Blog post

26 Nov 2025

Cyber Resilience Act: What's coming to your OT environment

The CRA (Cyber Resilience Act, Regulation (EU) 2024/2847) fundamentally changes the way networked products are handled. The regulation has been in force since December 10, 2024. The reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11, 2026; the remaining manufacturer obligations, including CE marking, apply from December 11, 2027. Virtually all products with digital elements are affected, including OT sensors, gateways, control modules, edge devices, firmware, and the cloud backends a product needs in order to function.

The CRA thus defines a binding standard for security throughout the entire product life cycle: from secure development, through security updates during the support period (normally at least five years), to the end of the product's useful life.

ALSEC gives you a clear overview of what the CRA means for the Swiss market. Although Switzerland is not a member of the EU, the requirements have a direct impact on our industry via supply chains, export relationships, and the procurement of OT equipment. Manufacturers are under increasing pressure to deliver CRA-compliant products so that their components can be placed on the EU market at all. And operators will have to ensure in future that their OT landscapes only use products that comply with the new security and update requirements.


For manufacturers


The CRA affects manufacturers, regardless of whether they are based within the EU or not. The decisive factor is not the place of production, but whether your product enters the EU market or whether you build components that are in turn installed in EU products.


If you manufacture in Switzerland and deliver to the EU:

  • You are fully subject to the obligations and responsibilities of a manufacturer under the CRA.
  • In particular: secure development, vulnerability management, technical documentation, and CE conformity.
  • From December 11, 2027, your products may no longer be placed on the EU market without CRA-compliant CE marking.
  • In addition, you must set up an incident and vulnerability reporting procedure: a 24-hour early warning for actively exploited vulnerabilities and severe incidents, submitted via the EU single reporting platform to ENISA and the competent CSIRT, followed by a 72-hour notification and a final report. You may mandate an EU authorized representative to hold your documentation and deal with the authorities, but the reporting obligation remains yours as the manufacturer.


If you manufacture in Switzerland with components purchased outside the EU, and your product is exported to the EU:


  • The CRA still applies to you as the manufacturer of the final product, and you must exercise due diligence for every third-party component you integrate.
  • This means you must establish the same security-by-design, documentation, and update processes.
  • In practical terms, this means requesting CRA documentation and evidence (SBOMs, vulnerability handling commitments, test results) from your component suppliers.



If you only supply the Swiss market:


  • Formally, you are not subject to the CRA.
  • However, the market will demand CRA-compliant products: many Swiss operators are NIS2-relevant through EU customers or group companies and will require CRA compliance as a quality and security criterion.
  • Manufacturers who do not work according to the CRA will lose competitiveness in the medium term.

In short: the CRA applies to you as soon as your products end up in the EU, either directly or indirectly, or are integrated into EU supply chains.


Vulnerability and incident management requirements – short and clear


CRA requires manufacturers to have a traceable process for risks, vulnerabilities, and incidents – before and after market launch. 


Before market launch


Manufacturers must:

  • Systematically analyze risks (threats, attack paths, dependencies on third-party components and on safety functions)
  • Define and document security measures (hardening, access control, logging)
  • Perform security testing (code reviews, penetration tests) and generate a software bill of materials (SBOM)
  • Prepare evidence for CE/CRA conformity (risk analysis, test results, SBOM)

After market launch


You need a functioning process for:

  • Vulnerability intake (a published point of contact and a coordinated vulnerability disclosure policy)
  • Assessment and prioritization (e.g., CVSS, exploitability, exposure in OT networks)
  • Provision of updates (patches, firmware, cloud fixes), without delay and free of charge during the support period
  • Transparent communication (advisories, workarounds)


In the event of critical incidents


Obligations in the case of actively exploited vulnerabilities (and, with a longer deadline for the final report, severe incidents affecting the product's security):

  • Early warning within 24 hours via the EU single reporting platform, followed by a notification within 72 hours and a final report within 14 days (one month for severe incidents)
  • Initial information to customers (impact, immediate measures)
  • Rapid countermeasures (hotfix, workaround)
  • Subsequent delivery of final patches



From the perspective of a Swiss CISO


Even though the CRA is not legally binding in Switzerland, it affects you as a CISO directly via the supply chain: most of your OT products come from manufacturers that produce for the EU market and therefore have to comply with CRA-compliant security, update, and documentation requirements. 


You can also demand these requirements one-to-one in Switzerland – in particular technical documentation, SBOMs, clear vulnerability processes, and CE conformity according to CRA. 


This allows you to benefit from higher product quality, better transparency, reliable updates, and a significantly stronger position vis-à-vis suppliers, without the need for a separate Swiss CRA obligation.



What you need to know about the CRA – the most important points in a nutshell


1. Scope: Everything that is networked is basically included


Affected from an OT perspective:


  • Industrial IoT devices
  • Edge gateways
  • Network-enabled controllers and modules
  • Firmware and software
  • Cloud and remote services the product depends on

Exceptions: only areas already covered by sector-specific rules (e.g., medical devices, motor vehicles, civil aviation, marine equipment), products developed exclusively for national security or defense, and free and open-source software outside commercial activity.



2. Security by design & default becomes mandatory


Manufacturers must:


  • Deliver products without known exploitable vulnerabilities
  • Provide secure default configurations
  • Minimize attack surfaces
  • Prevent unauthorized access
  • Monitor security-related activities
  • Provide security updates, free of charge, for the support period
  • Have a documented vulnerability handling process



What you can do now – differentiated by target group


For manufacturers (Switzerland & EU export)

  1. Start a portfolio analysis: which of your products fall under the CRA? (Spoiler: almost all digital ones.)
  2. Make security-by-design processes mandatory: development, requirements, testing, documentation; everything must be verifiable.
  3. Prepare the CE conformity process for the CRA: technical documentation, software bill of materials (SBOM), risk analyses, harmonized standards.
  4. Establish vulnerability management: intake, assessment, remediation, publication, 24-hour early warning; all clearly defined.
  5. Organize an EU authorized representative: strongly advisable for manufacturers outside the EU that deliver to the EU. The CRA lets you mandate one in writing to hold your technical documentation and declaration of conformity and to deal with market surveillance authorities.



For CISOs, OT managers, and purchasers (operators)

  1. Review and classify the OT product landscape: which components have "digital elements"? What cloud dependencies exist?
  2. Check suppliers for CRA capability: who has processes? Who has documentation? Who will deliver CE compliance in the future?
  3. Update procurement guidelines: define CRA compliance as a mandatory criterion for new OT products and services.
  4. Ensure test and update capability in OT environments: network design, maintenance windows, secure update pipelines, rollback scenarios.
  5. Integrate vulnerability information into SOC/OT security: the CRA provides greater transparency, but you have to operationalize it.
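As an added illustration of the last two points on both checklists (the SBOM as part of the technical documentation, and operationalizing vulnerability information in the SOC), here is a small Python example written for this article. It is not ALSEC code and not something the CRA prescribes. It matches a constructed CycloneDX-style SBOM for a hypothetical edge gateway against constructed advisories (placeholder IDs, a simplified version-range syntax) and ranks the hits so that actively exploited vulnerabilities, the ones that trigger the 24-hour early warning on the manufacturer side, surface first:

```python
"""SBOM-driven vulnerability matching for an OT asset.

Added example for this article, not ALSEC code. The SBOM, the advisories,
the advisory identifiers and the version-range syntax are constructed for
illustration; real feeds (CSAF, OSV, vendor advisories) need their own parsers.
"""
import json
import operator
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for a hypothetical edge gateway firmware.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "edge-gateway-fw", "version": "3.2.1"}},
    "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
        {"name": "busybox", "version": "1.36.0", "purl": "pkg:generic/busybox@1.36.0"},
        {"name": "libmodbus", "version": "3.1.8", "purl": "pkg:generic/libmodbus@3.1.8"},
    ],
})

# Constructed advisories (placeholder IDs, not real CVEs). "exploited" mirrors the
# CRA trigger "actively exploited vulnerability" that starts the 24-hour clock.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:generic/openssl", "affected": "<3.0.8",
     "cvss": 7.5, "exploited": True},
    {"id": "ADV-0002", "package": "pkg:generic/busybox", "affected": "<1.35.0",
     "cvss": 9.8, "exploited": False},
    {"id": "ADV-0003", "package": "pkg:generic/libmodbus",
     "affected": ">=3.1.0,<3.1.9", "cvss": 5.3, "exploited": False},
]

# Two-character operators first, so "<=" is not mistaken for "<".
_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
        "<": operator.lt, ">": operator.gt}


def parse_version(text):
    """Dotted numeric version -> tuple of ints, so that 3.0.10 > 3.0.9."""
    return tuple(int(part) for part in text.split("."))


def in_range(version, spec):
    """True if version satisfies every comma-separated constraint in spec."""
    ver = parse_version(version)
    for constraint in spec.split(","):
        constraint = constraint.strip()
        for op in _OPS:
            if constraint.startswith(op):
                if not _OPS[op](ver, parse_version(constraint[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {constraint!r}")
    return True


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    cvss: float
    exploited: bool


def purl_without_version(purl):
    """'pkg:generic/openssl@3.0.7' -> 'pkg:generic/openssl'."""
    return purl.split("@", 1)[0]


def match_sbom(sbom_json, advisories):
    """Return findings sorted: actively exploited first, then by descending CVSS."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        package = purl_without_version(comp["purl"])
        for adv in advisories:
            if adv["package"] == package and in_range(comp["version"], adv["affected"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"],
                                        adv["cvss"], adv["exploited"]))
    findings.sort(key=lambda f: (not f.exploited, -f.cvss))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        tag = " [actively exploited]" if f.exploited else ""
        print(f"{f.advisory}: {f.component} {f.version}, CVSS {f.cvss}{tag}")
```

The busybox advisory does not fire because the shipped version is outside the affected range; that is exactly the kind of noise an accurate SBOM removes. In a real OT SOC the same matching would run per asset against the vendor advisories and CSAF documents the CRA obliges manufacturers to publish, and the "exploited" flag would come from the advisory or a KEV-style source rather than being hard-coded.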


CTA – Let us check your CRA fitness


At ALSEC, we support manufacturers and operators in establishing OT security in a pragmatic and regulatory-robust manner.


CRA check for manufacturers


  • Does your development process cover CRA obligations?
  • Where do you need documentation, processes, evidence?



CRA check for operators/CISOs


  • How CRA-compliant is your supply chain?
  • Which OT components need additional controls?

Get our latest whitepaper

Whitepaper only available in German.

Back to analog for Business Continuity

Especially in industrial environments of critical infrastructures, operation with high availability, ideally without any interruption of production processes, is absolutely indispensable. Business continuity management (BCM) therefore plays a particularly large role in the security context of this field. If a cyberattack occurs and paralyzes infrastructure, replacement systems of the same type (hardware) with compatible software (firmware, operating system) must be available immediately so that backups can be restored and systems recovered. Until that is done, fallback processes must take effect as quickly as possible.