ISO 13849)
   - Security requirements (SL 1-4)
   - No security measure shall compromise safety

3. Validation:
   - Safety validation
   - Security testing
   - Combined scenario testing

4. Change Management:
   - Safety revalidation for security patches
   - Security assessment for safety changes

SBOM for Industrial Systems

Component Identification Challenges

Industrial products often contain:

  • Real-time operating systems (RTOS)
  • Proprietary firmware
  • Third-party libraries (OPC UA, MQTT, Modbus stacks)
  • Hardware components with firmware

SBOM Strategy:

INDUSTRIAL SBOM APPROACH

SOFTWARE COMPONENTS:
- RTOS and kernel
- Protocol stacks (OPC UA, Modbus, EtherNet/IP, PROFINET)
- Security libraries (TLS, crypto)
- Third-party middleware
- Application software

FIRMWARE:
- Bootloader
- Device firmware
- Field-programmable components

DEPTH CONSIDERATIONS:
- CRA minimum: at least the top-level dependencies of the product
- Primary components: manufacturer-controlled, full detail
- Third-party: request SBOMs from suppliers and nest them under the component they describe
- Nested: go as deep as practically possible and state where the tree stops

FORMAT:
- CycloneDX or SPDX (both commonly used machine-readable formats; the Commission may fix format and depth by implementing act)
- Include PURL identifiers where available, so that vulnerability matching works
- Document custom/proprietary components explicitly: no PURL, but name, version and supplier

Supply Chain Complexity

Industrial products often have complex supply chains:

INDUSTRIAL SUPPLY CHAIN SBOM

TIER 1 (Your product):
- Your software/firmware
- Full SBOM required

TIER 2 (Direct suppliers):
- Third-party components
- Request SBOM from suppliers
- Include in your SBOM

TIER 3 (Sub-suppliers):
- Components within components
- Best effort inclusion
- Document known limitations

ACTION:
[ ] Update supplier agreements for SBOM requirements
[ ] Establish SBOM exchange format with suppliers
[ ] Create process for SBOM integration
[ ] Document supply chain limitations
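
The merge-and-audit step these two checklists describe, as an added example in Go (not code from the original article or from CRA Evidence): a tier-1 CycloneDX 1.5-style SBOM for a hypothetical PLC firmware, a constructed tier-2 SBOM of the kind a binary-only OPC UA stack supplier would deliver, a merge that nests the supplier's components (and their tier-3 dependencies) under the component they describe and refuses a supplier document for a different name or version, and an audit that lists components without a package URL (to be documented as proprietary) or without a named supplier. Manufacturer, vendor and product names and all version numbers are invented; the FreeRTOS and Mbed TLS package URLs follow the purl convention for GitHub-hosted projects, but the pinned versions are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Supplier struct{ Name string `json:"name"` }
type Metadata struct{ Component Component `json:"component"` }
// Component is the subset of a CycloneDX 1.5 component used here; nested Components mean "ships inside".
type Component struct {
	BomRef     string      `json:"bom-ref"`
	Type       string      `json:"type"` // firmware, operating-system, library, application
	Name       string      `json:"name"`
	Version    string      `json:"version"`
	Purl       string      `json:"purl,omitempty"` // absent for proprietary code
	Supplier   *Supplier   `json:"supplier,omitempty"`
	Components []Component `json:"components,omitempty"`
}

type BOM struct {
	BomFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Metadata    Metadata    `json:"metadata"`
	Components  []Component `json:"components"`
}

// BuildPLCSBOM is the tier-1 SBOM of a hypothetical PLC firmware image (all names and versions invented).
func BuildPLCSBOM() *BOM {
	acme := &Supplier{Name: "Acme Controls GmbH"} // hypothetical manufacturer
	return &BOM{BomFormat: "CycloneDX", SpecVersion: "1.5",
		Metadata: Metadata{Component: Component{BomRef: "plc-1000-fw", Type: "firmware", Name: "PLC-1000 firmware", Version: "4.2.0", Supplier: acme}},
		Components: []Component{
			{BomRef: "bootloader", Type: "firmware", Name: "PLC-1000 bootloader", Version: "2.1.0", Supplier: acme},
			{BomRef: "rtos", Type: "operating-system", Name: "FreeRTOS-Kernel", Version: "V10.6.2", Purl: "pkg:github/FreeRTOS/FreeRTOS-Kernel@V10.6.2", Supplier: &Supplier{Name: "FreeRTOS project"}},
			// binary-only third-party stack: its SBOM is requested from the supplier and merged in below
			{BomRef: "opcua", Type: "library", Name: "OPC UA server stack", Version: "3.4.1", Supplier: &Supplier{Name: "Example Stack Vendor Ltd"}},
			{BomRef: "modbus", Type: "library", Name: "Modbus/TCP stack", Version: "1.9.0", Supplier: acme},
		}}
}

// SupplierSBOMJSON is a constructed tier-2 SBOM as the OPC UA stack vendor might deliver it.
const SupplierSBOMJSON = `{"bomFormat":"CycloneDX","specVersion":"1.5",
 "metadata":{"component":{"bom-ref":"opcua-stack","type":"library","name":"OPC UA server stack",
  "version":"3.4.1","supplier":{"name":"Example Stack Vendor Ltd"}}},
 "components":[{"bom-ref":"mbedtls","type":"library","name":"mbedtls","version":"3.6.2",
  "purl":"pkg:github/Mbed-TLS/mbedtls@3.6.2","supplier":{"name":"Mbed TLS project"}},
  {"bom-ref":"asn1","type":"library","name":"ASN.1 codec","version":"1.2.0"}]}`

// MergeSupplierSBOM nests a supplier's SBOM under the component it describes. A document for
// another name or version is refused: matching CVEs against the wrong build is worse than no SBOM.
func MergeSupplierSBOM(target *Component, supplierJSON []byte) error {
	var sup BOM
	if err := json.Unmarshal(supplierJSON, &sup); err != nil {
		return fmt.Errorf("supplier SBOM: %w", err)
	}
	if sc := sup.Metadata.Component; sc.Name != target.Name || sc.Version != target.Version {
		return fmt.Errorf("supplier SBOM describes %s %s, product ships %s %s", sc.Name, sc.Version, target.Name, target.Version)
	}
	for i := range sup.Components { // bom-refs must stay unique within the merged document
		sup.Components[i].BomRef = target.BomRef + "/" + sup.Components[i].BomRef
	}
	target.Components = sup.Components
	return nil
}

// AuditReport lists what a Notified Body or a vulnerability scanner will trip over.
type AuditReport struct {
	Total      int
	NoPurl     []string // must be documented as proprietary components
	NoSupplier []string // nobody to contact about vulnerabilities in these
}

func Audit(bom *BOM) AuditReport {
	var r AuditReport
	var walk func(cs []Component)
	walk = func(cs []Component) {
		for _, c := range cs {
			r.Total++
			if c.Purl == "" {
				r.NoPurl = append(r.NoPurl, c.BomRef)
			}
			if c.Supplier == nil {
				r.NoSupplier = append(r.NoSupplier, c.BomRef)
			}
			walk(c.Components)
		}
	}
	walk(bom.Components)
	return r
}

func main() {
	bom := BuildPLCSBOM()
	if err := MergeSupplierSBOM(&bom.Components[2], []byte(SupplierSBOMJSON)); err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Audit(bom)) // {Total:6 NoPurl:[bootloader opcua opcua/asn1 modbus] NoSupplier:[opcua/asn1]}
}
```

The version check in the merge is the part most worth copying: a supplier SBOM for a neighbouring release will silently mis-report vulnerabilities for years, so refuse it rather than accept it as "close enough". The audit's NoPurl list is the set of components that need an explicit proprietary-component entry in the technical file, and NoSupplier is the set for which you have nobody to route a vulnerability notice to.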

Conformity Assessment for Industrial Products

Module B+C (EU-Type Examination)

For Important Class II industrial products, and for Class I products that cannot apply harmonised standards or common specifications in full (the alternative in both cases is Module H, full quality assurance):

MODULE B+C FOR INDUSTRIAL PRODUCTS

STEP 1: MODULE B (Type Examination)
Notified Body examines:
- Technical file completeness
- Risk assessment adequacy
- Security requirement coverage
- IEC 62443 certification (if available)
- SBOM quality
- Test results

DELIVERABLE: EU-Type Examination Certificate

STEP 2: MODULE C (Conformity to Type)
Manufacturer ensures:
- Production matches examined type
- Internal QA for production
- Documentation maintained

DELIVERABLE: EU Declaration of Conformity drawn up by the manufacturer, referencing the type-examination certificate; CE marking applied

Using IEC 62443 Certification

If you have IEC 62443-4-2 certification:

IEC 62443 CERTIFICATION → CRA PROCESS

PRESENT TO NOTIFIED BODY:
- IEC 62443-4-2 certificate
- Security Level achieved (SL 1-4)
- ISASecure certificate (if applicable)
- Evaluation report

NOTIFIED BODY ASSESSMENT:
- Recognizes IEC 62443 as evidence
- Verifies coverage of CRA requirements
- Identifies any gaps
- May reduce testing scope

ADDITIONAL EVIDENCE NEEDED:
- SBOM (not covered by IEC 62443)
- ENISA reporting capability
- 5-year support commitment
- User documentation

Industry-Specific Guidance

PLCs and Controllers

PLC/CONTROLLER CRA COMPLIANCE

CLASSIFICATION: Default category unless the controller embeds an Annex III function (VPN server, firewall, general-purpose operating system, tamper-resistant security MCU); then the class of that function applies

KEY REQUIREMENTS:
- Secure boot capability
- Encrypted communications (optional → default)
- Strong authentication
- Audit logging
- Firmware update mechanism
- SBOM for firmware and runtime

IEC 62443 ALIGNMENT:
- Use IEC 62443-4-2 SL2+ as baseline
- Document security capabilities
- Test security functions

SPECIAL CONSIDERATIONS:
- Real-time constraints vs. security processing
- Safety function protection
- Legacy protocol support (Modbus, etc.)

SCADA/DCS Software

SCADA/DCS SOFTWARE CRA COMPLIANCE

CLASSIFICATION: Default category for the SCADA/DCS application itself; bundled components such as a VPN, an operating system or a network management function carry their own Annex III class

KEY REQUIREMENTS:
- Secure architecture
- Role-based access control
- Encrypted communications
- Audit trail
- Update mechanism
- SBOM for all components

SPECIAL CONSIDERATIONS:
- Database security
- OPC UA security configuration
- Historian data protection
- Remote access security

Industrial IoT Gateways

INDUSTRIAL IoT GATEWAY CRA COMPLIANCE

CLASSIFICATION: Important Class I if the gateway routes or switches between networks or terminates a VPN; default category for a pure protocol-translation device

KEY REQUIREMENTS:
- Secure boot
- Network segmentation support
- Encrypted protocols (MQTT-TLS, etc.)
- Device authentication
- Firmware update mechanism
- SBOM

SPECIAL CONSIDERATIONS:
- Edge computing security
- Cloud connectivity security
- Protocol translation security
- Data filtering/validation

Practical Compliance Roadmap

Phase 1: Assessment (Now - Mid 2026)

INDUSTRIAL MANUFACTURER ASSESSMENT

PRODUCT INVENTORY:
[ ] List all products with digital elements
[ ] Classify per CRA categories
[ ] Identify Important Class II products

EXISTING CERTIFICATIONS:
[ ] List IEC 62443 certifications
[ ] Map to CRA requirements
[ ] Identify gaps

GAP ANALYSIS:
[ ] SBOM capability
[ ] Vulnerability reporting readiness
[ ] 5-year support planning
[ ] Documentation gaps

SUPPLIER ASSESSMENT:
[ ] Critical component suppliers
[ ] SBOM availability from suppliers
[ ] Supply chain CRA readiness

Phase 2: Preparation (Mid 2026 - Sept 2026)

PREPARATION PHASE

TECHNICAL:
[ ] Implement SBOM generation
[ ] Establish vulnerability handling process
[ ] Prepare ENISA reporting capability
[ ] Update product security baselines

DOCUMENTATION:
[ ] Technical file structure
[ ] Security documentation updates
[ ] User guidance for secure deployment
[ ] Support period communication

COMMERCIAL:
[ ] Support period definitions
[ ] Contract updates for customers
[ ] Pricing review (if compliance costs significant)

Phase 3: Compliance (Sept 2026 - Dec 2027)

COMPLIANCE PHASE

11 SEPTEMBER 2026 (reporting obligations apply):
[ ] Vulnerability and incident reporting operational (24h early warning, 72h notification, final report)
[ ] Access to the ENISA single reporting platform set up

THROUGH 2027:
[ ] Complete conformity assessments
[ ] Engage Notified Bodies (Important Class II, and Class I without harmonised standards)
[ ] Obtain EU-Type Examination certificates
[ ] Update all product documentation

11 DECEMBER 2027 (full application):
[ ] All products placed on the market from this date CRA compliant
[ ] CE marking applied
[ ] Customer communication complete

Products placed on the market before 11 December 2027 fall under the reporting obligations only, unless they are substantially modified after that date; a firmware release that adds a security-relevant function can be such a modification, so track it.

Industry Resources

Standards Bodies

RELEVANT STANDARDS ORGANIZATIONS

IEC (International Electrotechnical Commission):
IEC 62443 series
https://www.iec.ch

ISA (International Society of Automation):
ISA/IEC 62443 development
ISASecure certification program
https://www.isa.org

NAMUR (Process Industry Association):
NE recommendations for OT security
https://www.namur.net

NIST:
Cybersecurity Framework
SP 800-82 (OT security guide)
https://www.nist.gov

Industry Associations

Association       Focus                   Website
ZVEI (Germany)    Electrical industry     zvei.org
ORGALIM           European engineering    orgalim.eu
VDMA (Germany)    Machinery               vdma.org
GAMBICA (UK)      Industrial automation   gambica.org.uk
ODVA              Industrial networks     odva.org

Checklist for Industrial Automation

INDUSTRIAL AUTOMATION CRA CHECKLIST

PRODUCT CLASSIFICATION:
[ ] Classification determined (Default/Important I/Important II)
[ ] Conformity assessment path selected
[ ] Notified Body identified (if needed)

EXISTING CERTIFICATIONS:
[ ] IEC 62443-4-1 (SDL)
[ ] IEC 62443-4-2 (component security)
[ ] ISASecure certification
[ ] Mapped to CRA requirements

TECHNICAL COMPLIANCE:
[ ] Security-by-default configuration
[ ] Secure update mechanism
[ ] SBOM generation capability
[ ] Vulnerability handling process
[ ] ENISA reporting capability

DOCUMENTATION:
[ ] Technical file prepared
[ ] Risk assessment documented
[ ] Security architecture documented
[ ] User security guidance prepared

LIFECYCLE:
[ ] 5-year support period defined
[ ] Update delivery mechanism
[ ] End-of-life planning
[ ] Safety revalidation process for updates

SUPPLY CHAIN:
[ ] Supplier SBOM requirements
[ ] Component security assessment
[ ] Supply chain documentation

Important: Classification is by function, not by customer. The Commission's proposal would have made industrial automation products for NIS 2 essential entities Important Class II, but the adopted Annex III does not contain that category; what moves a PLC or gateway into Class I or II is an embedded firewall, IDS/IPS, VPN, router/switch, operating-system or tamper-resistant-microcontroller function.

Tip: IEC 62443 alignment gives you a head start on CRA compliance. Many requirements overlap, reducing your additional compliance burden.


How CRA Evidence Helps

CRA Evidence supports industrial automation manufacturers:

  • IEC 62443 mapping: Templates aligned with IEC 62443 structure
  • SBOM management: Support for industrial component tracking
  • Long lifecycle support: Documentation retention for industrial timelines
  • Vulnerability tracking: Industrial product vulnerability management
  • Compliance evidence: Evidence collection for Notified Body submission

Start your CRA compliance at app.craevidence.com.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
