May 15 2025
Security

What Should Manufacturers Know About the Cyber Resilience Act?

The CRA highlights security measures required for manufacturers of digital products, including securing an entire software lifecycle.

In 2025, the Cyber Resilience Act (CRA) is expected to change how manufacturers, including companies that make or sell digital products, approach cybersecurity.

Manufacturers urgently need to implement security measures for digital products, and they are already adept at adopting new technology: Rockwell Automation’s 2024 State of Smart Manufacturing report found that 95% of manufacturers are already using or evaluating smart technologies.

More connected devices and the convergence of IT and operational technology present new security risks. Sorting out this complex matrix of interconnectivity is precisely what led to CRA’s development, says Krista Case, research director for cybersecurity at the Futurum Group.

“It is a response to the fact that many connected devices and software solutions hit the market without sufficient security measures,” she says.

The manufacturing industry is particularly vulnerable to ransomware, notes the Arctic Wolf 2025 Threat Report. The industry accounted for the largest share of ransomware incident response cases, at 18.6%, according to Kerri Shafer-Page, vice president of digital forensics incident response at Arctic Wolf.

“Manufacturers are more likely to pay ransoms to restore operations due to a low tolerance for downtime,” she says.


What Is the CRA?

Before the CRA was first introduced in 2021, a legislative patchwork existed to tackle cybersecurity-related problems and risks, leading to confusion for manufacturers and users. The new framework shifts responsibility for securing the product lifecycle onto manufacturers.

“Similar to CISA’s Secure by Design, the CRA is a positive step in ensuring cybersecurity principles are implemented into every phase of the product development lifecycle,” Shafer-Page says.

The CRA takes a broader view of what manufacturing digital products entails. It tackles areas that were previously addressed in silos, such as vulnerability management practices, secure software design lifecycles and risk management processes, notes Sabeen Malik, vice president of global government affairs and public policy at security firm Rapid7.

Products with digital elements include laptops, smartphones, smart robots, smart meters, routers, switches and industrial control systems. The CRA’s definition of software with digital elements covers firmware, operating systems, mobile apps, desktop applications and video games.

Spyware, ransomware and supply chain attacks have exploited the vulnerabilities of products with digital elements, according to CRA guidance.

The CRA requires continuous product monitoring as well as a machine-readable Software Bill of Materials, an inventory of software components and dependencies. The framework also calls for vulnerability disclosure mechanisms and timely remediation through secure updates, including over-the-air updates to circulate changes quickly.

“This may require updates to R&D processes, closer collaboration with security teams, and deeper visibility into third-party components and supply chains,” Case says. “Also, SBOMs, product lifecycle tracking, and patch management must become standard operating procedures.”
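To make the SBOM requirement concrete, the following Python script is an added example written for this article (it is not code from the CRA, from Rockwell Automation, Rapid7, Arctic Wolf or Futurum, and the product name, component names and advisory IDs in it are constructed placeholders). It reads a CycloneDX-style SBOM document, which is one common machine-readable layout, and checks each component’s version against an advisory list with affected ranges, flagging both the components that need a patch and the components that cannot be assessed at all because the SBOM records no version for them:

```python
"""Check a machine-readable SBOM against a list of known-vulnerable component versions."""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in a CycloneDX-style JSON layout. The product and
# component names are made up for this example and describe no real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-plc-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "libtls-example", "version": "2.4.1",
         "purl": "pkg:generic/libtls-example@2.4.1"},
        {"type": "library", "name": "json-parse-example", "version": "1.0.7",
         "purl": "pkg:generic/json-parse-example@1.0.7"},
        {"type": "library", "name": "mqtt-client-example", "version": "0.9.3",
         "purl": "pkg:generic/mqtt-client-example@0.9.3"},
        # A component with no version recorded: an SBOM gap that blocks assessment.
        {"type": "library", "name": "zlib-example"},
    ],
})

# Constructed advisory feed with placeholder IDs (not real CVEs). Each entry
# names the first affected version and the first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "libtls-example",
     "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "EXAMPLE-ADV-0002", "component": "mqtt-client-example",
     "introduced": "0.0.0", "fixed": "1.0.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "json-parse-example",
     "introduced": "1.1.0", "fixed": "1.1.4"},  # does not affect the 1.0.7 in the SBOM
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '2.4.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Read the component inventory out of a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return doc.get("components", [])


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def assess_sbom(sbom_json: str, advisories: List[Dict[str, str]]):
    """Return (findings, unassessable).

    findings: components matched by an advisory, with the version that fixes it.
    unassessable: component names the SBOM lists without a version.
    """
    findings: List[Dict[str, str]] = []
    unassessable: List[str] = []
    for comp in load_components(sbom_json):
        version = comp.get("version")
        if not version:
            unassessable.append(comp["name"])
            continue
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(version, adv):
                findings.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings, unassessable


if __name__ == "__main__":
    found, gaps = assess_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in found:
        print(f"PATCH NEEDED: {f['component']} {f['version']} "
              f"({f['advisory']}, fixed in {f['fixed_in']})")
    for name in gaps:
        print(f"SBOM GAP: {name} has no version and cannot be assessed")
```

Run against the constructed inputs, the script reports two components needing a patch and one SBOM gap. The gap case is the point worth noticing: a bill of materials is only as useful for vulnerability management as its version data, so an SBOM check should fail loudly on missing versions rather than silently skipping them.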


What Steps Should Manufacturers Take To Prepare for the CRA?

Manufacturers should comply with the CRA by conducting better risk assessments and prioritizing secure software development.

“IT leaders will play a role in operationalizing secure software development,” Case says. “For example, they will need to play a leadership role in seamlessly embedding security functionalities into CI/CD pipelines in a way that does not inhibit developers’ agility and automating security testing processes.”

Cybersecurity measures should address the entire lifecycle of products. “The Secure by Design integration is meant to make sure that security requirements, in terms of just product security, software lifecycle, design elements and good practices around code development, are actually being implemented right at the beginning stages of product design and development, not once it’s already been put out into the market and you’re just patching it,” Malik explains.

She notes that product testing should occur before organizations put new code into old code. “Specifically, the CRA requires manufacturers to design security into their products, and to maintain that security throughout the product’s lifecycle,” Case says. “What is notable is that this includes mandatory vulnerability management and incident reporting to improve accountability and transparency.”

In addition, IT leaders in manufacturing must conduct incident reporting within strict timelines, according to Case.

“The CRA calls for reporting severe incidents to European authorities within 24 hours of detection, which requires having internal escalation procedures, real-time monitoring and clear accountability,” Case says.

To ensure compliance, manufacturers should secure external access points such as unsecured remote desktop protocols, VPNs or other remote access tools, Shafer-Page advises.

“Organizations must secure these interfaces with strong, phishing-resistant MFA and address any misconfigurations,” she adds.

Going forward, manufacturers will need to boost their resilience in an interconnected digital market.

“Manufacturers can invest in technologies and processes for endpoint monitoring, anomaly detection and supply chain validation to build continuous insight into their security posture,” Case says. “There is also a need for them to adopt zero-trust architectures and capabilities such as Secure Boot to help keep digital products protected after they leave the factory.”


Sean Anthony Eddy / Getty Images