Industrial cybersecurity in transition
Navigating the CRA, NIS2, IEC 62443, and maritime requirements
Executive summary
1. A new era of industrial cybersecurity
Industrial systems are more connected than ever. That connectivity brings efficiency, but also exposes operational technology (OT) to cyber threats that were once limited to IT networks.
Regulators have responded with a clear shift:
- From voluntary guidelines → mandatory requirements
- From add‑on security → security throughout the lifecycle
- From protecting components → protecting entire systems
For industrial companies, this means cybersecurity is no longer optional; it is a core operational requirement.
Beijer Electronics is committed to actively aligning our portfolio, development processes, and documentation with CRA, NIS2, IEC 62443, and maritime cybersecurity requirements. Our roadmap strengthens secure‑by‑design practices, enhances product resilience, and ensures long‑term compliance for customers building modern industrial systems.
2. The regulatory landscape – simplified
Cyber Resilience Act (CRA)
What it is: EU law requiring cybersecurity for all “products with digital elements.”
Who it affects: CRA applies broadly to organizations that deal with digital products available on the EU market, including manufacturers, importers, and distributors.
When it applies: Fully mandatory for new or substantially modified products released on the market after December 11, 2027.
Key obligations:
- Security‑by‑design
- Vulnerability management throughout the lifecycle
- 24‑hour incident reporting
- Clear documentation and security instructions
- Guaranteed security updates for the expected lifetime
Why this matters
The CRA matters because it requires manufacturers to rethink how they design products and document their security practices. Integrators must verify that the components they select comply with CRA obligations, and end users benefit from stronger protection, clearer instructions, and greater transparency throughout the product lifecycle.
NIS2 directive
What it is: EU law for organizations that operate in critical sectors or provide critical services.
Who it affects: Energy, manufacturing, transport, water, healthcare, and more.
Focus: Risk management, incident response, supply chain security, business continuity, etc.
Technical alignment: IEC 62443 is widely recognized as the framework that helps organizations meet NIS2 requirements.
Why this matters
NIS2 raises the bar for everyone involved in essential and important services. Operators must demonstrate that they manage cyber risks in a structured and systematic way, while suppliers are expected to show that their development processes are secure and transparent. As a result, accountability increases across the entire supply chain.
Maritime requirements: IACS UR E26/E27 & DNV profiles
Cybersecurity at sea is now mandatory for newbuilds contracted after July 1, 2024.
- E26 → Cyber resilience of ships
- E27 → Cyber resilience of on-board systems and equipment
- Both are based on IEC 62443 principles
Why this matters
These requirements matter because suppliers must now meet defined cybersecurity criteria to participate in the maritime market. Shipyards and integrators are expected to choose components that carry the appropriate certifications, and ship owners gain clearer assurance that the systems they rely on are built to withstand modern cyber threats.
3. IEC 62443 - The technical backbone
IEC 62443 is the most widely adopted cybersecurity standard for industrial automation. It provides a structured way to secure organizations, systems, and components.
The four parts of IEC 62443
1. General concepts
2. Organizational requirements
3. System‑level requirements
4. Component‑level requirements
Component‑level standards
- IEC 62443‑4‑1: Secure development lifecycle (SDL)
- IEC 62443‑4‑2: Technical security requirements for components (HMIs, PLCs, software, etc.)
Security Levels (SL1–SL4)
- SL1: Protection against accidental misuse
- SL2: Protection against simple intentional attacks
- SL3: Protection against sophisticated attackers
- SL4: Protection against highly resourced adversaries
SL2 is becoming the new baseline across industries.
What SL2 adds beyond SL1:
- Stronger Identification and Authentication
- Session timeout and inactivity handling
- Verification of communication sources
- Stronger software integrity and update controls
Why this matters
The shift toward SL2 is significant because it pushes manufacturers to build more secure products with stronger authentication, integrity controls, and protected interfaces. Machine builders must design systems that meet the required security levels, and end users benefit from clearer expectations and more appropriate protection against intentional attacks.
3. CRA timeline - the essentials
- Dec 10, 2024: CRA enters into force
- June 11, 2026: Conformity Assessment Bodies can apply
- Sept 11, 2026: Mandatory vulnerability & incident reporting begins
- Dec 11, 2027: Full CRA applicability; CE marking requires compliance
Products already on the market are only affected if substantially modified.
What CRA means for manufacturers and customers
For manufacturers
- Implement secure development processes
- Maintain vulnerability reporting procedures
- Provide long‑term security updates
- Deliver clear documentation and instructions
For customers
- More transparency
- Stronger protection
- Predictable security support
4. Beijer Electronics cybersecurity roadmap
Beijer Electronics aims to follow or exceed CRA and other legally binding requirements in our products. By aligning with CRA, NIS2, the Machine regulation and IEC 62443, Beijer Electronics ensures that customers can build compliant, resilient systems using a portfolio that is continuously strengthened and future‑ready.
Our roadmap includes security architecture updates, new security features planning, documentation enhancements, and certification planning.
5. Conclusion: Cybersecurity you can trust
Industrial cybersecurity is shifting from optional to mandatory, and the expectations are rising quickly. Regulations like CRA, NIS2, and IACS UR E26/E27 demand stronger protection, clearer responsibilities, and secure‑by‑design products.
Beijer Electronics is committed to:
- Meeting all applicable cybersecurity regulations
- Delivering secure‑by‑design products
- Supporting customers through their compliance journey
- Maintaining a future‑ready portfolio
Cybersecurity is now essential for safe, reliable, and resilient industrial operations. We’re here to help you navigate this new landscape with confidence.