Industrial firms struggle to meet Cyber Resilience Act’s security demands



CO-EDP, VisionRI | Updated: 23-05-2025 23:08 IST | Created: 23-05-2025 23:08 IST

A newly published study has revealed significant challenges facing industrial equipment manufacturers as they prepare for compliance with the European Union’s Cyber Resilience Act (CRA), which aims to tighten cybersecurity standards for products with digital elements. The research, titled “Effects of the Cyber Resilience Act (CRA) on Industrial Equipment Manufacturing Companies” and published on arXiv on May 20, 2025, provides an in-depth analysis of how the CRA is expected to impact manufacturers’ workflows, security protocols, and product lifecycles.

The study, based on a detailed survey of twelve companies in the sector, exposes organizational, technical, and regulatory readiness gaps across various areas - from secure development lifecycle management to vulnerability disclosure and user documentation requirements. Despite general awareness of the CRA and relevant IEC 62443 standards, most participants acknowledged substantial hurdles in implementing the regulation’s stringent requirements within the short transition timeline set by the EU.

What makes CRA compliance difficult for manufacturers?

The CRA imposes a sweeping set of cybersecurity mandates on manufacturers of digital products, including industrial equipment. These requirements span secure-by-design development practices, automated security updates, vulnerability notification to EU authorities, technical documentation, and conformity assessment procedures. All requirements must be in place by December 2027, with vulnerability reporting obligations coming into force by September 2026.

Survey participants highlighted three practices as particularly burdensome: security management, secure-by-design development, and security update management. Security management involves the integration of cybersecurity measures across the organization, from development teams to upper management, and demands coordination that many firms find difficult to enforce. Secure-by-design challenges stem primarily from a shortage of cybersecurity-experienced professionals capable of implementing best practices such as least privilege access, secure boot processes, and defense-in-depth frameworks. Update management proved difficult due to the reliance on embedded software in industrial equipment, which typically lacks internet connectivity or user capacity for manual updates.

Participants also cited organizational issues, including misalignment between team roles and CRA-mandated structures, limited cybersecurity knowledge at management levels, and communication gaps between development, security, and quality assurance units. This lack of alignment hinders not just execution but planning for CRA compliance.

How are vulnerability management and conformity requirements compounding the problem?

Another set of hurdles centers on vulnerability reporting and conformity assessment. Under Articles 14 and 15 of the CRA, manufacturers must notify the European Union Agency for Cybersecurity (ENISA) and national CSIRTs within 24 hours of detecting an actively exploited vulnerability, and submit follow-up and final reports within strict deadlines. For many companies surveyed, this timeline seemed impractical given their limited ability to detect and verify live exploits in real time.

Vulnerability management expectations, including software bill of materials (SBOM) generation and real-time patch readiness, further complicate compliance. Companies expressed concern over their current tooling and process maturity for tracking vulnerabilities across complex product stacks, particularly when using open-source software. The CRA’s demand for transparent, machine-readable SBOMs and proactive security disclosures makes this task even more daunting.
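Machine-readable SBOMs make the vulnerability tracking described above mechanical: the following is an added example (not from the study or this article) that matches a constructed CycloneDX-style SBOM against a constructed advisory list by package URL; the component names, versions and advisory ids are assumptions, not real data.

```python
import json

# Constructed CycloneDX-style SBOM fragment for a hypothetical PLC firmware
# image; sample data, not the output of any real tool.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "mbedtls", "purl": "pkg:generic/mbedtls@2.28.3"},
        {"type": "library", "name": "freertos", "purl": "pkg:generic/freertos@10.4.6"},
    ],
})

# Constructed advisory feed: versionless purl plus the first fixed version.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:generic/zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:generic/mbedtls", "fixed_in": "2.28.2"},
    {"id": "ADV-PLACEHOLDER-3", "purl": "pkg:generic/libpng", "fixed_in": "1.6.38"},
]

def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def split_purl(purl):
    """Separate 'pkg:type/name@version' into (base purl, version)."""
    base, _, version = purl.partition("@")
    return base, version

def affected_components(sbom_json, advisories):
    """Return (component purl, advisory id) pairs for every SBOM component
    whose shipped version is older than the advisory's first fixed version."""
    fixes = {adv["purl"]: adv for adv in advisories}
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        base, version = split_purl(comp["purl"])
        adv = fixes.get(base)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((comp["purl"], adv["id"]))
    return hits

if __name__ == "__main__":
    for purl, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{purl}: update required ({adv_id})")
```

Real SBOMs also carry hashes, licences and dependency graphs, and production matching should use the vulnerability data's full version ranges rather than a single fixed version.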

In addition, many respondents expressed confusion over the CRA’s conformity assessment requirements. Uncertainty persists around when a product must undergo third-party evaluation versus self-declaration. Quality assurance teams responsible for CE markings may lack the expertise needed for cybersecurity conformity checks, raising fears of noncompliance or faulty assessments.

Interestingly, technical requirements such as ensuring data confidentiality and implementing encryption were not widely seen as problematic. These appear to be better understood and already partially implemented by most manufacturers surveyed.

What strategies and solutions does the study recommend?

To support the industry’s transition to CRA compliance, the study outlines strategic recommendations in three critical areas: workforce development, organizational communication, and tooling.

The shortage of cybersecurity professionals is recognized as a long-term challenge. While the CRA encourages EU-wide initiatives to expand the talent pool, the study urges manufacturers to invest immediately in internal training, adopt shift-left development strategies, and embed security responsibilities across functional teams rather than relying solely on security departments.

Clear communication was identified as another essential enabler of compliance. Participants frequently reported disconnects between cybersecurity teams and top leadership, as well as between developers and quality assurance units. The study recommends regular cross-functional meetings, defined roles and responsibilities, and targeted workshops to align internal stakeholders. It also calls on ENISA and national CSIRTs to establish standardized procedures and tools for coordinated vulnerability disclosure, easing the burden on individual companies.

On the tooling front, participants emphasized the need for robust DevSecOps platforms that integrate with current development pipelines. Tools for threat modeling, code scanning, SBOM tracking, and risk analysis were seen as vital. Additionally, incident response systems that use structured protocols like STIX and CVRF were recommended to streamline the CRA’s complex reporting processes.

Governance Risk and Compliance (GRC) tools were noted as potentially useful but insufficient on their own. Instead, the study recommends that companies prioritize the establishment of a comprehensive Cybersecurity Management System (CSMS) grounded in IEC 62443 standards, and then use tools to operationalize this framework.

Participants also expressed concern about the regulation’s impact on the use of open-source software. Increased scrutiny and traceability requirements mean organizations must enhance component vetting, vulnerability monitoring, and legal due diligence around open-source integration.

First published in: Devdiscourse