Differences Between CRA (Cyber Resilience Act) and IEC 62443

Key takeaways

The Cyber Resilience Act (CRA, EU Regulation 2024/2847) is a legally binding EU law requiring cybersecurity compliance for all products with digital elements sold in the EU market, with full obligations applying from December 2027.
IEC 62443 is a voluntary international standard for industrial automation and control systems (IACS), covering secure product development (IEC 62443-4-1, 2018 edition) and component-level technical security (IEC 62443-4-2, 2019 edition).
IEC 62443 compliance partially overlaps with CRA requirements but does not substitute for full CRA conformity — the CRA additionally mandates SBOM documentation, vulnerability disclosure, and post-market monitoring obligations.
ORing industrial Ethernet switches and OT Cybersecurity products are developed in alignment with IEC 62443-4-1 (2018 edition) and support IEC 62443-4-2 (2019 edition) component-level security requirements.

The Cyber Resilience Act (CRA), published as EU Regulation 2024/2847 and entering full effect in December 2027, is a legally binding EU regulation that mandates cybersecurity requirements for all products with digital elements — including industrial networking devices such as managed Ethernet switches and secure routers — placed on the EU market. IEC 62443, maintained by the IEC TC65 committee, is a voluntary international standard series that defines security requirements for industrial automation and control systems (IACS), with IEC 62443-4-1 (2018 edition) covering the secure product development lifecycle and IEC 62443-4-2 (2019 edition) covering component-level technical security capabilities.

What is the core difference between CRA and IEC 62443?

The most important distinction is legal status and scope. The CRA is a market access regulation — products that do not comply cannot legally be sold in the EU from December 2027 onwards. IEC 62443 is a technical standard that organisations adopt voluntarily, though it is increasingly specified as a procurement requirement by utility operators, railway authorities, and critical infrastructure owners worldwide.

CRA — legally binding EU regulation for all digital products sold in the EU, regardless of industry sector.
IEC 62443 — voluntary international standard tailored specifically for industrial control systems, widely adopted in energy, railway, manufacturing, and oil & gas sectors.
CRA emphasises market access, lifecycle responsibility, and vulnerability disclosure; IEC 62443 emphasises technical security architecture and secure development process.

CRA vs IEC 62443: side-by-side comparison

The table below compares the two frameworks across seven key dimensions. Note that IEC 62443 is expected to be listed as a harmonised standard under the CRA, meaning demonstrated compliance with the relevant IEC 62443 parts would create a presumption of conformity for the corresponding CRA obligations.

Aspect	CRA (EU Regulation 2024/2847)	IEC 62443 (series)
Nature	EU regulation — legally binding	International standard — voluntary, but widely required by procurement
Scope	All products with digital elements sold in the EU market	Products and systems in industrial automation and control (IACS)
Focus	Cybersecurity throughout the entire product lifecycle, including post-market obligations	Secure development process (IEC 62443-4-1, 2018 ed.) and technical security capabilities (IEC 62443-4-2, 2019 ed.)
Mandatory?	Yes — required for CE marking and EU market access from December 2027	No — but often contractually required for OT projects in critical infrastructure
Lifecycle coverage	Full lifecycle: design, development, deployment, post-market monitoring, end of life	Development lifecycle (4-1) and product security features (4-2); operational security covered by IEC 62443-2-x
Target audience	All digital product manufacturers selling into the EU	Industrial device and system developers, system integrators, asset owners
Key requirements	Risk assessment, secure design, vulnerability handling, SBOM, incident reporting, CE marking	Secure development process (4-1 SR-1 to SR-8), technical security controls (4-2), patch management (2-3)

What are the CRA compliance deadlines?

The CRA entered into force in December 2024, with obligations phased in over three years:

December 2024 — CRA enters into force; manufacturers should begin gap assessments.
September 2026 — Vulnerability and incident reporting obligations to ENISA apply.
December 2027 — Full product requirements apply: conformity assessment, CE marking, SBOM documentation, and post-market monitoring.

Products placed on the EU market after December 2027 without CRA conformity cannot legally be sold. Existing products already on the market before that date are subject to a transitional arrangement. Full CRA text is available at EUR-Lex (EU Regulation 2024/2847).

Where do CRA and IEC 62443 overlap, and where do they differ?

