
Understanding CRA, CE Marking, and IEC 62443 for Industrial Computing Products
As cybersecurity regulations continue to evolve, manufacturers, system integrators, and end users are increasingly asking how the Cyber Resilience Act (CRA), CE marking, and IEC 62443 fit together.
For companies supplying industrial computers, embedded systems, edge AI platforms, industrial motherboards, and automation equipment, understanding these requirements is becoming essential. This article explains the relationship between CRA, CE marking, and IEC 62443, and what they mean for industrial computing products sold into the European market.
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) is a European Union regulation that introduces mandatory cybersecurity requirements for products containing digital elements, including both hardware and software. The regulation aims to improve cybersecurity throughout a product’s lifecycle by requiring manufacturers to design, develop, and maintain products with security in mind.
Products covered by the CRA include:
- Industrial PCs
- Embedded computers
- Edge AI systems
- Industrial motherboards
- Network appliances
- IoT devices
- Industrial gateways
- Software products
- Connected automation equipment
The CRA entered into force in December 2024, with the main compliance obligations becoming fully applicable from December 2027. Certain reporting requirements begin earlier, in September 2026.
How Does the CRA Relate to CE Marking?
One of the most important aspects of the CRA is that it becomes part of the CE marking framework. Before a product covered by the CRA can be placed on the EU market, manufacturers must complete a conformity assessment and demonstrate that the product meets the cybersecurity requirements defined by the regulation. Once compliance has been demonstrated, the manufacturer can issue an EU Declaration of Conformity and apply the CE mark.
In practical terms:
CRA Compliance → Conformity Assessment → CE Marking
This means cybersecurity becomes another requirement alongside existing CE-related legislation such as:
- Low Voltage requirements – Ensuring electrical safety through controlled power design, insulation protection, and safe operating voltage levels across industrial systems.
- Electromagnetic Compatibility (EMC) requirements – Ensuring devices operate reliably without causing or being affected by electromagnetic interference in industrial environments.
- Machinery requirements (where applicable) – Ensuring that integrated systems and machine-controlled equipment meet essential safety standards for automated industrial operations.
- Radio Equipment requirements (where applicable) – Ensuring wireless-enabled devices comply with safe, efficient, and interference-free radio spectrum usage and communication standards.
For many industrial computing products, cybersecurity compliance will become just as important as electrical safety and EMC compliance when accessing the European market.
Is CRA Mandatory?
Yes. If a product falls within the scope of the CRA, compliance is mandatory for sale within the European Union. Manufacturers, importers, and distributors must ensure that products meet the applicable cybersecurity requirements before they are placed on the market.
The CRA applies to products with digital elements that have a direct or indirect connection to a device or network. This broad scope means many industrial computing and automation products will be affected.
Does CRA Apply to Every Product?
No. CRA compliance is assessed on a product-by-product basis. A manufacturer may have some products that fall within the scope of the CRA and others that do not. Products that contain digital functionality, firmware, operating systems, networking capabilities, or software are much more likely to be affected.
For example, an industrial computer manufacturer could have:
- Industrial panel PCs requiring CRA compliance
- Embedded edge AI systems requiring CRA compliance
- Industrial gateways requiring CRA compliance
- Certain non-digital accessories that may fall outside CRA scope
The key factor is whether the product qualifies as a “Product with Digital Elements” under the regulation.


What is IEC 62443?
IEC 62443 is an internationally recognised cybersecurity standard developed specifically for Industrial Automation and Control Systems (IACS). Unlike the CRA, IEC 62443 is not legislation. Instead, it provides a framework of cybersecurity best practices covering:
- Secure product development
- Security risk assessments
- Secure system design
- Security testing
- Patch and vulnerability management
- System integration security
- Security lifecycle management
The standard is widely adopted within manufacturing, utilities, energy, transportation, defence, and critical infrastructure sectors.
Is IEC 62443 Mandatory?
In most cases, no. IEC 62443 is generally voluntary and is not a legal requirement in the same way as the CRA. However, many end users and project specifications increasingly require compliance or certification to IEC 62443, particularly in:
- Critical national infrastructure
- Energy and utilities
- Oil and gas
- Defence applications
- Transportation systems
- Industrial automation projects
As a result, certification can provide a significant commercial advantage when bidding for projects in security-conscious industries.
Can IEC 62443 Be Applied to Specific Products?
Yes. Unlike some management system certifications that cover an entire organisation, IEC 62443 can be applied to:
- Individual products
- Product families
- Development processes
- Complete systems
A manufacturer may choose to certify:
- A range of industrial panel PCs
- A family of industrial gateways
- A specific embedded computing platform
while leaving other products outside the certification scope.
There is no requirement for every product in a manufacturer’s portfolio to be covered by IEC 62443.
How Does IEC 62443 Support CRA Compliance?
Although IEC 62443 is not a legal requirement, many industry experts expect it to become one of the most effective ways of demonstrating compliance with CRA cybersecurity requirements. The CRA requires manufacturers to implement secure development practices, vulnerability management processes, risk assessments, and ongoing security support. These are all areas already addressed within IEC 62443.
For industrial computer manufacturers, IEC 62443 can provide:
- A structured cybersecurity framework
- Evidence for conformity assessments
- Improved product security
- Greater confidence for customers
- Support for future CRA compliance programmes
CRA vs IEC 62443: What’s the Difference?
| Feature | CRA | IEC 62443 |
|---|---|---|
| Type | EU Regulation | International Standard |
| Mandatory? | Yes (when product is in scope) | Generally voluntary |
| Linked to CE Marking? | Yes | No |
| Applies to Individual Products? | Yes | Yes |
| Applies to Entire Product Range? | No | No |
| Focus | Legal compliance | Cybersecurity best practice |
| Geographic Scope | European Union | Global |
What Does This Mean for Industrial Computing Manufacturers?
For manufacturers and suppliers of industrial computers, embedded systems, industrial motherboards, and edge AI platforms, cybersecurity is rapidly becoming a core compliance requirement rather than simply a desirable feature.
The CRA will make cybersecurity compliance a requirement for many products sold within the EU, while standards such as IEC 62443 provide a recognised framework for developing and maintaining secure products.
Companies that begin addressing these requirements early will be better positioned to meet future regulatory obligations, support customer cybersecurity requirements, and maintain access to European markets.
Need Help Selecting Industrial Computing Solutions?
At BVM Ltd, we supply a wide range of industrial computers, embedded systems, industrial motherboards, edge AI platforms, and rugged computing solutions for demanding applications. Our team can help you identify hardware platforms suitable for long-term deployment in industrial, transportation, defence, energy, and automation environments.
Contact BVM today to discuss your project requirements and discover the latest industrial computing technologies available for secure, reliable, and future-ready deployments.
Ready to Discuss Your Project?
Contact BVM for all your Industrial and Embedded Computing OEM/ODM design, UK manufacturing or distribution needs. With over 35 years of experience, we supply standard hardware and design custom solutions tailored to your requirements.
Reach our expert sales team on 01489 780144 or email us at sales@bvmltd.co.uk.






