Cyber Resilience Act (CRA) Compliance for Embedded Systems

The EU Cyber Resilience Act (CRA) fundamentally changes the rules for connected industrial devices. From 2027, manufacturers and component suppliers must demonstrate that products with digital elements meet defined cybersecurity requirements — or face market exclusion.

What the CRA Means for Embedded Systems

Many industrial devices — sensors, controllers, field devices, drives — fall directly within the CRA scope. This includes products that communicate via PROFINET, HART, CANopen, or Modbus. Security is no longer optional. It must be designed in, documented, and auditable.

The challenge: most embedded teams have deep Safety expertise (IEC 61508, IEC 62061) but limited experience with structured Security engineering. The CRA does not just require secure code — it requires a documented process, vulnerability management, and a Software Bill of Materials (SBOM).

Where Alsensio Helps

Alsensio supports manufacturers of industrial devices in becoming CRA-ready. Our specialists combine embedded software expertise with hands-on experience in functional safety and industrial security standards including IEC 62443.

  • Gap Analysis: We assess your current product and development process against CRA requirements and identify concrete action items.
  • Security Architecture: We design security concepts for your embedded system — tailored to your hardware, communication stack, and certification requirements.
  • Implementation: Our engineers implement security measures directly in your codebase — secure boot, encrypted communication, access control, and more.
  • SBOM and Documentation: We support the creation of audit-ready documentation including Software Bill of Materials as required by the CRA.
  • Safety and Security Integration: When your product is both safety-critical (IEC 61508) and CRA-relevant, we ensure that Safety and Security measures are consistent and do not conflict.

Why Safety Experience Matters for CRA

The CRA Security Class 1 requirements share structural similarities with functional safety standards: both require documented processes, defined responsibilities, and traceable evidence. Engineers with IEC 61508 experience understand this framework — and can apply it efficiently to Security.

Alsensio’s specialists are TÜV Rheinland certified Functional Safety Engineers with direct project experience in PROFINET, PROFIsafe, and industrial fieldbus communication. This combination makes us an effective partner for CRA compliance in complex industrial environments.

Relevant Standards and Frameworks

  • EU Cyber Resilience Act (CRA) — Regulation 2024/2847
  • IEC 62443 — Security for Industrial Automation and Control Systems
  • ETSI EN 303 645 — Cybersecurity for Consumer IoT
  • IEC 61508 — Functional Safety (where applicable)

Get in Touch

If you are planning a CRA compliance project or need to assess your current exposure, we are happy to discuss your situation in a short technical call. Contact us at s.schmidt@alsensio.de.