Security Operations Centre (SOC)

A Security Operations Centre (SOC) is a dedicated organisational function responsible for the continuous monitoring of an organisation's security posture, detection of threats and incidents, and coordination of incident response. SOCs are staffed by security analysts working in shifts (often 24/7 for large organisations), supported by technology tools including SIEM platforms, EDR solutions, threat intelligence feeds, and automation playbooks. SOC analysts investigate alerts, correlate events across multiple data sources, determine whether a genuine security incident has occurred, and escalate to incident response teams. For manufacturers of CRA-covered products, the SOC function is relevant both for protecting the manufacturer's own infrastructure (including development and signing infrastructure) and for supporting the monitoring obligations relevant to CRA Article 14 notifications.

Several SOC capabilities directly support CRA compliance:

• Exploitation monitoring: SOC analysts monitoring threat intelligence feeds and telemetry can detect evidence that a vulnerability in the manufacturer's products is being actively exploited — triggering the CRA Article 14 24-hour notification obligation.
• Product security telemetry: For cloud-connected products, the SOC may monitor product telemetry for signs of compromise or anomalous behaviour that could indicate an exploited vulnerability.
• Manufacturing and signing infrastructure protection: The SOC monitors the manufacturer's internal infrastructure, including the build pipeline and signing servers. A compromised signing key — not detected by the SOC — could result in malicious firmware being signed and distributed to customers.
• Incident escalation to PSIRT: When the SOC identifies a security event related to a product vulnerability, it should have a defined escalation path to the PSIRT team responsible for CRA Article 14 notifications and remediation.

The SOC and PSIRT are distinct functions that must collaborate for effective CRA compliance:

• SOC: Monitors the organisation's infrastructure and detects threats in real time. Focuses on the organisation as the target. Responds to active incidents.
• PSIRT: Manages the vulnerability lifecycle for the manufacturer's products. Receives researcher reports, triages CVEs, coordinates remediation, and publishes advisories. Focuses on the product as the subject.

The interfaces between them are: the SOC escalates to PSIRT when it detects evidence of product vulnerability exploitation; the PSIRT escalates to the SOC when it needs infrastructure security support during incident response. Both contribute to the CRA Article 14 notification process — the SOC provides exploitation evidence; the PSIRT provides the vulnerability context and notification drafting.

The CRA does not mandate a SOC specifically. However, the obligation to notify ENISA within 24 hours of becoming aware of actively exploited vulnerabilities effectively requires some form of continuous monitoring capability. For smaller manufacturers, this might be a lightweight monitoring capability with automated alerting for critical threat intelligence events rather than a full 24/7 SOC. Manufacturers subject to NIS2 as operators have more explicit monitoring obligations that may require SOC-level capabilities.

• Managed SOC / MSSP: Outsource SOC functions to a Managed Security Service Provider. Provides 24/7 monitoring without internal staffing.
• Threat intelligence subscription with alerting: Subscribe to threat intelligence feeds that send alerts for new exploitation events affecting the manufacturer's product technology stack.
• CSIRT partnership: Establish a notification arrangement with the national CSIRT to receive proactive alerts when exploitation of the manufacturer's products is detected.