Things You Need to Know about IEC 62443 and the Cyber Resilience Act (CRA)
15.07.2025
Compliance & Regulation
1. Have the transition periods for the Cyber Resilience Act (CRA) been defined?
Yes, the transition periods for the Cyber Resilience Act have been clearly defined.
The regulation outlines two key transition milestones:
- September 11, 2026 – This is the date when reporting obligations begin. From this point, manufacturers must report any actively exploited vulnerabilities or incidents related to their digital products to ENISA within 24 hours.
- December 11, 2027 – This marks the date of full application. From then on, all products with digital elements placed on the EU market must fully comply with the CRA’s cybersecurity requirements, including conformity assessments, documentation, and CE marking.
2. Does the CRA apply to non-European manufacturers selling in the EU?
The CRA applies to non-European manufacturers if they sell or offer products with digital elements in the EU market. Any company, regardless of where it is based, must comply with CRA requirements if its products are sold, distributed, or made available to EU customers.
3. Does the CRA apply to products with digital elements that are already placed on the EU markets?
The CRA applies to products placed on the EU market after its enforcement date (December 11, 2027). However, products already installed on sites are generally not retroactively subject to the CRA, unless they undergo a substantial modification that impacts their cybersecurity or intended purpose, or if they are sold again after the enforcement date.
4. How close are the CRA and IEC 62443?
CRA introduces legally binding cybersecurity requirements that align in many ways with the security controls, secure development practices, and lifecycle approaches defined in IEC 62443. CRA covers a broader product scope, but its principles (secure-by-design, vulnerability handling, documentation) map well to IEC 62443 practices.
5. Is investing in IEC 62443 a good move before CRA enforcement?
Yes — at this moment adopting IEC 62443:
- Prepares you ahead of CRA mandates, reducing the risk of non-compliance once CRA is enforced.
- Strengthens overall cybersecurity posture in line with international best practices.
- Gives a competitive edge, as customers and partners increasingly require proven security credentials.
- Minimizes future adaptation costs, since many CRA requirements can be addressed through IEC 62443-aligned processes.
In short, investing in IEC 62443 now is a strategic move — it positions your organization for smoother CRA compliance while improving security and market trust.
Advantech IEC 62443 Certification Solution
6. Does Advantech follow cybersecurity standards IEC 62443-4-1?
Advantech was certified for IEC 62443-4-1 with Maturity Level 2 in September 2020. This allows us to continue pursuing IEC 62443-4-2 for components. Please refer to the Cybersecurity Guidebook for more.
7. Does Advantech have a standardized, documented process for cybersecurity tasks and procedures in product development, maintenance, and lifecycle management (Secure Development and Lifecycle Process - SDLC)?
According to the requirements defined in IEC 62443-4-1 SM-1 (development process), a general product development/maintenance/support process is documented and enforced that is consistent and integrated with commonly accepted product development processes. Advantech established the Secure Software Development Life Cycle (SSDLC) with the V-model.
8. Does Advantech have an automated process for reviewing and monitoring third-party software dependencies, including SBOMs and vulnerability scans?
For the upcoming CRA requirements, SBOMs and vulnerability scans are critically important. Advantech established an SBOM management mechanism to create, refine, review, remediate, monitor, and update third-party software components with security patches.
9. Does Advantech have a security framework in place to protect product integrity during production, logistics, and distribution?
According to the requirements defined in IEC 62443-4-2 CR 3.10 (support for updates), the authenticity and integrity of software updates/upgrades are checked by verifying the digital signature provided by the product supplier prior to installation.
Benefits of the Advantech IEC 62443 Certification Solution
10. How does the Advantech IEC 62443 Certification Solution save certification time and cost?
Advantech delivers pre-compliance reports and documentation verified by Bureau Veritas (BV). This minimizes the effort needed for official CB or VoC certification, accelerating market readiness for standards like SEMI-E187, IEC 80001, and TC65 or even CRA and RED-DA. With Advantech’s BV-reviewed reports and pre-compliance documentation, customers have credible evidence ready for submission to global certification bodies, streamlining approvals across regions.
11. Besides Windows and Ubuntu, are there other operating systems that can implement IEC 62443 Pre-certification?
We are currently working toward supporting more operating systems, such as Debian and the Yocto Project. However, due to the need for BV verification and approval, this will take some time. Advantech's laboratory capacity is also increasing. The supported operating systems will be updated in real time on this webpage.
12. How does Advantech’s IEC 62443 Certification Solution reduce engineering and validation effort?
Advantech’s platform integrates hardware (TPM 2.0, secure BIOS), OS security (BitLocker, Secure Boot), and software controls (Trellix, Acronis) out of the box, eliminating the need for customers to build and validate these controls from scratch.
13. What is the relationship between BV and Advantech?
Advantech collaborates with BV to provide IEC 62443 certification services. BV, as a trusted third-party certification body, reviews and validates the pre-compliance reports generated by Advantech's internal team. Advantech’s software QA team, trained by BV, ensures the systems meet the necessary requirements for IEC 62443-4-2 compliance, streamlining the certification process. This partnership helps expedite the certification process, reduce costs, and improve the efficiency of obtaining official IEC 62443-4-2 VoC or CB certification.
In essence, BV serves as the certification authority, while Advantech handles the pre-certification preparation, ensuring a smoother and more cost-effective path to compliance for customers.