How to minimize risks in industrial network security and to comply with the European Union Cyber Resilience Act (CRA)

Cybersecurity in industrial automation is no longer optional – it’s essential. As Industry 4.0 advances, connected systems face growing risks from cyberattacks and evolving regulations. This article explores how Festo ensures compliance and reliability in cybersecurity and product security – and why the European Union’s Cyber Resilience Act (CRA) is significant for industrial network security.

What Is OT Security and Why Is It Important in Cybersecurity?

Operational Technology (OT) security protects the systems that control industrial operations – spanning manufacturing, robotics, energy grids, and critical infrastructure. Because OT directly manages physical processes, its protection is vital for safety, reliability, and uninterrupted production.

As cyberattacks become increasingly sophisticated, product security is now crucial to ensuring OT security. A breach can halt operations, damage equipment, cause major financial and safety risks, and bring about potential loss of data. This makes tailored strategies essential for legacy systems, real-time demands, and the convergence of IT and OT networks.

Key Regulations and Standards Shaping OT Security Include:

  • Cyber Resilience Act (CRA): Sets higher EU-wide security requirements for products with digital elements, especially connected devices.
  • EU Machinery Regulation (EU) 2023/1230: Applies from January 20, 2027, and requires products to be protected against corruption and manipulation.
  • EU NIS2 Directive (EU) 2022/2555: Applies from October 18, 2024, and sets higher cybersecurity requirements for essential and important entities.
  • NIST SP 800-82: U.S. guide with best practices for OT architectures, threat mitigation, and response.
  • Software Bill of Materials (SBOM): A list of all libraries and dependencies in a software product, improving transparency and security.
  • IEC 62443: International standard for industrial control system security, from design to monitoring.
  • ISA/IEC 61511: Addresses safety instrumented systems where safety and cybersecurity intersect.

What Are Industrial Control Systems (ICS) and Why Are They Critical for Cybersecurity?

Industrial Control Systems (ICS) are hardware and software solutions that monitor, control, and automate processes across industries such as manufacturing, energy, water treatment, and transportation. Key components include SCADA systems for remote oversight, Distributed Control Systems (DCS) for centralized plant control, PLCs for specific factory tasks, and HMIs that let operators visualize and manage processes. Beyond ensuring safe and efficient operations, ICS are critical for defending against cyberattacks that can disrupt essential infrastructure. The Cyber Resilience Act (CRA) highlights this urgency, and Festo will ensure product security and support customers with compliant and reliable automation solutions.

How the European Union's CRA Strengthens Cybersecurity

The EU Cyber Resilience Act is a regulation designed to ensure that all connected products with digital elements—hardware and software—are secure by design, secure by default, and secure throughout their lifecycle. It applies to manufacturers, importers, and distributors who place such products on the EU market.

The key obligations comprise:

  • Risk assessments and cybersecurity evaluations before placing products on the market
  • Ongoing security updates and vulnerability management
  • CE (Conformité Européenne) marking to prove compliance
  • Reporting of exploited vulnerabilities to ENISA starting September 11, 2026

Full compliance becomes mandatory on December 11, 2027, with penalties of up to €15 million or 2.5% of global turnover for non-compliance.


“The new regulation requires continuous security updates. It also encourages transparency about cybersecurity risks. This helps organizations maintain strong protection throughout a product’s lifecycle.”

Eberhard Klotz, Sales Director Industry 4.0 and Digitalization

How Does Festo Support Customers Under the Cyber Resilience Act?

Festo hardware and software with digital interfaces – such as PLCs, edge computers, valve terminals, motion controllers, engineering tools, and AI-based analytic apps – are subject to the CRA. To support CRA compliance, Festo offers an open-source tool (published on GitHub) to create, edit, and validate CycloneDX SBOMs, helping users document the software components they use and detect vulnerabilities in them. We help machine builders, distributors, and importers manage CRA compliance with respect to timelines, documentation, and security.
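To show what an SBOM check of the kind described above (and in the SBOM entry of the standards list) actually does, here is an added Python example. It is not Festo's tool and not code from this page: it parses a small constructed CycloneDX JSON document, checks the minimal fields a consumer needs, and matches each component against a constructed advisory list with placeholder identifiers. Real tooling would use purl-based matching and version ranges instead of the exact-version comparison used here.

```python
import json

# Constructed sample CycloneDX SBOM. Component names and versions are
# illustrative and do not refer to real products or libraries.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "firmware", "name": "example-controller-fw", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libtls", "version": "1.4.2", "purl": "pkg:generic/libtls@1.4.2"},
    {"type": "library", "name": "jsonparse", "version": "0.9.1", "purl": "pkg:generic/jsonparse@0.9.1"},
    {"type": "library", "name": "mqtt-client", "purl": "pkg:generic/mqtt-client"}
  ]
}
"""

# Constructed advisory feed. The ids are placeholders, not real CVE or advisory numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "name": "libtls",
     "affected_versions": ["1.4.0", "1.4.1", "1.4.2"], "fixed_in": "1.4.3"},
    {"id": "ADV-PLACEHOLDER-0002", "name": "jsonparse",
     "affected_versions": ["0.8.0"], "fixed_in": "0.9.0"},
]


def validate_sbom(sbom):
    """Return a list of problems found; an empty list means the minimal checks passed.

    A component without a version cannot be matched against advisories, so it is
    reported as a problem rather than silently treated as unaffected.
    """
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if "specVersion" not in sbom:
        problems.append("specVersion missing")
    components = sbom.get("components")
    if not isinstance(components, list):
        problems.append("components list missing")
        return problems
    for i, comp in enumerate(components):
        for field in ("type", "name"):
            if not comp.get(field):
                problems.append(f"component[{i}] missing '{field}'")
        if not comp.get("version"):
            name = comp.get("name", "?")
            problems.append(f"component[{i}] ({name}) has no version; cannot be matched against advisories")
    return problems


def match_advisories(sbom, advisories):
    """Return one finding per (component, advisory) pair whose name and exact version match."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("name") == adv["name"] and comp.get("version") in adv["affected_versions"]:
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def assess(sbom_json, advisories):
    """Parse an SBOM document and return both structural problems and advisory matches."""
    sbom = json.loads(sbom_json)
    return {"problems": validate_sbom(sbom), "findings": match_advisories(sbom, advisories)}


if __name__ == "__main__":
    report = assess(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for p in report["problems"]:
        print("PROBLEM:", p)
    for f in report["findings"]:
        print(f"AFFECTED: {f['component']} {f['version']} -> {f['advisory']} (fixed in {f['fixed_in']})")
```

On the constructed input the script reports the unversioned `mqtt-client` entry as a documentation gap and flags `libtls 1.4.2` against the placeholder advisory, while `jsonparse 0.9.1` is not flagged because it is already past the affected version. Treating a missing version as a problem rather than a pass is the design choice that matters: an SBOM is only useful for vulnerability management if every component can be identified precisely.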

While no products are CRA-compliant yet, Festo holds IEC 62443-4-1 certification for secure development, audited by TÜV Süd, and applies Threat and Risk Analysis (TARA) methods to identify possible risks when using our products and mitigate them. We ensure that by December 2027, customers can confidently use Festo solutions in compliance with EU regulations.


Roles Under CRA and Security Contact at Festo

The CRA affects all roles in automation: OEMs must prove that their machines comply, integrators are liable for secure components, operators require assurance of continuity, and procurement officers must assess suppliers for readiness. The biggest challenge is uncertainty around certification, product lifecycles, and sourcing, which we address with transparency and documented measures. Festo aligns with ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes).

Vulnerabilities can be reported to our Product Security Incident Response Team (PSIRT) via the contact form or by email to psirt@festo.com. On our website, we transparently publish released advisories covering known and fixed vulnerabilities.


Your Step-by-Step Cybersecurity Compliance Checklist for the CRA

☑ Understand how the CRA affects machines, operations, and procurement.

☑ Confirm your suppliers’ CRA readiness now – do not wait until 2027.

☑ Use Festo’s advisories, statements, and security documentation for planning.

☑ Stay aligned with IEC 62443 and CRA requirements to avoid compliance risks.

☑ Rely on Festo as your trusted partner in product security.

Cybersecurity meets Lifelong Learning

Curious about the Cyber Resilience Act and its impact on automation? Watch our videos ‘Cyber Resilience Act – Explained in 5 Minutes’ and ‘Enabling Technologies - Big Data, Cloud & Cybersecurity’ on our online learning portal Festo LX to quickly understand the essentials of the CRA and how to prepare as a manufacturer for compliance.
