
IEC 62443 – The Key to CRA Compliance

Evelin Borissevich, 06 October 2025, 10 min. read

With the Cyber Resilience Act (CRA), cybersecurity becomes a legal obligation. Only products with CE marking may be placed on the market, and starting in 2027 this requires verifiable security measures throughout the entire product lifecycle. For manufacturers, this means that processes and products must be put to the test.

But how can this complexity be managed? The answer lies in an international standard that has proven itself in practice: IEC 62443. Even though the CRA does not yet specify harmonized standards, one thing is clear: those who align with IEC 62443 today are on the right track and acting with foresight.

CRA Is Coming – IEC 62443 Shows You the Way

The CRA introduces binding requirements for products with digital elements – covering the entire lifecycle, from development and operation to decommissioning. IEC 62443 provides a structured and internationally recognized framework for exactly this purpose. It defines clear requirements for secure development processes, product functionality, and organizational measures.

The standard series is modular and addresses manufacturers, integrators, and operators alike. Particularly relevant for CRA readiness are:

  • IEC 62443-4-1: Secure development lifecycle requirements
  • IEC 62443-4-2: Technical security requirements for components
  • IEC 62443-2-1: Security management system requirements

These standards help companies implement security measures systematically – and serve as a strong argument when dealing with customers, authorities, and partners.

What Does This Mean for You as a Machine or Plant Builder?

Even if you don’t develop your own components, the CRA still applies to you. As soon as your machines include digital elements – such as controllers, networking technology, or software – the new requirements come into play. IEC 62443 helps you implement these requirements in a structured and transparent way.

Your benefits:

  • Clear guidelines for selecting secure components
  • Transparency for customers and authorities
  • Reduced risk through standardized security processes

In short: IEC 62443 is your toolbox for CRA compliance – and a strong signal to your customers that you take cybersecurity seriously.

Our Path to CRA Compliance: 360° Security

At Phoenix Contact, we take a holistic approach to cybersecurity – and have been relying on IEC 62443 for years. That’s why we’re well prepared for the CRA. Our comprehensive security concept is built on certified processes, secure products, and a strong incident response team. We call it: 360° Security.

“The IEC 62443 certifications are of central importance to us in order to ensure compliance with legal framework conditions and product compliance.”
Dr. Martin Wetter, Executive Vice President Innovation
PHOENIX CONTACT GmbH & Co. KG

Certified Processes – IEC 62443-4-1 across seven Business Units

Our development processes are TÜV-certified according to IEC 62443-4-1 – across seven business units. “Secure by Design” isn’t just a buzzword for us, it’s daily practice.

Certified PSIRT – Vulnerability Management & Incident Response

Our Product Security Incident Response Team (PSIRT) identifies and analyzes vulnerabilities, coordinates mitigation measures, and publishes security advisories. The certification confirms our ability to respond quickly and effectively to incidents – and protect our customers.

Security Services – IEC 62443-2-4 certified

Our Security Services are also certified, offering consulting, risk analysis, network architecture, and secure integration of automation solutions.

Security Solutions – IEC 62443-3-3 for complete systems

For complete automation systems, we offer solutions based on IEC 62443-3-3 – including defined security levels and system architectures.

Certified Products – Security built in

Security is not an add-on — it’s integrated from the start. From controllers and firewalls to network components: many of our solutions are already certified according to IEC 62443-4-2. In fact, we offer a double-digit number of certified products that meet these requirements – and more are yet to come.

Secure. Certified. Scalable. Our top 3 CRA-Ready products

With a growing portfolio of IEC 62443-4-2 certified products, it’s clear that CRA compliance is more than just a goal. It’s something we’re actively putting into practice.

Listing every product here might be a bit much, so we’ve picked three examples that show what CRA readiness looks like in real-world industrial environments. Each one reflects how security, certification, and usability come together to support your automation projects.

PLCnext Control – for Secure Automation

Phoenix Contact was the first provider to certify an industrial controller according to IEC 62443-4-2 that was developed under a certified IEC 62443-4-1 process. With PLCnext Control, we set the benchmark for secure automation.

The platform offers maximum openness for your applications and comes with built-in security. From secure boot to encrypted communication and regular updates: CRA requirements? Already fulfilled.

mGuard – Network Security That Thinks Ahead

The mGuard product family stands for top-tier industrial network security. As a firewall and VPN gateway, it reliably protects your systems from unauthorized access and is also certified according to IEC 62443-4-2. Especially in distributed infrastructures or remote maintenance scenarios, mGuard is an essential part of your security architecture.

Managed Switches – More Than Just Network Components

Our managed switches offer more than connectivity. With features like port security, VLANs, and access control – developed in line with IEC 62443 – they actively contribute to network segmentation and protection. A smart way to meet CRA requirements efficiently.

CRA? We are ready – and we’ll help you get ready too!

The CRA is coming – and with it, new challenges for everyone involved in developing, integrating, or operating digital products. IEC 62443 gives you a solid foundation to tackle these challenges with confidence. And Phoenix Contact is here to support you every step of the way.

Whether it’s secure products, certified processes, or tailored consulting – we help you achieve CRA compliance. Let’s shape the future of secure automation together.

Want to understand the bigger picture? Start here.

In case you missed it: our latest blog post explains what the CRA is, who it affects, and how Phoenix Contact is already CRA-ready.

Read it here: Cyber Resilience Act? We are ready!
