EU Cyber Resilience Act

CRA compliance for industrial automation

Industrial automation and OT products with digital elements fall under the Cyber Resilience Act. Category depends on the product; many are default-category, while some controllers may be treated as important.

What to focus on

  • Classify the product — some industrial components are in the important tier.
  • Maintain an SBOM and a vulnerability-handling process across long product lifecycles.
  • Document secure-by-design choices against Annex I.
  • Produce the Annex VII dossier and Declaration of Conformity.

Frequently asked questions

Are PLCs and industrial controllers in scope for the CRA?
Industrial products with digital elements are generally in scope; some may be classified as important (Annex III), which changes the conformity route. Classify the specific product.

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See what the CRA requires for your industrial automation.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.