EU Cyber Resilience Act Guide for Railway Signalling & Train Control Vendors

Railway signalling and train control products placed on the EU market — including European Train Control System (ETCS) on-board units and wayside equipment, communications-based train control (CBTC) systems, electronic interlocking systems, automatic train protection (ATP) systems, and level crossing control equipment — are products with digital elements subject to the CRA. Safety-critical signalling components that directly control train movements or enforce speed restrictions are strong candidates for Class II Important Products under Annex III. Ancillary systems such as passenger information displays and ticketing equipment not involved in train safety may qualify as Class I. Vendors must conduct a documented classification analysis taking into account SIL (Safety Integrity Level) designations under EN 50128 and the product's role in the safety management system. CRA classification is independent of functional safety certification status.

Annex I security requirements apply to railway signalling products with particular rigour. Core obligations include: segregating safety-critical processing from diagnostic and maintenance interfaces; ensuring all remote access for maintenance purposes uses authenticated, encrypted channels with multi-factor authentication; implementing firmware integrity verification on all field components; providing tamper-evident audit logs for safety-relevant operations; eliminating unauthenticated access to any interface that could influence train movement authority; and documenting the interaction between security controls and functional safety mechanisms. The SBOM must cover both the application software and any real-time operating system components. Vendors must also address supply chain security, given that rail signalling systems often incorporate components from multiple specialist suppliers. Security controls must be demonstrated not to introduce failure modes that could compromise the safety case.

Article 13 requires rail signalling vendors to establish and publish a coordinated vulnerability disclosure policy. The rail sector has historically relied on a small community of specialist engineers with implicit security knowledge, but the increasing software complexity of modern ETCS and CBTC systems opens these products to a broader research community. The CVD policy must establish a dedicated reporting channel, define response timelines, and address the specific challenge of vulnerabilities in safety-critical systems: security patches for EN 50128-certified software may require re-certification before deployment, which can extend remediation timelines significantly. The CVD policy should explicitly acknowledge this constraint and commit to providing interim mitigations — configuration changes, network isolation measures — while re-certification is in progress. Coordination with the European Union Agency for Railways (ERA) and national safety authorities (NSAs) should be built into the CVD process.

Active exploitation of a vulnerability in railway signalling equipment requires notification to the relevant national CSIRT within 24 hours under Article 14. For safety-critical signalling systems, vendors must also consider parallel reporting obligations to national rail safety authorities and, for cross-border rail corridors, ERA. A single compromised signalling component could affect multiple EU member states on pan-European corridors. Vendors must maintain 24/7 incident response capability with clear escalation paths to both cybersecurity and functional safety teams, as a security incident in signalling equipment may trigger both CRA notification requirements and safety management system incident procedures. Pre-established communication templates for regulatory notifications will reduce response time under pressure.

Class II railway signalling products require notified body conformity assessment under the CRA, which is entirely separate from and additional to the assessment by a notified body under the Railway Interoperability Directive (2016/797/EU) and applicable TSIs. The CRA notified body and the rail interoperability notified body (NoBo) may be the same organisation, but their assessments operate under different regulatory frameworks and must produce separate documentation. Manufacturers should seek to align assessment timelines where possible. The CRA technical file must include a cybersecurity case demonstrating that security controls are compatible with the functional safety case — this is a novel document type that bridges the safety and security disciplines and requires dedicated engineering resource to prepare. IEC 62443 and EN 50159 (safety-related communication in railway systems) provide the closest available standards basis.