CRA Compliance Checklist: Process Control & SCADA Systems
Annex III Class II — SCADA systems and industrial process controllers for critical infrastructure are among the highest-risk categories under CRA; third-party conformity assessment mandatory
SCADA systems and industrial process controllers form the backbone of critical infrastructure — water treatment, energy generation, chemical processing, and manufacturing. CRA Annex III Class II applies to these systems given their potential for widespread societal harm if compromised. Third-party conformity assessment by an EU Notified Body is mandatory. Manufacturers must align with IEC 62443 and address the intersection with NIS2 Directive obligations for their customers.
1. Scope & Classification
Confirm SCADA systems and process controllers for critical infrastructure are classified as Annex III Class II
Process control systems for water, energy, chemicals, transport, and similar critical infrastructure are explicitly within Annex III Class II scope. No self-declaration is permitted.
Engage a Notified Body with OT and industrial cybersecurity expertise for mandatory Type Examination
SCADA system Notified Body assessments require deep OT expertise. Allow 9–18 months for assessment given the complexity of industrial control system documentation.
Assess NIS2 Directive implications for your customers — your SCADA must support their essential entity security obligations
Critical infrastructure operators are NIS2 essential entities. Your SCADA must support security features required by NIS2 Article 21 (access control, incident response, supply chain security).
Compile a comprehensive SBOM including all PLC firmware, HMI software, historian, engineering workstation software, and communication drivers
SCADA stacks are architecturally complex with many vendor components. The SBOM must cover every software component capable of execution.
2. Product Security (Annex I Part I)
Implement principle of least privilege for all SCADA accounts — separate engineering, operator, and monitoring roles
Over-privileged SCADA accounts are a leading attack vector. Role separation with MFA is mandatory. Emergency bypass procedures must be documented and logged.
Provide native encryption for all SCADA communications — do not rely solely on network-layer controls
OPC-UA Security Mode Sign & Encrypt, TLS for web HMIs, and VPN for remote access are minimum requirements. Avoid plaintext legacy protocols over routable networks.
Implement application whitelisting on engineering workstations and SCADA servers
SCADA workstations should only execute authorised software. Application whitelisting prevents execution of malware and unauthorised tools.
Provide tamper-evident audit logging of all process setpoint changes, alarm acknowledgments, and configuration modifications
SCADA audit logs are essential for incident investigation and regulatory compliance. Logs must be forwarded to a centralised log management system and be tamper-evident.
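As an added example (not code from this page or from any vendor's product), the Go program below keeps an HMAC-chained audit log of setpoint changes and alarm acknowledgements, the kind of tamper evidence this item asks for, and shows that rewriting a stored record is detected on verification. The tag names, operator account and MAC key are constructed for the demo.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// AuditEvent is one SCADA audit record (setpoint change, alarm ack or config edit). Each record
// carries the MAC of its predecessor, so editing, deleting or reordering any record breaks the
// chain. The MAC key lives on the central log collector, never on the HMI or PLC emitting events.
type AuditEvent struct {
	Actor, Kind, Tag, Old, New string
	PrevHash, Hash             string // hex HMAC-SHA256 digests
}
const genesis = "0000000000000000000000000000000000000000000000000000000000000000" // link for record 1
// mac computes HMAC-SHA256 over the record's fields and its link to the previous record.
func mac(key []byte, e AuditEvent) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%s|%s|%s|%s|%s", e.Actor, e.Kind, e.Tag, e.Old, e.New, e.PrevHash)
	return hex.EncodeToString(m.Sum(nil))
}
// Append links a new record to the chain and returns the extended log.
func Append(key []byte, chain []AuditEvent, actor, kind, tag, oldV, newV string) []AuditEvent {
	e := AuditEvent{Actor: actor, Kind: kind, Tag: tag, Old: oldV, New: newV, PrevHash: genesis}
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = mac(key, e)
	return append(chain, e)
}
// Verify recomputes every MAC and link; it returns the index of the first broken record, or -1 if intact.
func Verify(key []byte, chain []AuditEvent) int {
	prev := genesis
	for i, e := range chain {
		if e.PrevHash != prev || !hmac.Equal([]byte(e.Hash), []byte(mac(key, e))) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	key := []byte("constructed-demo-key") // assumption: a production key is provisioned from an HSM/KMS
	chain := Append(key, nil, "op_smith", "SETPOINT", "PUMP1.FLOW_SP", "120", "135")
	chain = Append(key, chain, "op_smith", "ALARM_ACK", "TANK2.HI_LEVEL", "ACTIVE", "ACKED")
	chain[0].New = "300" // rewriting setpoint history is caught: Verify reports record 0 (-1 before)
	fmt.Println("first broken record:", Verify(key, chain)) // 0
}
```

Deleting a record is caught the same way, because the next record's PrevHash no longer matches anything, and forwarding each record's Hash to the central log server as it is written gives the server the link to check against.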
Support network demilitarised zone (DMZ) architectures to isolate control networks from corporate IT and the internet
Purdue Model or IEC 62443 zone-and-conduit architecture must be supported. SCADA components should not have direct internet connectivity.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy with a dedicated ICS/OT security contact and defined response timelines
SCADA systems attract significant ICS security research. CISA and ENISA publish ICS-CERT advisories regularly. A responsive CVD process with OT expertise is essential.
Provide cryptographically signed offline firmware and software update packages for air-gapped SCADA deployments
Critical infrastructure SCADA systems are often air-gapped. Provide signed update packages deliverable via secure media (USB, DVD) with documented verification procedures.
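An added example, not from this page or any product, of a signed offline update package and the verification procedure a device runs before installing it: the vendor signs a manifest of file hashes with Ed25519, and the device checks the signature, refuses rollback to an older version, and compares every file on the media against its listed hash. The file name, version numbers and firmware bytes are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// Manifest lists the SHA-256 of every file in one offline update package plus a monotonic version.
// The vendor signs the JSON-encoded manifest with an Ed25519 key kept offline; the device holds only the public key.
type Manifest struct {
	Version int               `json:"version"` // monotonic, used for anti-rollback
	Files   map[string]string `json:"files"`   // relative path -> hex SHA-256
}
func sha(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// Sign is the vendor-side step: it returns the manifest bytes and a detached signature over them.
func Sign(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}
// VerifyPackage runs on the device before anything is installed: signature first, then
// anti-rollback, then every listed file against its hash. Any failure aborts the update.
func VerifyPackage(pub ed25519.PublicKey, installed int, body, sig []byte, files map[string][]byte) (m Manifest, err error) {
	if !ed25519.Verify(pub, body, sig) {
		return m, fmt.Errorf("manifest signature invalid")
	}
	if err = json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	if m.Version <= installed {
		return m, fmt.Errorf("rollback refused: package v%d, installed v%d", m.Version, installed)
	}
	for path, want := range m.Files {
		if data, ok := files[path]; !ok || sha(data) != want {
			return m, fmt.Errorf("file %s missing or altered", path)
		}
	}
	return m, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // assumption: the real signing key lives in an offline HSM
	fw := []byte("constructed PLC firmware image")
	body, sig, _ := Sign(priv, Manifest{Version: 7, Files: map[string]string{"rtu200.bin": sha(fw)}})
	_, err := VerifyPackage(pub, 6, body, sig, map[string][]byte{"rtu200.bin": fw})
	fmt.Println("genuine package:", err) // <nil>
	_, err = VerifyPackage(pub, 6, body, sig, map[string][]byte{"rtu200.bin": append(fw, '!')})
	fmt.Println("altered firmware:", err) // file rtu200.bin missing or altered
}
```

The documented verification procedure for technicians is then the same three checks in the same order, and the public key should be baked into device firmware at manufacture rather than shipped on the update media.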
Define a minimum 15-year security support period reflecting the asset lifecycle of industrial process control systems
SCADA systems have typical lifespans of 15–25 years. A 15-year security support commitment is appropriate. Publish end-of-support dates at product launch.
Coordinate vulnerability disclosures with national ICS-CERT / CERT organisations in addition to ENISA
SCADA vulnerabilities may warrant coordination with CISA ICS-CERT, ENISA, and national CERTs. Build this multi-stakeholder process into your CVD procedure.
4. Article 14 Incident Reporting
Define Article 14 triggers for SCADA incidents — prioritise safety system bypass, process disruption, and data exfiltration from critical infrastructure
Any exploitation that could cause physical process disruption, equipment damage, or environmental release is a critical Article 14 trigger. Pre-define your criteria.
Coordinate Article 14 reporting with customer NIS2 incident reporting — parallel notifications are often required
A SCADA incident at a water utility simultaneously triggers your Article 14 obligations and the utility's NIS2 reporting duties. Pre-agree customer notification procedures.
5. CE Marking & Conformity Assessment
Complete Notified Body Type Examination — document assessment against IEC 62443-3-3 System Security Requirements
IEC 62443-3-3 at Security Level 2 is the recognised benchmark for industrial control system security. Align your technical file with IEC 62443 to streamline Notified Body assessment.
Issue EU Declaration of Conformity referencing the CRA for all SCADA platform components
The DoC must cover all components placed on the market — RTUs, PLCs, HMI software, historian, and engineering workstation software.
Frequently asked questions
Our SCADA system is air-gapped — does the CRA still apply?
Yes. The CRA applies to the product as it is placed on the market, not its deployment configuration. An air-gapped SCADA system is still a product with digital elements that must meet CRA Annex I requirements and undergo Notified Body assessment. Furthermore, many 'air-gapped' systems have temporary connections for updates or remote support that create real attack surfaces.
We supply SCADA components (RTUs, PLCs) that integrate into third-party SCADA systems — are we responsible for the integrated system's CRA compliance?
As a component manufacturer, you are responsible for CRA compliance of your component as a standalone product. The system integrator who assembles the full SCADA system and places it on the market takes on manufacturer obligations for the integrated system. You should provide CRA technical documentation and SBOM data to integrators to support their compliance.
How does IEC 62443 certification relate to CRA compliance for SCADA systems?
IEC 62443 certification is not legally required by the CRA, but it is highly relevant. The CRA allows harmonised standards to be used as presumption of conformity with Annex I requirements. When harmonised standards referencing IEC 62443 are published under the CRA, compliance with those standards will provide a presumption of CRA conformity. Proactively aligning with IEC 62443 is strongly recommended.