The Cyber Resilience Act is coming: Get your necessary certifications!

In order to strategically strengthen and structurally anchor cyber security in Europe, the EU Commission proposed the Cyber Resilience Act (CRA) in 2022, a regulation to improve cyber security and cyber resilience in the European Union. It includes security standards for software and hardware products with digital elements. It is expected to come into force across Europe in July 2024. This also marks the start of the implementation period of up to three years, which can be a major challenge for many companies.
The IEC 62443 ("Industrial communication networks - IT security for networks and systems") a series of standards, is highly relevant for compliance with the CRA  and already covers a large part of the CRA’s requirements. The four sections of the standard describe all relevant security aspects of control and automation systems - from development and operation to maintenance through updates.

NIS-2 and  ISO 27001

Another relevant standard is the internationally applicable ISO 27001, which defines the requirements for information security management systems (ISMS) to ensure that companies deal with the topic of information security holistically and structurally rather than just taking selective measures.

ISO 27001 is relevant in part for the CRA and to a large extent for compliance with the NIS-2 directive, which regulates the cyber and information security of companies and institutions. In contrast to the CRA, however, NIS-2 does not have to be transposed into national law by the various member states until October 2024, which in Germany will be the NIS-2 Implementation and Cyber Security Strengthening Act (NIS-2UmsuCG) drawn up by the Federal Office for Information Security (BSI).