INDUSTRY INITIATIVE

ei3 and OMAC Collaborate to Present Insights on EU Cybersecurity Regulations

EU CRA Compliance Report

Cyber attacks pose a significant threat to businesses, with projected damages reaching $10.5 trillion USD annually by 2025. The European Commission has responded with the Cyber Resilience Act (CRA), requiring compliance for all digital products sold in EU markets. Non-compliance penalties are severe, with fines up to 15,000,000 EUR or 2.5% of total annual turnover. To assist business leaders in navigating CRA compliance and mitigating the associated risks, Adam Griffen, ei3’s Product Manager, led OMAC’s EU-CRA task force in collaboration with 18 industry experts to deliver an insightful executive report.

Through thorough discussions and surveys, the task force offers practical insights and up-to-date information on various aspects of the CRA. Its collective expertise covers critical areas such as the legislative progress and potential enactment timeline of the CRA, the industries and entities affected by it, guidelines on designing products for cybersecurity, and the establishment of best practices, helping organizations safeguard their products and customers.

As with all OMAC publications, members can access them through the portal.

About the CRA Compliance Report and Task Force

TOPICS

Essential Message

Sheds light on the rising threat of cyber attacks globally, which has resulted in the EU establishing the CRA with significant penalties for non-compliance.

CRA Executive Summary

Outlines the CRA Act, highlighting how it applies to all products with digital elements, with set minimum security requirements and vulnerability handling procedures.

Current Status of the Legislation

Provides the latest information on the progress and potential enactment timeline of the CRA, ensuring businesses stay informed and prepared for compliance.

Businesses Impacted by the CRA

Highlights how compliance responsibilities extend throughout the product lifecycle, involving various economic operators in the supply chain, including the Manufacturer, Importer, Authorized Representative, and Distributor.

Security Properties of Products with Digital Elements

Provides insights into the design requirements for products to achieve an appropriate level of cybersecurity and emphasizes the importance of manufacturers in consistently updating documentation and delivering security updates.

Security Vulnerability Handling Procedures

Breaks down how manufacturers must promptly report security vulnerabilities to ENISA and provide necessary documentation, including a Software Bill of Materials (SWBOM).

Compliance Evidence and Certification Procedures

Describes the process of proving EU-CRA compliance and outlines what it entails, including providing evidence of adherence to product lifecycle and vulnerability handling processes.

Good Practices and Practical Guidance

Offers information on practical best practices for businesses as a whole, as well as product-specific insights for effective compliance and cyber resilience.

This task force draws upon a diverse range of industry expertise, offering insights from machine builders, technology providers, system integrators, and end users. Participating organizations include:

  • Global OEMs such as ID Technology, ProMach, Markem-Imaje, Rychiger Group, and Mettler-Toledo,
  • Leading manufacturing companies such as Corning, P&G, and Arla Foods,
  • System integrators like MartinCSI,
  • Technology companies like ei3 Corporation, Mitsubishi Electric, Cisco, Domino Printing Sciences, Siemens, and Rockwell Automation, and
  • Industry associations like PMMI.

Member Experiences

"The biggest issue here is the right balance between innovation and security. Right now the slider is too far to the innovation side. We need to slide it a bit toward security, without stifling innovation. That will be a delicate balance to strike."

"A manufacturer should not release a product if there is a known security issue... Risk assessments should look to reduce the functional safety risk levels to 'tolerable risk' and avoid 'foreseeable' causes. There will always be some vulnerability with any product (known or unknown). In my opinion the objective should be to use due diligence to identify any vulnerabilities and then reduce these to tolerable levels."

"Specialized skills and knowledge should be required to properly conduct cybersecurity risk assessments, as the risk assessments for industrial applications (OT) may differ from typical IT applications."

"It is the responsibility of the party placing the device on the market to be aware of all vulnerabilities. But this legislation should encourage better communication mechanisms from component manufacturers to integrators to end users."

"A manufacturer can place items like a PLC on the market which can be very secure when used correctly, but it is then the responsibility of the manufacturer selling the system which contains that component to follow all the instructions and place on the market a secure system."