MITSUBISHI ELECTRIC Changes for the Better

Ready for the EU Cyber Resilience Act – with Mitsubishi Electric

The Cyber Resilience Act (CRA) is an EU regulation that sets binding security requirements for products with digital elements. The aim is to embed cybersecurity in hardware and software from the outset (“security by design”) and to deal with security gaps professionally throughout the entire product life cycle. The regulation applies uniformly in all EU member states.

The background for this is clear: production systems, manufacturing facilities, and IT-supported control systems are becoming increasingly networked. As soon as machines, control systems, or components are online and interacting with other systems, there is a potential risk of cyberattacks. While many security measures were previously voluntary, the new regulation makes them mandatory throughout Europe. This ensures that cybersecurity is not only recommended, but is a mandatory component of every digital product.

For operators of automation technology, this means new requirements, but also clear opportunities to secure systems in the long term.

What is the Cyber Resilience Act (CRA)?

  • First EU regulation for minimum standards in cybersecurity
  • Applies to all networked products on the EU market (hardware and software)
  • Uniform rules for all member states
  • Implementation will take place gradually

Aim: Companies must demonstrate that products have been designed securely and tested against threats, and that documented processes for vulnerability management are in place. This creates a high level of cyber resilience, which better protects companies against attacks, failures, and manipulation. This strengthens cyber security in the EU.

The Cyber Resilience Act is based on Regulation (EU) 2024/2847. It affects manufacturers, importers, and distributors of products with digital functions — from embedded systems and connected devices to software products and firmware. This means that the regulation affects almost all companies that provide digital products in the EU—from industrial automation manufacturers to cloud service providers.

Transparency is particularly important here: the regulation requires traceable documentation, secure software supply chains, and clearly defined reporting processes.

These standards not only increase security but also improve predictability for operators.

Period of application & transition periods of the Cyber Resilience Act

The regulation has been in force since December 11, 2024. The obligation to apply it begins after the transition period, giving manufacturers sufficient time to adapt their products, development processes, and documentation.

  • November 20, 2024: Publication of the legal text in the Official Journal of the EU
    The final version of the CRA appears in the European Official Journal and is thus officially published.
  • December 11, 2024: Entry into force of the Cyber Resilience Act
    The Cyber Resilience Act officially enters into force. The transition periods begin on this date.
  • September 11, 2026: Mandatory reporting of vulnerabilities and security incidents
    Companies must now report any vulnerabilities and security-related incidents in accordance with the CRA regulations.
  • December 11, 2027: Mandatory full compliance with the CRA for new products
    From this date, all new products placed on the market must meet all the requirements of the Cyber Resilience Act.

For manufacturers, this means:

Development, validation, and security processes should be adapted now. Operators also benefit — products developed in accordance with the Cyber Resilience Act receive security updates, patch management, and documented evidence for many years. This increases overall cyber resilience in production environments.

Which products fall under the CRA Regulation?

The regulation deliberately goes far: not only high-security products or highly critical systems, but almost all digital devices are subject to the rules. Even applications that run locally on a PC fall under the CRA requirements if they provide functions that process data, use interfaces, or can be networked. The CRA applies to almost all products with digital elements, for example:

  • hardware with embedded software,
  • networked devices (e.g., IoT hardware),
  • pure software products,
  • cloud-based or locally executed applications.

The key point is that as soon as a product has digital functions and is made available on the EU market, the CRA regulations apply, and with them requirements for security, updates, and the handling of vulnerabilities.

What will change for you as a customer – and how Mitsubishi Electric is responding

The EU Cyber Resilience Act (CRA) significantly increases the security requirements for industrial products. As a manufacturer, we are preparing intensively for this – so that you, as a customer, can continue to rely on secure, compliant, and future-proof automation solutions. For operators, this means greater security in everyday operation. Many companies today are confronted with a growing number of cyberattacks, with consequences ranging from unplanned plant downtime to manipulation or undetected data leaks. The Cyber Resilience Act raises the general level of security in the market. Products without verifiable cybersecurity will no longer be allowed to be sold in the future.

For our CRA-compatible products, this means specifically:

Security ex works

In future, our products will be developed according to the “secure by design” principle – with encrypted communication, minimized attack surface, and integrated vulnerability management. Mitsubishi Electric is thus not only complying with legal requirements, but also actively increasing the cyber resilience of production environments.

Secure default settings

We rely on “secure by default” – that means secure default settings, no weak default passwords, and hardware that can be updated.

Transparency & Verification

For CRA-compliant products, we will provide you with clear evidence of compliance in the future, including a declaration of conformity and, if necessary, test documentation. Operators and auditors will receive clear information about which components are included in the software and hardware, how updates are provided, and which security features are integrated. Audits will also become easier because uniform standards apply.

Quick response to security breaches

Identified vulnerabilities are reported via the official EU platform (EUVD)* and fixed as quickly as possible. This means you benefit from greater security and reliability.

Long-term support

We ensure that CRA-compliant products receive security updates and patch management throughout the entire support period—usually at least five years. This significantly increases cyber security, as the time between discovery and remediation of a vulnerability is critical for protection against attacks.

* European Union Vulnerability Database (EUVD): the database in which vulnerabilities for the EU are centrally reported and documented.

