EU Cyber Resilience Act
CRA compliance for industrial automation
Industrial automation and OT products with digital elements fall under the Cyber Resilience Act. Category depends on the product; many are default-category, while some controllers may be treated as important.
What to focus on
- Classify the product — some industrial components are in the important tier.
- Maintain an SBOM and a vulnerability-handling process across long product lifecycles.
- Document secure-by-design choices against Annex I.
- Produce the Annex VII dossier and Declaration of Conformity.
Frequently asked questions
- Are PLCs and industrial controllers in scope for the CRA?
- Industrial products with digital elements are generally in scope; some may be classified as important (Annex III), which changes the conformity route. Classify the specific product.
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.