What the Cyber Resilience Act Means – and How Janitza Supports Implementation

Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) establishes the first EU-wide binding cybersecurity requirements for products with digital elements. Manufacturers, importers, and distributors must now meet new obligations across the entire product lifecycle. Janitza supports customers throughout this process—from development and the communication of security updates to the structured phase-out of products.

What Is the CRA All About?

The Cyber Resilience Act (CRA) is an EU regulation that establishes uniform minimum standards for the cybersecurity of products with digital components. It covers both hardware and software that can connect directly or indirectly to a network or another device.

The CRA aims to:

  • better protect companies and consumers from cyberattacks,
  • raise the security level of many products,
  • define clear responsibilities for manufacturers, importers, and distributors, and
  • increase transparency around security features and updates so users can make informed purchasing and configuration decisions.

Which Products Are Affected?

In principle, the CRA applies to all products with digital elements that are designed to connect—directly or indirectly—to a device or network.

However, there are exceptions for areas already covered by specific EU regulations. These include medical devices, civil aviation, motor vehicles, and certain cases of open-source software.

What Does the CRA Mean for You as a Customer?

The CRA formally applies to economic operators such as manufacturers, importers, and distributors. For you as an operator, it primarily means the following:

Greater Transparency and Comparability

  • Manufacturers must provide clearer information about their products’ security features, support duration, and update strategy. 
  • This makes it easier for you to evaluate whether a product aligns with your own security strategy.

Reliable Security Updates

  • Manufacturers are required to manage vulnerabilities throughout the entire product lifecycle and provide the necessary security updates. 
  • This means you can rely on predictable update maintenance—while still incorporating these updates into your own operational and patch management strategy.

CE Marking as a Security Indicator

  • Starting December 11, 2027, products bearing the CE marking must comply with the CRA, so the marking also covers the new cybersecurity requirements.
  • This simplifies documentation for internal and external stakeholders (e.g., IT security, audit teams, and customers).

A Stronger Foundation for Risk and Compliance Management

  • The harmonized EU requirements reduce fragmentation and make it easier to align security and compliance standards across different countries and suppliers.

What Can You Expect from Us as a Manufacturer?

The CRA places greater responsibility on manufacturers. For Janitza’s portfolio, this means the following within the framework of the legal requirements:

01.

A Secure Foundation and Secure Use

Janitza considers cybersecurity from the very beginning—during the planning, design, and development of products with digital elements.

02.

Vulnerability and Patch Management

Janitza establishes processes to identify, assess, and address vulnerabilities in its products (certified according to IEC 62443-4-1).

Janitza provides appropriate security updates throughout the defined product lifecycle. Please also refer to the notifications published via CERT@VDE and subscribe to the Security Updates.

03.

Clear Information for You as an Operator

Janitza’s technical documentation provides extended information about the principles and assumptions used when developing a product. It also explains which technical measures Janitza has implemented to enhance security.

Janitza clearly explains how these measures benefit you and how you can make effective use of the respective security features.

Timeline of the Cyber Resilience Act

According to the European Commission, the following timeline applies:

10 December 2024

The Cyber Resilience Act entered into force.

11 September 2026

Mandatory reporting of vulnerabilities and security incidents begins.

by 2027

Development of secondary legislation, harmonized standards, and guidelines, including by a dedicated CRA expert group of the Commission.

Starting December 11, 2027

The key obligations for manufacturers, importers, and distributors become legally binding. From this date onward, these actors may place products with digital elements on the market only if they comply with the CRA requirements.

FAQ

Frequently Asked Questions About the Cyber Resilience Act (CRA)

  • The Cyber Resilience Act has been in force since December 10, 2024.
  • The key obligations for manufacturers, importers, and distributors will apply starting December 11, 2027. From this date onward, these actors may place products with digital elements on the EU market only if they comply with the CRA requirements.
  • The mandatory reporting of vulnerabilities and security incidents will already apply starting September 11, 2026.

The roles are clearly defined in the Commission proposal:

Manufacturer 
A natural or legal person that develops a product with digital elements—or has one developed or manufactured—and places it on the market under its own name or trademark, whether for payment or free of charge.

Importer 
A natural or legal person in the EU that places a product with digital elements on the market that bears the name or trademark of a company located outside the EU.

Distributor 
A natural or legal person in the supply chain—other than the manufacturer or importer—that makes a product with digital elements available on the EU market without modifying its characteristics.

  • The CRA applies to products with digital elements that are made available on the market for the first time after the regulation becomes applicable.
  • Products that were already placed on the market are not subject to the CRA requirements retroactively, even if they are resold or supplied from existing inventory after the effective date.
  • Important exception: If a product is significantly modified afterward—for example through a new intended use or new security-relevant functions—it may fall under the CRA requirements.

According to the Commission proposal:

  • Manufacturers must consider security throughout the entire product lifecycle and provide security support in the form of updates in an appropriate manner, while also organizing processes to manage vulnerabilities.
  • The European Commission states that manufacturers remain responsible for cybersecurity throughout the entire product lifecycle.

  • The CRA sets requirements for placing products with digital elements on the market starting in December 2027.
  • However, it does not define a maximum operating period for products that have already been installed.

  • The CRA is an EU regulation and therefore applies directly in all EU member states.
  • It addresses the EU internal market, meaning it applies to all products made available on the EU market—regardless of where the manufacturer is located.

Janitza already provides information about known vulnerabilities. Customers can subscribe to a dedicated mailing list for this purpose.

In addition, Janitza is a partner of CERT@VDE, the first platform dedicated to coordinating IT security issues specifically for companies in the field of industrial automation. Security advisories about known vulnerabilities are also published there.

Certification according to IEC 62443-4-1 confirms that Janitza’s development processes meet the requirements of this international standard for industrial cybersecurity.

TÜV SÜD has reviewed all relevant stages—from planning and implementation to testing and support. This assessment confirmed that security-relevant procedures are defined through structured and consistently documented processes.

The IEC 62443-4-1 certification demonstrates that cybersecurity is firmly embedded in Janitza’s development processes. This provides companies with reliable guidance when implementing secure automation and energy data management systems.

Based on this process certification, Janitza will also be able to certify future products according to IEC 62443-4-2, which defines technical security requirements for devices and components.

The current certification therefore represents an important step toward expanding the portfolio of security-certified solutions.