In today’s global marketplace, the European Union’s Cyber Resilience Act (CRA) isn’t just a European problem. For any North American OEM shipping connected machinery or products with digital elements to the EU market, the clock is already ticking and the first major deadline is closer than many realize.
That was the central message of a recent PMMI Cyber Resilience Act webinar featuring Bruce Main, Technical Director and Standards Specialist, PMMI; Juergen Kress, Managing Director / Global Business Unit Leader, Mettler Toledo Garvens GmbH; and Scott Tenorio, Principal Platform Lead at Rockwell Automation.
CRA in simple terms
The CRA establishes mandatory cybersecurity requirements for any product with digital elements sold on the EU market. CE marking, which is already familiar to most OEMs exporting to Europe, will now require demonstrated cybersecurity compliance. Non-compliance carries significant financial penalties described in Article 64 as “effective, proportionate and dissuasive.”
Unlike traditional CE marking exercises, the CRA isn’t a one-time event. “This CRA has got legs on it,” said Main. “It extends quite a bit.” Manufacturers must provide security updates throughout a defined support period (at least five years under the Act, unless the product’s expected lifetime is shorter), keep each security update available for at least ten years after it is issued, actively monitor and report vulnerabilities, and treat cybersecurity as a living commitment for the life of the machine.
Six Things OEMs Can Do Right Now
- Start your cybersecurity risk assessment — today. This is the single most repeated recommendation from all three panelists. The risk assessment is not a checkbox; it’s a living document that evolves as threats, products, and regulations change. “You don’t need to assume perfection,” said Kress. “You just need to keep iterating it.”
- Build your Software Bill of Materials (SBOM). The CRA requires manufacturers to document the software components of a product, including third-party and open-source dependencies, in a commonly used machine-readable format, and OEMs need the same visibility into controllers, digital components, and interfaces to assess the machine as a whole. The first CRA obligations (vulnerability and incident reporting) apply from September 2026 and the full product requirements, SBOM included, from December 2027, so this work needs to start immediately.
- Adopt IEC 62443 as your framework. While not mandatory, IEC 62443 is strongly aligned with CRA requirements and provides a structured path through protection need analysis, system architecture review, threat identification, and risk mapping. Mettler-Toledo achieved full certification against the standard; Rockwell Automation has held maturity level 4 on IEC 62443-4-1 for years. “There are lots of online resources,” said Kress. “You will find lots of material about it immediately.”
- Address network segmentation. In its 2026 report, the industrial cybersecurity company Dragos found that the majority of cyber incidents occurred in systems where the OT and IT layers lacked proper segmentation. “Without that segmentation, you’re basically inviting attacks,” warned Tenorio. OEMs should map their network topology, understand where their machines connect to broader infrastructure, and design in appropriate firewalls and segmentation from the start.
- Spread security knowledge across your whole team. Don’t rely on one or two internal experts. Tenorio drew a direct parallel to safety: “I really do parallel cybersecurity to what safety was probably 10–15 years ago. Now today, almost every one of our engineers has some knowledge of [IEC] 61508 and safety is just kind of integrated into our mindset. I see security being the same way moving forward.” Bring IT, OT, and product engineering teams together. You may find unexpected talent in the process.
- Compliant parts don’t equal a compliant machine. A critical point for OEMs sourcing components from compliant suppliers: buying CE-marked, CRA-compliant components is a strong start — but it doesn’t get you all the way there. “It doesn’t fully paint the whole picture,” said Tenorio. “You’ve got to put the pieces together” in a secure manner. How a machine is architected, how it connects to the cloud or customer networks, and how its components interact all factor into overall compliance.
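As an added illustration of what a machine-readable SBOM for a machine looks like and how an OEM might check it before shipping, the following is example code written for this page, not material from the PMMI webinar or any of the panelists’ companies. It assumes CycloneDX JSON 1.5 as the format (the CRA does not name one), invents every product, component, version and supplier name, and plants two defects so the check has something to report.

```python
"""Constructed example: a minimal CycloneDX-style SBOM for a packaging
machine, plus a completeness check an OEM might run before shipping it.

Assumptions (not from the webinar): CycloneDX JSON 1.5 as the machine-readable
format, all product and component names/versions, and the required-field list.
Two defects are planted on purpose so the check has something to find.
"""
import json
import uuid
from collections import deque
from datetime import datetime, timezone

# Fields an OEM should insist on for every component before the SBOM is
# considered usable for vulnerability monitoring (assumption, not a CRA list).
REQUIRED_FIELDS = ("type", "name", "version", "supplier", "purl")


def make_component(ctype, ref, name, version, supplier, purl):
    """Build one fully populated CycloneDX component entry."""
    return {
        "type": ctype,
        "bom-ref": ref,
        "name": name,
        "version": version,
        "supplier": {"name": supplier},
        "purl": purl,
    }


def build_machine_sbom():
    """Return a constructed SBOM as a Python dict (json.dumps makes it a file)."""
    machine = make_component("device", "machine", "ExampleFiller-200", "3.1.0",
                             "Example OEM", "pkg:generic/examplefiller-200@3.1.0")
    components = [
        make_component("firmware", "plc", "plc-firmware", "21.011",
                       "Example Controls", "pkg:generic/plc-firmware@21.011"),
        make_component("application", "hmi", "hmi-runtime", "5.2.3",
                       "Example HMI", "pkg:generic/hmi-runtime@5.2.3"),
        make_component("library", "openssl", "openssl", "3.0.13",
                       "OpenSSL Software Foundation", "pkg:generic/openssl@3.0.13"),
        # Planted defect 1: supplier and purl missing, so the entry cannot be
        # matched against vulnerability advisories reliably.
        {"type": "library", "bom-ref": "zlib", "name": "zlib", "version": "1.2.13"},
        # Planted defect 2: a component nothing depends on (stale or unlinked).
        make_component("library", "ftp-lib", "legacy-ftp-lib", "0.9",
                       "Example Vendor", "pkg:generic/legacy-ftp-lib@0.9"),
    ]
    dependencies = [
        {"ref": "machine", "dependsOn": ["plc", "hmi"]},
        {"ref": "hmi", "dependsOn": ["openssl", "zlib"]},
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": machine,
        },
        "components": components,
        "dependencies": dependencies,
    }


def check_sbom(bom):
    """Return a sorted list of (bom-ref, problem) tuples; empty means clean."""
    issues = []
    root = bom["metadata"]["component"]["bom-ref"]
    known = {c["bom-ref"] for c in bom["components"]} | {root}

    # 1. Every component carries the fields needed to identify it.
    for comp in bom["components"]:
        missing = [f for f in REQUIRED_FIELDS if f not in comp]
        if missing:
            issues.append((comp["bom-ref"], "missing " + ", ".join(missing)))

    # 2. Dependency edges only point at components that exist in the SBOM.
    edges = {}
    for dep in bom["dependencies"]:
        edges[dep["ref"]] = list(dep.get("dependsOn", []))
        for target in edges[dep["ref"]]:
            if target not in known:
                issues.append((dep["ref"], f"depends on unknown ref {target}"))

    # 3. Every component is reachable from the product itself; an unreachable
    #    entry is either stale or is missing the edge that links it in.
    seen, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for target in edges.get(node, []):
            if target in known and target not in seen:
                seen.add(target)
                queue.append(target)
    for ref in sorted(known - seen):
        issues.append((ref, "not reachable from the top-level product"))

    return sorted(issues)


if __name__ == "__main__":
    sbom = build_machine_sbom()
    print(json.dumps(sbom, indent=2)[:400], "...")
    for ref, problem in check_sbom(sbom):
        print(f"{ref}: {problem}")
```

Running it prints the start of the JSON document and then the two planted findings: `zlib` lacks a supplier and package URL, and `legacy-ftp-lib` is listed but not linked to the machine by any dependency edge. The reachability check is the one that tends to catch the “compliant parts, non-compliant machine” problem in practice: component SBOMs pasted together without dependency edges describe the parts but not how the machine is assembled from them.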
The CRA formalizes what good security practice should already look like. For OEMs, the message from the experts is simple: don’t be overwhelmed, don’t wait for perfect information, and don’t treat this as someone else’s problem. Start now, build your team’s knowledge, document everything, and treat cybersecurity as the ongoing commitment it has always needed to be.
For more information, PMMI members can access the full webinar recording at pmmi.org/global-marketing/webinars.