CRA Compliance Checklist: Industrial Controllers & PLCs
Important Class II (Annex III) — industrial automation and control systems for critical processes
Industrial controllers, PLCs, and SCADA components are classified as Important Class II under Annex III of the CRA, requiring third-party conformity assessment. These products have long operational lifetimes (10–20+ years), network connectivity, and significant safety implications. CRA compliance must be planned well in advance of the September 2026 deadline.
1. Classification & Conformity Route
Confirm Annex III Class II classification for industrial automation and control products
Industrial controllers, PLCs, DCS, and SCADA components fall under Class II. Self-assessment is NOT permitted.
Identify and engage an accredited notified body for EU type-examination (Module B)
Lead times for notified body engagement may be 6–18 months. Engage immediately — the September 2026 deadline is approaching fast.
Begin the technical documentation review process with the notified body
Notified bodies will need full technical documentation including security architecture, SBOM, risk assessment, and CVD policy.
2. Product Security (Annex I Part I)
Implement role-based access control for all HMI and engineering workstation interfaces
Industrial controllers must authenticate users at all access levels — operator, engineer, and administrator — with appropriate privilege separation.
Ensure secure firmware update process with signature verification and rollback protection
Industrial controller updates must preserve safety function integrity. Update signing and rollback protection are mandatory.
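The two checks in that item, shown together as an added example that is not from the original page or any vendor's update code: the controller verifies an Ed25519 signature over the version field and payload before trusting either, and then refuses any image older than the one it is running. The image layout, the in-memory vendor key pair and the sample payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Constructed image format (not any vendor's): Sig signs version || payload.
type Image struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

func (img Image) signedBytes() []byte {
	buf := make([]byte, 4+len(img.Payload))
	binary.BigEndian.PutUint32(buf, img.Version)
	copy(buf[4:], img.Payload)
	return buf
}
// NewVendorKeys stands in for the build server's HSM-held signing key.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
// BuildImage signs version and payload together, so neither can be edited alone.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	img := Image{Version: version, Payload: payload}
	img.Sig = ed25519.Sign(priv, img.signedBytes())
	return img
}
// Controller holds the vendor public key and the running version (anti-rollback counter).
type Controller struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}
var ErrBadSignature = errors.New("firmware rejected: signature invalid")
var ErrRollback = errors.New("firmware rejected: older than installed version")
// Install checks the signature before trusting any field, then refuses downgrades.
func (c *Controller) Install(img Image) error {
	if !ed25519.Verify(c.VendorPub, img.signedBytes(), img.Sig) {
		return ErrBadSignature
	}
	if img.Version < c.Installed {
		return ErrRollback
	}
	c.Installed = img.Version
	return nil
}
```

The order matters: a version field read before signature verification would let an attacker bypass the rollback check with a forged header, so the counter is only updated after both checks pass.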
Disable all unused communication protocols and ports (Modbus, OPC-UA, EtherNet/IP)
Industrial protocols frequently lack authentication. Disable unused protocols to minimise attack surface.
Scan all firmware and software components against ICS-specific CVE databases (ICS-CERT, NIST)
The SBOM must cover the embedded RTOS, communication stack, protocol implementations, and any HMI software components.
Implement network segmentation support (industrial DMZ, OT/IT separation)
Controllers must support deployment in properly segmented OT networks.
Maintain tamper-evident security logs for audit and forensic investigation
Logs must capture all configuration changes, authentication events, and communication anomalies.
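One way to make such a log tamper-evident, as an added example that is not from the original page or any controller's logging code: each record carries an HMAC over its sequence number, event text and the previous record's MAC, so editing, reordering or deleting an entry breaks every link after it. The per-device key and the event strings are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record; Prev carries the previous record's MAC, which
// chains the records so an edit, reorder or deletion breaks every later link.
type Entry struct {
	Seq   int
	Event string
	Prev  string
	Mac   string
}
// entryMAC binds sequence number, event text and chain link under a key
// provisioned per device (constructed here; a real controller would keep it
// in protected storage, not beside the log).
func entryMAC(key []byte, seq int, event, prev string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d|%s|%s", seq, event, prev)
	return hex.EncodeToString(m.Sum(nil))
}
type AuditLog struct {
	Key     []byte
	Entries []Entry
}
// Append records an event linked to the current chain head.
func (l *AuditLog) Append(event string) {
	prev := "genesis"
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Mac
	}
	seq := len(l.Entries)
	l.Entries = append(l.Entries, Entry{seq, event, prev, entryMAC(l.Key, seq, event, prev)})
}
// Verify walks the chain and returns the index of the first record whose
// sequence, link or MAC does not check out, or -1 if the log is intact.
func Verify(key []byte, entries []Entry) int {
	prev := "genesis"
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev ||
			!hmac.Equal([]byte(e.Mac), []byte(entryMAC(key, i, e.Event, prev))) {
			return i
		}
		prev = e.Mac
	}
	return -1
}
```

Truncating the newest records leaves a valid shorter chain, so the current head MAC should be forwarded periodically to an external collector (SIEM or historian) that can compare it during an investigation.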
3. CVD Policy & Long-Lifecycle Management
Publish a CVD policy covering all active product lines and legacy products still in support
Industrial customers expect clear vulnerability reporting channels. Include product-specific scope in the CVD policy.
Define security support periods of at least 10 years for industrial controller products
Industrial controllers often operate for 15–20+ years. Support periods must reflect this. Plan for long-term patch provision.
Establish a PSIRT (Product Security Incident Response Team) with defined escalation paths
A dedicated PSIRT function is expected for Annex III Class II products. Document roles, responsibilities, and escalation timelines.
Create a process for delivering security updates that works in air-gapped environments
Many industrial sites are air-gapped. Provide offline update packages (USB, DVD) alongside OTA updates.
4. Article 14 Incident Reporting
Monitor ICS-CERT and sector-specific threat intelligence for exploitation of your product lines
Industrial controller exploits are often state-sponsored and may target specific product models. Active monitoring is essential.
Establish and test the 24h early warning notification procedure with responsible personnel
Coordinate with ICS-CERT or sector CERT. Establish a communication protocol that can be executed within 24 hours even outside business hours.
Document supply chain notification procedures — notify downstream customers of critical vulnerabilities
Industrial customers may have critical infrastructure deployments. Notification procedures must reach them directly, not just via public advisories.
5. Legacy Product Management
Publish an end-of-life roadmap for all current product lines with security support end dates
Industrial customers need long advance notice of EOL to plan migration. Publish this proactively.
Develop a migration assistance programme for customers on end-of-life products
CRA obligations extend to products throughout their supported life. Having a migration path available reduces liability.
Frequently asked
Do all PLCs require third-party conformity assessment under the CRA?
PLCs and industrial automation controllers used in process control are classified as Important Class II under Annex III. This requires third-party EU type-examination by a notified body — self-assessment is not sufficient. However, simple relay-replacement PLCs with limited network connectivity may not meet the classification criteria.
How does the CRA interact with IEC 62443 for industrial cybersecurity?
IEC 62443 is the primary industrial cybersecurity standard and aligns well with CRA Annex I requirements. Conformity with IEC 62443-4-2 (product security requirements) and IEC 62443-4-1 (secure development lifecycle) can serve as evidence of CRA compliance. Notified bodies will likely accept IEC 62443 certification as supporting evidence.
My PLCs are deployed in air-gapped nuclear/defence sites — does the CRA apply?
Products used exclusively for national security or military purposes are excluded from the CRA. However, the same PLCs sold commercially for industrial use are in scope. The classification of a specific deployment (defence vs commercial) affects application, but products placed on the EU commercial market must still meet CRA requirements.