CRA compatibility of our products – transparency for your planning

The EU Cyber Resilience Act sets binding security standards for industrial products. Mitsubishi Electric is actively preparing to make many of our automation products CRA-compliant.

Our product range in the CRA check: Which products will be fully compliant in the future

The EU Cyber Resilience Act (CRA) sets binding security standards for industrial products. At Mitsubishi Electric, we are actively preparing to certify a large part of our product portfolio in accordance with IEC 62443-4-2.

We will soon provide information here about which of our products meet the requirements of the standard and which we will no longer be allowed to sell in the future due to the new cybersecurity regulations.

Mitsubishi Electric products that will not be CRA compliant

Not all existing product series will be fully CRA-compliant. One reason for this is technical limitations—in particular, hardware and design limitations of older generations. These cannot always be adapted to the new security requirements. For these series, we offer clear migration paths and long-term support so that you can modernize your systems in a timely and predictable manner.

There are no disadvantages for operators. Spare parts remain available and service processes continue. In addition, solutions are offered to gradually update systems and ensure the security of the equipment. The Cyber Resilience Act does not force the market to make abrupt replacements, but rather creates a long-term and predictable transition.

Why the CRA is relevant for manufacturers and suppliers

Cyberattacks on industrial companies have increased significantly in recent years. Many attacks are not directed at the network itself, but at software, firmware, or other components of the supply chain.

This is precisely why the EU regulation on cybersecurity sets clear guidelines that suppliers and manufacturers must comply with.


The Cyber Resilience Act not only influences technical product design, but also market position, liability risks, and cooperation within the supply chain.

Companies that act early secure advantages over their competitors and reduce future costs.

Market and competitive implications

With the CRA, cybersecurity is becoming a mandatory quality criterion for products with digital elements.

The mandatory security standards are making the market more transparent. Companies that invest early on build trust and increase their competitiveness. Operators prefer products that are proven to be secure and contain active cybersecurity mechanisms.

For manufacturers and suppliers, this means:
  • Products that are not CRA-compliant may lose their market access or be certified late.
  • Customers prefer products with verifiable security and clear documentation.
  • Companies that invest early in secure development and update processes increase their competitiveness and reduce time-to-market risks.

Risk, liability, and supply chain aspects

The supply chain is an essential part of modern production. Software libraries, open-source packages, or external modules may contain vulnerabilities. With the Cyber Resilience Act, manufacturers must document which components are used and how they are protected. These requirements increase the cyber resilience of the entire industrial value chain.

The CRA therefore requires:

  • clear responsibilities and reporting channels for vulnerabilities,
  • secure updates,
  • technical documentation, and transparency about the components used.

Manufacturers and suppliers who do not meet these requirements risk:

  • security incidents,
  • recall or repair costs,
  • reputational damage,
  • and liability consequences.

Benefits of proactive implementation of CRA guidelines

Early preparation reduces effort and costs in the product life cycle. This increases product quality, plant safety, and operational predictability. Companies that implement CRA-compliant solutions before 2027 will benefit from long-term stability, higher security, and lower risk of failure.

Companies benefit from:

  • automated processes for SBOM maintenance,
  • clear guidelines for suppliers and external developers,
  • faster certifications,
  • better auditability for customer requirements.

In addition, a robust security architecture strengthens the trust of business partners and facilitates access to tenders or regulated industries.

FAQ

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation that introduces mandatory cybersecurity requirements for products with digital elements.

Manufacturers must consider security early on in the development process (“security by design”), provide secure updates, handle vulnerabilities responsibly, maintain a software bill of materials (SBOM), and keep technical documentation on hand. The goal is to make products in the EU more secure in the long term and protect users from cyber risks.

Has the Cyber Resilience Act already been passed?

Yes.

The Cyber Resilience Act was formally adopted and has been in force since December 11, 2024. It is therefore legally binding EU law.

What is the difference between NIS2 and the Cyber Resilience Act?

NIS2:

  • Directive for operators of essential or important services (e.g., energy, health, transportation, administration).
  • Focus: organizational IT security, risk management, incident reporting, supply chain security.
  • Applies to companies that operate critical or important services.

Cyber Resilience Act:

  • Regulation for manufacturers, importers, and distributors of products with digital elements, including software, IoT devices, or embedded systems.
  • Focus: secure product development, SBOM, vulnerability management, secure updates, technical documentation.
  • Applies to products provided on the EU market.

In short:

  • NIS2 regulates organizations,
  • the CRA regulates the products they use, manufacture, or distribute.

When does the Cyber Resilience Act have to be applied?

The regulation has been in force since December 11, 2024.

The specific application obligation begins after a transition period so that manufacturers can adapt their products, development processes, and documentation to the new requirements.

From September 11, 2026, there will be a mandatory reporting requirement for vulnerabilities and security incidents.

Products made available on the EU market from December 11, 2027, must comply with the CRA requirements.

We are happy to advise you personally!

The Cyber Resilience Act is a milestone for European industry. It defines clear standards for cyber security, ensures transparency in supply chains, protects operators, and strengthens the security of networked production systems. With secure development processes, state-of-the-art product architecture, and a strong focus on software quality, Mitsubishi Electric is consistently preparing its solutions for CRA compliance.

Cyberattacks will remain a threat. But with modern security, secure software, and consistent implementation of the Cyber Resilience Act, industrial plants can be operated in a stable, reliable, and resilient manner.