IEC 62443-4-1 (2018 edition) and IEC 62443-4-2 (2019 edition) address several obligations that also appear in the CRA, particularly around secure product design and vulnerability management. However, three CRA requirements are not covered by IEC 62443:

Software Bill of Materials (SBOM) — The CRA requires a structured inventory of all software components; IEC 62443-4-1 requires software dependency management but not a formal SBOM output.
Mandatory incident reporting to ENISA — The CRA requires actively exploited vulnerabilities to be reported to the EU Agency for Cybersecurity (ENISA) within 24 hours; IEC 62443 has no equivalent mandatory reporting obligation.
CE marking and conformity assessment — CRA requires formal third-party conformity assessment for higher-risk products; IEC 62443 certification is vendor-led or third-party audited but not linked to EU market access.

How do ORing products address CRA and IEC 62443 requirements?

ORing develops its industrial Ethernet switches and cybersecurity products using a secure product development lifecycle aligned with IEC 62443-4-1 (2018 edition), including threat modelling, SAST scanning, dependency management, and pre-release penetration testing. At the component level, products in ORing's OT Cybersecurity line support the technical security capabilities defined in IEC 62443-4-2 (2019 edition):

IEEE 802.1X port-based access control and role-based access control (RBAC)
VLAN-based network segmentation for GOOSE domain isolation
SNMPv3 encrypted management and SSH secure access
Syslog-based audit logging for anomaly detection and incident evidence
Firmware integrity verification and secure update mechanisms

These capabilities directly address CRA Article 13 obligations for secure design, vulnerability handling, and access control. For CRA-specific requirements such as SBOM generation and ENISA incident reporting, contact ORing technical support for current product documentation and compliance roadmap information.

Frequently asked questions

1. What is the main difference between the CRA and IEC 62443?

The CRA (EU Regulation 2024/2847) is a legally binding EU regulation — products that do not comply cannot be sold in the EU from December 2027. IEC 62443 is a voluntary international standard for industrial control systems, covering secure development (IEC 62443-4-1, 2018 edition) and technical security (IEC 62443-4-2, 2019 edition). One is a legal requirement; the other is a technical best-practice framework increasingly required by industrial customers.

2. Does IEC 62443 compliance satisfy CRA requirements?

Partial alignment exists: IEC 62443-4-1 and IEC 62443-4-2 overlap significantly with CRA Article 13 secure design and vulnerability management obligations, and IEC 62443 is expected to become a harmonised standard under the CRA. However, three CRA obligations are not covered by IEC 62443: mandatory SBOM documentation, incident reporting to ENISA within 24 hours, and CE marking through formal conformity assessment. IEC 62443 compliance alone is not sufficient for full CRA conformity.

3. Which products must comply with the CRA?

All products with digital elements placed on the EU market — including hardware with embedded software, software products, and remote data processing solutions. Industrial networking devices such as managed Ethernet switches, secure routers, and cellular gateways fall within CRA scope if sold into the EU. The full obligations apply from December 2027 (EU Regulation 2024/2847).

4. Is IEC 62443 mandatory?

IEC 62443 is a voluntary standard with no global regulatory mandate. In practice, it is contractually required by many utility, railway, and critical infrastructure operators for network devices (IEC 62443-4-2, 2019 edition) and vendor development processes (IEC 62443-4-1, 2018 edition). In the EU, demonstrated IEC 62443 compliance is expected to create a presumption of CRA conformity for the corresponding requirements once IEC 62443 is listed as a harmonised standard.

5. What are the CRA compliance deadlines?

The CRA entered into force in December 2024. Vulnerability and incident reporting obligations apply from September 2026. Full product obligations — conformity assessment, CE marking, SBOM, and post-market monitoring — apply from December 2027.

6. How does ORing address CRA and IEC 62443 requirements?

ORing applies a secure development lifecycle aligned with IEC 62443-4-1 (2018 edition) across its industrial Ethernet switch firmware and OT Cybersecurity product line. Products support IEC 62443-4-2 (2019 edition) technical security controls including IEEE 802.1X, VLAN segmentation, SNMPv3, RBAC, and audit logging — capabilities that also address CRA Article 13 secure design obligations. Contact ORing technical support for SBOM and CRA conformity documentation.

7. What is an SBOM and does the CRA require it?

A Software Bill of Materials (SBOM) is a structured inventory of all software components, libraries, and dependencies in a product, enabling vulnerability tracking throughout the product lifecycle. The CRA (EU Regulation 2024/2847) requires manufacturers to maintain and provide SBOM documentation. IEC 62443-4-1 requires software dependency management but does not mandate a formal SBOM output — this is one of the gaps that IEC 62443 compliance alone does not address.