EU Cyber Resilience Act Guide for Water Treatment & Utilities Automation Vendors
Important — Class II for process control systems; Class I for monitoring platforms
Water treatment and utilities automation vendors supplying SCADA systems, remote telemetry units, and control systems to EU water utilities are subject to the CRA as manufacturers of products critical to essential services. The water sector's classification as critical infrastructure under NIS2 means that automation product vendors face intense scrutiny from both CRA market surveillance authorities and water utility customers implementing their own NIS2 supply chain obligations. Demonstrated CRA compliance is rapidly becoming a mandatory procurement criterion for EU water utility contracts.
CRA Scope and Classification for Water Utility Automation
Automation products supplied to EU water utilities — including SCADA platforms for water treatment plant control, remote telemetry units (RTUs) for distribution network monitoring, pump station controllers, chlorination dosing system controllers, and smart metering concentrators — are products with digital elements under Article 3(1). Water treatment process control systems — particularly those controlling chemical dosing, filtration, and disinfection — are strong candidates for Class II Important Products given their role in ensuring public health through safe drinking water supply. SCADA historian and monitoring-only platforms without direct actuator control may qualify as Class I. Vendors supplying both control and monitoring functionality in an integrated platform should classify based on the highest-risk function. The water sector's designation as critical infrastructure under EU CER Directive and NIS2 elevates the regulatory stakes for product cybersecurity.
Technical Security Obligations for Water System OT
Water treatment automation systems face adversarial interest from both criminal ransomware groups and state-sponsored threat actors targeting critical infrastructure. High-profile attacks on water utilities have demonstrated the public health consequences of SCADA system compromise. Annex I requires: authenticated and encrypted remote access for all operator and maintenance interfaces; elimination of default credentials on all field RTUs, PLCs, and HMI terminals; integrity-verified firmware updates deployable without requiring physical site visits to each remote pumping station; tamper-evident audit logs recording all process control commands and configuration changes; network segmentation documentation separating OT networks from corporate IT and the internet; and robust access control preventing operator-level accounts from modifying control system configuration. The SBOM must cover RTU firmware, SCADA server software, historian databases, and any OPC-UA or similar middleware components used for protocol translation.
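One way to realise the tamper-evident audit log obligation described above, as an added example rather than code from this page or from any vendor product: a hash-chained, HMAC-protected log of control commands with a verifier that reports where the chain breaks. The per-site key held by the logging appliance and the sample dosing records are assumptions.

```python
# Tamper-evident, hash-chained audit log for control commands (added example).
# Each record hashes the previous one, so edits, deletions and reordering break
# the chain; an HMAC keyed by the log appliance (assumed not reachable from the
# HMI that issues commands) stops an attacker from recomputing the chain.
import hashlib
import hmac
import json
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(record: Dict) -> bytes:
    # Stable serialisation so the hash does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: List[Dict], key: bytes, operator: str,
                  action: str, params: Dict) -> Dict:
    """Append one control command or configuration change to the chain."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "operator": operator, "action": action,
            "params": params, "prev_hash": prev_hash}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    record = dict(body, hash=digest, mac=mac)
    log.append(record)
    return record


def verify_log(log: List[Dict], key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("hash", "mac")}
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return i  # record deleted, reordered or inserted
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if digest != rec.get("hash") or not hmac.compare_digest(mac, rec.get("mac", "")):
            return i  # content edited, or chain recomputed without the key
        prev_hash = digest
    return -1


# Constructed sample: a chlorine dose change, a pump speed change, an alarm edit.
KEY = b"constructed-demo-key"  # assumption: provisioned per site in practice
SAMPLE_LOG: List[Dict] = []
append_record(SAMPLE_LOG, KEY, "op01", "SET_SETPOINT", {"tag": "CL2_DOSE", "mg_l": 1.2})
append_record(SAMPLE_LOG, KEY, "op01", "SET_SETPOINT", {"tag": "PUMP3_SPEED", "pct": 80})
append_record(SAMPLE_LOG, KEY, "eng02", "CONFIG_CHANGE", {"alarm": "CL2_HIGH", "limit": 4.0})
```

Shipping the log to a separate, write-once collector and rotating the HMAC key per site keeps a compromised HMI from both forging history and learning the key.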
CVD Policy Under Article 13 for Water Automation Vendors
Article 13 mandates a published CVD policy. For water automation vendors, the CVD programme must be designed to accommodate: coordination with water sector national CSIRTs and information sharing mechanisms (such as WaterISAC); vulnerability disclosure to ENISA as the competent authority for critical infrastructure cybersecurity; and the operational challenge that water utilities cannot take treatment systems offline for security patching without securing alternative supply arrangements. The CVD policy should establish a security advisory notification system that reaches water utility operators through multiple channels — including direct email notification, ISAC bulletins, and account manager communication — to ensure rapid awareness of critical vulnerabilities. Interim mitigations — network isolation measures, monitoring rule updates — must be documented and rapidly disseminated when a critical vulnerability cannot be immediately patched.
Article 14 Reporting for Critical Infrastructure Products
Article 14 requires notification to the relevant national CSIRT within 24 hours of confirmed active exploitation. For water treatment automation vendors, active exploitation — particularly if it involves manipulation of dosing controls or flow management systems — may constitute a public health emergency requiring simultaneous notification to water sector regulators, public health authorities, and law enforcement, in addition to the CSIRT notification. Vendors must have pre-established communication protocols covering all relevant authorities for this scenario. The incident response plan should include pre-written notification templates for each scenario type, pre-authorisation for incident response team members to make regulatory notifications without executive approval delays, and direct contact details for national CSIRTs and water sector regulators in all EU member states where products are deployed.
Conformity Assessment and Water Sector Procurement
Class II water treatment automation products require notified body assessment. Given the water sector's critical infrastructure status, notified body assessment provides the assurance level that utility procurement teams and regulators expect. For Class I monitoring platforms, self-declaration against IEC 62443 standards is the appropriate pathway. Vendors should prioritise obtaining CRA CE marking as it directly supports compliance with NIS2 supply chain security requirements that water utility customers must meet. Water utility tender specifications in EU member states are already beginning to include CRA compliance requirements as procurement criteria. The technical file should be structured to facilitate extraction of key security information for customer supply chain security questionnaires, reducing the administrative burden on both vendor and customer during the procurement process.
Frequently asked questions
Many of our RTUs are installed in remote pump stations with no reliable internet connectivity. How do we meet the security update obligation?
The CRA's security update obligation applies to the manufacturer — you must make updates available without undue delay. The mechanism for delivering updates to remote sites with poor connectivity is a design and operational challenge to solve, not an exemption from the requirement. Practical approaches include: cryptographically signed update packages delivered via removable media for sites without internet access; automated update delivery via cellular backup links triggered during defined maintenance windows; and vendor-managed update services using low-bandwidth communication channels. Your technical file should document the update mechanism for each deployment scenario and any limitations, with compensating monitoring and mitigation measures for sites where automated update delivery is not feasible.
A water utility operating our SCADA system experienced a ransomware attack. Are we required to report this under Article 14?
Article 14 notification is triggered when you — the manufacturer — become aware of an actively exploited vulnerability in your product. If the ransomware attack exploited a vulnerability in your SCADA product specifically, then yes, you must notify the CSIRT within 24 hours of becoming aware of this exploitation. If the attack used a vulnerability in third-party software on the customer's infrastructure (e.g. Windows servers, VPN appliances) rather than a vulnerability in your SCADA product, then Article 14 does not apply to you — though you should offer rapid incident response assistance to the affected customer. Clarifying the precise attack vector quickly is essential for determining your notification obligations.
How should we document security requirements for water utility customers implementing NIS2 supply chain security assessments?
NIS2 Article 21 requires critical infrastructure operators to assess the cybersecurity of their supply chain. Your CRA technical documentation — including the declaration of conformity, SBOM, security architecture summary, CVD policy, and update policy — directly addresses the information water utilities need for supplier security assessments. Prepare a 'supplier security pack' summarising this information in a format compatible with common procurement questionnaires (e.g. SIG Lite, CAIQ). Make the pack available under NDA where commercially sensitive. CRA CE marking on your products provides a baseline assurance signal that significantly simplifies the utility's supplier assessment process.