On October 10, the EU adopted the Cyber Resilience Act (CRA), which sets minimum requirements for the security of connected devices. Fraunhofer IEM has three tips on what companies should do now to prepare for the CRA.
In its Secure Engineering Lab in Paderborn, Fraunhofer IEM supports companies in adapting their processes and products to the new EU directives.
(Image: Fraunhofer IEM)
The Cyber Resilience Act (CRA) has long been announced, and now it's official: it was passed on October 10, 2024. As a result, starting from November 2027, a new set of EU-wide minimum security requirements will apply to a wide range of connected devices and their software, with vulnerability reporting obligations even taking effect in August 2026. Product manufacturers are particularly called upon to ensure their products meet the security criteria for the European market, with few exceptions, irrespective of the industry. For many years, the Fraunhofer IEM has been developing security measures with companies such as Adesso Mobile Solutions, Connext, Phoenix Contact, and Kraft Maschinenbau, and it offers advice on how businesses can prepare for the CRA.
"The transition period until the CRA must be fully complied with by 2027 is short. Companies need to reorganize in many areas—starting from conducting security risk analyses to short-term reporting obligations when vulnerabilities are discovered, and providing free security updates during the expected lifetime of the product. Procrastination is not an option, as non-compliance with the CRA could result in multi-million euro fines," explains Dr. Matthias Meyer, Head of Software Engineering and IT Security at Fraunhofer IEM.
The research institute recommends that companies take three actions now to begin the path towards CRA-compliant product development. "Quick response to the discovery of vulnerabilities and systematic risk analyses are essential measures to meet CRA requirements: Companies that address these measures now are well on their way. Additionally, a current state analysis in terms of products and processes provides clarity for further action," emphasizes Meyer.
1. Establish a rapid response team for emergencies
When manufacturers become aware that vulnerabilities in their products are being exploited, they will, in the future, inform the European Union Agency for Cybersecurity (ENISA): Within 24 hours they must issue an initial alert, and within 72 hours provide further details on the nature of the vulnerability, possible countermeasures, and more. Moreover, they must be continuously available for individuals wanting to report security gaps and must keep track of whether vulnerabilities become known in any software components supplied. These are among the responsibilities of a Product Security Incident Response Team (PSIRT). Manufacturers who have not yet established a PSIRT should urgently do so, as these obligations must be met by June 2026 for all products on the market, including those launched long before the CRA came into effect.
2. Conduct systematic threat and risk analyses
At its core, the CRA requires manufacturers to regularly analyze their products for security risks and to integrate security measures tailored to those risks. Companies must firmly embed threat and risk analyses for all products into the development process: in this way they systematically identify threats, assess the respective security risks, and derive informed, targeted protective measures and countermeasures. As a result, the security level of the software can be continuously and appropriately raised. Development teams gain a new awareness of security, and costly but unnecessary measures can even be avoided.
3. Overview through current state analysis
While the first two measures are important, they will not be sufficient: Companies need to understand which requirements of the CRA they meet, both in terms of their processes throughout the product lifecycle and the actual products themselves. Although there are no harmonized standards for the CRA yet, there is a consensus among experts that the existing standard for industrial cybersecurity, IEC 62443, provides very good guidance. Therefore, companies do not need to wait; they can already perform current state analyses for their processes and products, derive measures, and thus gain valuable time in the implementation of the CRA.
Collaboration with Phoenix Contact, Miele, and other companies
The expertise of Fraunhofer IEM is based on many years of project experience with companies.
In 2018, the scientists at Fraunhofer IEM helped Phoenix Contact become one of the first companies to be certified according to the cybersecurity standard IEC 62443-4-1 by developing a tailored method for threat and risk analysis specific to the company.
Since then, Fraunhofer IEM has further developed the method and applied it in numerous threat analysis workshops and training sessions, for example with Kraft Maschinenbau. "We benefit not only from a risk assessment for our products. During the workshop with Fraunhofer IEM, our employees also learned a systematic approach for future threat analyses and increased their security awareness," says Managing Director Jörg Timmermann.
To ensure that its durable products remain secure after market launch, Miele set up its own PSIRT team in 2021 in collaboration with Fraunhofer IEM. Through stakeholder interviews, they were able to build on existing company processes and create clearly defined process interfaces.
Date: 08.12.2025
In preparation for the industrial cybersecurity standard IEC 62443, KEB assessed the current state of its development processes. Fraunhofer IEM conducted interviews with executive managers and safety experts from the company and assisted KEB in planning further necessary activities for implementing the standard, estimating the effort required, and systematically advancing compliance with the standard.
To ensure that all employees involved in software development stay up-to-date and continuously improve their software development skills, Fraunhofer IEM also collaborates in the area of employee training, for example with Adesso Mobile Solutions and Connext. Both companies have been using Security Champions for years as multipliers for the topic of cybersecurity in their software development.