Vulnérabilité produit : un sujet que les Product Managers ne peuvent plus ignorer
À l’ère des produits connectés, des systèmes embarqués et des nouvelles exigences réglementaires. Qu’est-ce qu’une…
The CRA directly concerns companies that select, integrate, or deploy IT equipment and industrial networks. The CRA particularly strengthens requirements related to security from the design stage, to vulnerability management, to support duration, to technical documentation, and to product tracking throughout their lifecycle.
Even though it primarily applies to products made available on the European market, its impact will be broader. It will progressively influence the choice of equipment, expectations towards suppliers, and documentation practices.
Discover below what the CRA entails, its stakes for industrial environments, and its influence on your future product choices.
Effective Date
December 10, 2024
Regulation is already active at the European level
Disclosure requirement
September 11, 2026
The obligation to report serious vulnerabilities and incidents comes into effect
All obligations
December 11, 2027
Complete application of all the rules of the CRA
The Cyber Resilience Act aims to enhance the cybersecurity of products containing digital elements marketed within the European Union.
Specifically, it requires manufacturers to integrate cybersecurity from the product design stage and to consider it throughout its entire lifecycle. It should no longer be viewed as an added option afterwards.
These requirements are directly linked to compliance assessment, technical documentation, and CE marking necessary before the market launch of the affected products.
The CRA applies particularly to connected devices, embedded systems, communication gateways, industrial PCs, Panel PCs, routers, switches, and Edge platforms integrating software functions.
For companies that select and purchase these devices, this should translate into clearer security information, defined support durations, and better vulnerability support from manufacturers.
The CRA, a prerequisite for CE marking for digital products.
The Cyber Resilience Act applies to most hardware and software products with digital elements marketed in the European Union. It concerns products whose intended or reasonably foreseeable use involves a direct or indirect connection to a device or network, whether logical or physical.
Industrial PCs, embedded computers, Panel PCs, Edge systems, industrial servers, single-board systems, and control platforms incorporating software functions.
Industrial Ethernet switches, routers, gateways, cellular routers, remote access solutions, and connected communication hardware.
Supervision software, SCADA platforms, control-command applications, equipment management software, remote maintenance solutions, configuration tools, industrial data management systems, and Edge or IoT platforms.
The obligations to anticipate depend on your role in the value chain: product selection, integration, development, marketing under your own brand or launching on the European market.
In all cases, cybersecurity, support duration, technical documentation, and vulnerability management are increasingly important in the choice of equipment and project preparation.
Your company may notably need to:
Preparing for the requirements of the Cyber Resilience Act involves carefully assessing the security level of the solutions you select, integrate, and deploy. Integral System supports you in choosing IT and network solutions with solid security foundations from their design. The goal is to facilitate their integration into your projects and better anticipate future compliance requirements.
As part of the Cyber Resilience Act, the choice of hardware and its manufacturer becomes essential. The integrated security features of the product, the duration of support, the availability of updates, and the manufacturer's ability to address vulnerabilities will have a direct impact on compliance and the sustainability of projects.
This vigilance concerns all stakeholders in the value chain: integrators, OEMs, machine builders, solution publishers, engineering firms, operators of industrial sites, or companies deploying connected equipment.
A high-performing piece of equipment from a technical standpoint is no longer sufficient. It is also necessary to verify the manufacturer's cybersecurity policy, their commitments regarding support, their vulnerability management procedures, and the documentation they will be able to provide.
That is why Integral System relies on recognized industrial partners, already engaged for several months in their preparation for the CRA. These manufacturers are particularly focused on securing their products, improving their development processes, managing updates, documenting compliance, and tracking vulnerabilities throughout the lifecycle.
Submit a Linux image for free to the Exein Analyzer. From the generated summary report, our cybersecurity experts will help you decode the results.
Integral System supports its clients in the selection of industrial PCs, Panel PCs, embedded systems, servers, gateways, routers, switches, and Edge platforms adapted to their technical, industrial, and regulatory constraints.
Our role is to help you to:
Choosing the right equipment and the right partners today helps reduce future adaptations and better prepares your projects for the CRA requirements.
Your quote is empty.