The approval of the Cyber Resilience Act (CRA) by the European Union marks a turning point in the security of products with digital elements. It is a historic step towards a safer, more transparent, and more robust market. But it also raises an essential question for our ecosystem: can a regulation be applied directly to operational technologies whose lifecycle, operational constraints, and risks are completely different?
At CCI, we believe the answer is clear: no. And that is precisely the motivation behind the new CRA Industrial Position Paper.

Why the industry needs an adapted CRA
Operational technology (OT) environments are not an extension of IT. They are critical systems that have been in operation for decades, with lifecycles of 15 to 30 years, highly customized integrations, and one non-negotiable requirement: operational availability is sacred. That is why, at CCI, we uphold a key idea:
without a specific adaptation for OT, the CRA cannot be applied effectively, efficiently, or fairly in the industry.
What does CCI propose with the multisectoral Industrial CRA?
The Position Paper proposes a structured, pragmatic adaptation aligned with European principles, based on key pillars:
- An approach based on real industrial risk
CCI’s Industrial CRA proposes classifying products according to their level of threat and operational impact (Class I, II, or Critical), taking into account not only digital vulnerabilities but also physical security, service continuity, and the sector-specific regulatory environment.
- Balance between cybersecurity and availability
The goal is not to impose unfeasible requirements, but to ensure that any measure strengthens security without jeopardizing operations. For this reason, the paper promotes the concept of compensatory security plans, a key element in OT.
- A gradual and orderly transition
The proposal sets out a realistic roadmap:
- Start of Industrial CRA in 2026
- Obligation for new products in 2027
- Transition until 2032 for already operational products
- Shared responsibility (manufacturer, integrator, operator)
For the first time, a distributed compliance model is articulated that recognizes that OT cybersecurity depends on the whole ecosystem, not just on the manufacturer. This includes coordinated vulnerability management, commissioning validation, and continuous monitoring.
- Adaptation of Common Criteria to the OT world
The document proposes concrete changes to EUCC and Common Criteria to make them viable in OT:
- Protection profiles for PLCs, RTUs, IEDs, SCADA systems, and industrial gateways
- Modular evaluations
- Inclusion of real physical and operational threats
- Integration with functional safety and sectoral regulations (IEC 61508, IEC 61511…)
The ultimate goal: a multisectoral guide for the entire industry
The Position Paper is the first step towards an Industrial CRA applied to sectors such as electricity, water, transport, chemicals, oil & gas, food, healthcare, metallurgy, and manufacturing. It is a guide that will enable each stakeholder (manufacturer, integrator, and operator) to understand what is expected of them, how to comply, and how to do so without disrupting operations. The approach incorporates experience from existing frameworks, such as the ‘substantial modification’ mechanisms used in the railway and healthcare sectors, where technical and economic feasibility is part of the regulatory analysis.
