EU Cyber Resilience Act Guide for Oil & Gas Automation Vendors
Classification: default category for most products; Important Product (Class I or Class II) only where the product's core functionality is one listed in Annex III
Oil and gas automation vendors supplying SCADA systems, RTUs, and PLCs to EU operators fall within the CRA's scope as manufacturers of products with digital elements. The regulation imposes a mandatory coordinated vulnerability disclosure policy, secure-by-design and vulnerability-handling requirements, and reporting of actively exploited vulnerabilities and severe incidents with a 24-hour early-warning deadline, all of which go beyond existing IEC 62443 compliance programmes. The reporting obligations apply from 11 September 2026; the remaining obligations apply to products placed on the market from 11 December 2027, so security documentation, conformity assessment, and post-market monitoring must be aligned with those two dates.
CRA Scope and Classification for Oil & Gas Automation
Automation products supplied to EU oil and gas operators, including SCADA front-ends, remote terminal units (RTUs), programmable logic controllers (PLCs), historian servers, and safety instrumented system (SIS) components, are products with digital elements under Article 3(1) of the CRA whenever they are made available on the EU market and their intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. Classification does not follow from safety criticality. The Commission's 2022 proposal listed industrial automation and control systems (PLCs, DCS, SCADA) in Annex III, but those entries were removed from the adopted text, so PLCs, RTUs, SCADA servers, historians and SIS components as such fall into the default category and can use the manufacturer's own conformity assessment. A product becomes an Important Product only if its core functionality is one of the categories Annex III lists (Article 7), for example a firewall or intrusion detection function (Class II), or an operating system, network switch, VPN function, or microcontroller with security-related functionality (Class I), or if the Commission later adds a category by delegated act. Vendors should therefore document a classification analysis for each product, recording which Annex III categories were examined and why they do or do not apply, before selecting a conformity pathway. Software-only products such as HMI applications are also in scope when supplied commercially to EU operators, whether or not they ship embedded in hardware.
Key Technical Security Obligations Under Annex I
Annex I Part I of the CRA requires products to be designed, developed and produced so that they provide a level of cybersecurity appropriate to the risks, based on a documented cybersecurity risk assessment. For OT vendors this means: applying least privilege to service accounts and remote access channels; offering authenticated and encrypted communications on field protocols where the underlying standard permits it (for example OPC UA security policies, or DNP3 Secure Authentication v5 as specified in IEEE 1815-2012); shipping each product in a secure default configuration and documenting a secure configuration baseline; making firmware and software update mechanisms authenticated and integrity-verified, so that a controller installs only images the vendor has signed and rejects anything that fails verification; and providing a way to permanently remove all data and settings at decommissioning. Annex I Part II adds vulnerability-handling obligations: identifying and documenting components through a software bill of materials (SBOM) in a commonly used machine-readable format covering at least the top-level dependencies (a complete transitive SBOM is good practice and is what operators will ask for), actively monitoring distributed products for vulnerabilities, and remediating them without delay by issuing security updates that are distributed through a secure channel.
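The authenticated, integrity-verified update mechanism the paragraph asks for is easier to reason about with the device-side check written out. The following is an added example, not code from the page or from CVD Portal, and the product names, manifest layout and Ed25519 choice are assumptions for illustration. The vendor signs a manifest binding the image digest to a product name and a monotonically increasing version; the device verifies the signature before trusting any manifest field, then checks product, digest and version. The version check matters because an attacker who can serve an old but validly signed firmware could otherwise roll a controller back to a release with a known vulnerability.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the hypothetical metadata the vendor signs alongside the image
// digest. Binding product and version to the digest stops a valid signature
// being re-used for another product line or for an older, vulnerable release.
type Manifest struct {
	Product string
	Version uint32
	Digest  [sha256.Size]byte
}

// encode produces the canonical byte string that is signed and verified.
func (m Manifest) encode() []byte {
	var buf bytes.Buffer
	buf.WriteString(m.Product)
	buf.WriteByte(0) // separator: "PLC-1" + version must not collide with "PLC-10"
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	buf.Write(v[:])
	buf.Write(m.Digest[:])
	return buf.Bytes()
}

// SignUpdate is the vendor-side (build server / HSM) operation.
func SignUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Product: product, Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrProduct   = errors.New("manifest is for a different product")
	ErrDigest    = errors.New("image digest does not match signed manifest")
	ErrRollback  = errors.New("update version is not newer than installed version")
)

// Device models the controller's persistent state: the vendor public key is
// provisioned at manufacture (ideally in write-protected storage) and the
// installed version doubles as an anti-rollback counter.
type Device struct {
	Product   string
	Version   uint32
	VendorKey ed25519.PublicKey
}

// VerifyUpdate is the device-side check. The signature is verified first so
// that no unauthenticated manifest field ever influences control flow.
func (d *Device) VerifyUpdate(image []byte, m Manifest, sig []byte) error {
	if !ed25519.Verify(d.VendorKey, m.encode(), sig) {
		return ErrSignature
	}
	if m.Product != d.Product {
		return ErrProduct
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	return nil
}

// ApplyUpdate installs the image only if every check passes.
func (d *Device) ApplyUpdate(image []byte, m Manifest, sig []byte) error {
	if err := d.VerifyUpdate(image, m, sig); err != nil {
		return err
	}
	d.Version = m.Version // a real device would now write the image to its inactive slot
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{Product: "RTU-2000", Version: 1, VendorKey: pub}
	image := []byte("constructed firmware image v2") // stand-in for a real binary
	m, sig := SignUpdate(priv, "RTU-2000", 2, image)
	fmt.Println("apply v2:  ", dev.ApplyUpdate(image, m, sig))
	fmt.Println("replay v2: ", dev.ApplyUpdate(image, m, sig))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered:  ", dev.ApplyUpdate(tampered, m, sig))
}
```

In a real product the private key never leaves the build infrastructure, the public key (or a hash of it) is anchored in immutable storage or a secure element, and the version counter is stored where a filesystem wipe cannot reset it; the checks themselves stay as shown.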
Coordinated Vulnerability Disclosure and Article 13 Requirements
The CRA requires every manufacturer to put in place and enforce a coordinated vulnerability disclosure (CVD) policy and to publish a contact address for reporting vulnerabilities (Annex I Part II, given effect by Article 13). For oil and gas automation vendors, this policy should specify a dedicated, publicly accessible reporting channel, typically a security contact mailbox advertised in a security.txt file served at /.well-known/security.txt (RFC 9116), and commit to acknowledgement and triage timeframes; the CRA does not fix those timeframes, so the policy should state them. Because OT vulnerabilities in energy infrastructure are frequently reported by ICS security researchers and national CSIRTs, the policy should explicitly accommodate coordinated multi-party disclosure, including interaction with ENISA and sector-specific CERTs. It must also cover how reported vulnerabilities are triaged, remediated, and communicated to affected operators, and how fixed vulnerabilities are disclosed publicly once a security update is available (Annex I Part II requires a description of the vulnerability, the affected products, impact, severity and remediation guidance). CVD Portal provides hosted disclosure programmes that generate security.txt files and manage researcher communications, reducing the administrative burden for vendors without dedicated product security teams.
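Since the reporting channel is usually advertised through security.txt, a vendor should be able to check its own file against the RFC 9116 rules before a researcher or auditor does. The following validator is an added example, not code from the page or from CVD Portal; the two sample files are constructed for a hypothetical vendor domain (example.com) and the evaluation date is fixed so the expiry check is reproducible. It enforces the required fields (at least one Contact, exactly one Expires in RFC 3339 form and in the future), the https requirement on web URIs, the at-most-once rule for Preferred-Languages, flags unknown field names, and skips OpenPGP cleartext-signature framing so signed files can be checked too (the signature itself is not verified here).

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// GoodSecurityTxt and BadSecurityTxt are constructed samples for a hypothetical
// vendor; they are not real published files.
const GoodSecurityTxt = `# Constructed example for a hypothetical vendor
Contact: mailto:psirt@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/cvd-policy
Preferred-Languages: en, de
CSAF: https://example.com/.well-known/csaf/provider-metadata.json
`

const BadSecurityTxt = `Contact: http://example.com/security
Expires: 2025-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
Bounty: https://example.com/bounty
`

func hasPrefixAny(s string, prefixes ...string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(s, p) {
			return true
		}
	}
	return false
}

// ValidateSecurityTxt checks a security.txt body against the RFC 9116 field
// rules. now is injected so the expiry check is deterministic. It returns one
// finding per problem; an empty slice means the file is well formed.
func ValidateSecurityTxt(content string, now time.Time) []string {
	var findings []string
	counts := map[string]int{}
	inPGPHeader := false
	sc := bufio.NewScanner(strings.NewReader(content))
scan:
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimRight(sc.Text(), "\r")
		switch {
		case line == "-----BEGIN PGP SIGNED MESSAGE-----":
			inPGPHeader = true // armor headers such as "Hash: SHA256" follow until a blank line
			continue
		case line == "-----BEGIN PGP SIGNATURE-----":
			break scan // the signature block carries no fields
		case inPGPHeader:
			inPGPHeader = line != ""
			continue
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			findings = append(findings, fmt.Sprintf("line %d: not a 'Field: value' line", lineNo))
			continue
		}
		name = strings.ToLower(strings.TrimSpace(name)) // field names are case-insensitive
		value = strings.TrimSpace(value)
		counts[name]++
		switch name {
		case "contact":
			if !hasPrefixAny(value, "mailto:", "tel:", "https://") {
				findings = append(findings, fmt.Sprintf("line %d: Contact must be a mailto:, tel: or https: URI, got %q", lineNo, value))
			}
		case "expires":
			t, err := time.Parse(time.RFC3339, value)
			switch {
			case err != nil:
				findings = append(findings, fmt.Sprintf("line %d: Expires is not an RFC 3339 timestamp", lineNo))
			case !t.After(now):
				findings = append(findings, fmt.Sprintf("line %d: file expired on %s", lineNo, value))
			case t.After(now.AddDate(1, 0, 0)):
				findings = append(findings, fmt.Sprintf("line %d: Expires is more than a year away; RFC 9116 recommends under a year", lineNo))
			}
		case "encryption":
			if !hasPrefixAny(value, "https://", "dns:", "openpgp4fpr:") {
				findings = append(findings, fmt.Sprintf("line %d: Encryption must be an https, dns or openpgp4fpr URI", lineNo))
			}
		case "canonical", "policy", "acknowledgments", "hiring", "csaf":
			if !strings.HasPrefix(value, "https://") {
				findings = append(findings, fmt.Sprintf("line %d: %s must be an https URI", lineNo, name))
			}
		case "preferred-languages":
			// language tags are free-form BCP 47; only the at-most-once rule is checked below
		default:
			findings = append(findings, fmt.Sprintf("line %d: unknown field %q", lineNo, name))
		}
	}
	if counts["contact"] == 0 {
		findings = append(findings, "missing required Contact field")
	}
	if counts["expires"] == 0 {
		findings = append(findings, "missing required Expires field")
	} else if counts["expires"] > 1 {
		findings = append(findings, "Expires must appear exactly once")
	}
	if counts["preferred-languages"] > 1 {
		findings = append(findings, "Preferred-Languages must appear at most once")
	}
	return findings
}

func main() {
	now := time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC) // constructed evaluation date
	for _, s := range []struct{ name, body string }{{"good", GoodSecurityTxt}, {"bad", BadSecurityTxt}} {
		f := ValidateSecurityTxt(s.body, now)
		fmt.Printf("%s: %d finding(s)\n", s.name, len(f))
		for _, line := range f {
			fmt.Println("  -", line)
		}
	}
}
```

Running this against a live file (fetch https://vendor.example/.well-known/security.txt and pass the body with time.Now()) is a cheap check to add to a release pipeline; the most common finding in practice is an Expires value that silently passed, which makes the file invalid even though the mailbox still works.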
Article 14 Incident and Vulnerability Reporting
Article 14 requires manufacturers to report, through the single reporting platform operated by ENISA (Article 16), any actively exploited vulnerability in a product placed on the EU market and any severe incident having an impact on the product's security. The initial recipient is the CSIRT designated as coordinator in the Member State where the manufacturer has its main establishment, with ENISA also receiving the notification, so a vendor needs one national point of contact rather than one for each country where products are deployed. For both actively exploited vulnerabilities and severe incidents the deadlines run from the moment the manufacturer becomes aware: an early warning within 24 hours, a fuller notification within 72 hours describing the vulnerability or incident, its severity and impact, and any corrective or mitigating measures, and a final report due no later than 14 days after a corrective or mitigating measure is available (for a vulnerability) or within one month after the incident notification (for an incident). Manufacturers must also inform impacted users, and where appropriate all users, without undue delay. These obligations apply from 11 September 2026 and, unlike the rest of the regulation, also cover products placed on the market before the CRA's full application date. For oil and gas automation vendors this is operationally demanding: field-deployed products may be in service for 15 to 20 years, so vulnerability tracking must continue across legacy product lines long after active development has ceased, and the 24-hour window requires pre-established incident response procedures, a designated person authorised to file regulatory notifications at any hour, and a registered account on the reporting platform before the first report is needed.
Conformity Assessment Pathway
Conformity assessment follows Article 32 and the modules in Annex VIII. Default-category products, which covers most oil and gas automation products as discussed above, may use Module A (internal control), in which the manufacturer assesses the product against the Annex I essential requirements and draws up the EU declaration of conformity itself. Important Products Class I may also use Module A, but only if they fully apply harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise, and in all cases for Class II, a notified body must be involved, either through Module B (EU-type examination) followed by Module C (conformity to type based on internal production control) or through Module H (conformity based on full quality assurance), with a European cybersecurity certificate at assurance level 'substantial' or higher as a further option. Vendors whose products do require a notified body should begin engagement at least 12 months before their target market date: notified bodies can be designated under the CRA from 11 June 2026, and assessment capacity for OT products is expected to be limited. EN IEC 62443-4-1 (secure product development lifecycle) and EN IEC 62443-4-2 (component security requirements) are the most relevant candidate harmonised standards in CEN/CENELEC's CRA standardisation work, but a standard gives a presumption of conformity only once it is cited as a harmonised standard in the Official Journal, so until then vendors should plan an explicit gap analysis against Annex I. Regardless of pathway, the technical documentation (Annex VII) must include the cybersecurity risk assessment, the SBOM, the vulnerability-handling procedures, security testing evidence and the EU declaration of conformity, and it must be kept for at least 10 years after the product is placed on the market or for the support period, whichever is longer.
Transition Planning and Legacy Product Strategy
Oil and gas vendors face a distinctive challenge: large installed bases of legacy automation products that were never designed with CRA-compliant security features. The essential requirements apply to products placed on the market from 11 December 2027; a product placed on the market before that date comes into scope only if it is substantially modified afterwards (Article 69), and a security update that only fixes vulnerabilities is not a substantial modification. A firmware release that adds functionality or changes the intended purpose, a new hardware variant, or a repackaged product placed on the market after that date does trigger full compliance, and the Article 14 reporting obligations apply from 11 September 2026 to every product already in the field. Vendors should inventory all actively sold product lines, decide which will still be sold after December 2027 and need compliance work, and which will be withdrawn before then; withdrawn products still need vulnerability monitoring and reporting for as long as they are supported. For products remaining in active sale, a structured security remediation roadmap aligned with the IEC 62443-4-1 secure development lifecycle should be established immediately, and customers should be proactively informed of the vendor's CRA readiness timeline.
CVD Portal handles your CRA Article 13 obligations automatically.
Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for Oil & Gas Automation Vendors.
Frequently asked
Do our products qualify as Critical Infrastructure under the CRA, and does that change our obligations?
The CRA does not create a separate 'critical infrastructure' category, and in the adopted text Annex III does not list industrial automation products at all: the proposal's entries for PLCs, DCS and SCADA were dropped, so these products fall into the default category and are self-assessed unless the product's core functionality is one that Annex III does list (firewalls and intrusion detection systems are Class II, for example) or the Commission adds a category by delegated act. Separately, the NIS2 Directive imposes cybersecurity obligations on energy sector operators, your customers, and their procurement requirements will increasingly demand CRA-compliant products as evidence of supply-chain due diligence.
Our PLCs use proprietary field protocols that predate modern cryptography. How does the CRA apply?
Annex I requires security measures appropriate to the risks, which includes protecting the confidentiality and integrity of data in transit and authenticating access where that is relevant to the product's intended use. Where a legacy protocol cannot support encryption or authentication natively, the vendor must record this limitation in the risk assessment and technical file and either offer a secure protocol option or implement and document compensating controls, such as a protocol-aware gateway, network segmentation, and an allow-list of permitted peers and function codes at the boundary. The CRA does not prohibit legacy protocol support, but the vendor must show that the risk was assessed and that proportionate mitigations exist. Instructions for secure installation, configuration and operation, including hardening guides and reference network architectures, are required user information under Annex II.
How long must we support CRA-compliant products with security updates?
The support period must reflect the period during which the product is expected to be in use and must be at least five years unless the product is expected to be used for less than five years (Article 13(8)). For industrial automation products in oil and gas, expected lifetimes routinely exceed 10 to 15 years, so the declared support period should be correspondingly long; a five-year declaration for a product sold with a 15-year service expectation is hard to justify. The support period must be stated in the product information available at the time of purchase, security updates must be provided throughout it, and each security update must remain available to users for at least ten years after it is issued or for the remainder of the support period, whichever is longer. Planning a security update pipeline for long-lifecycle OT products is a significant engineering investment that should be budgeted into product roadmaps immediately.
Need a CVD policy template for Oil & Gas Automation Vendors?
Download a free CRA-compliant vulnerability disclosure policy and deploy it in minutes.