
Most people in industrial operations don’t wake up excited about regulations. They wake up thinking about uptime, safety, and whether today will be calm or chaos.
The EU Cyber Resilience Act (CRA) matters because it’s going to change what “acceptable” industrial software looks like in Europe, especially when auditors, procurement, insurers, and leadership start asking for evidence. The aim of CRA is straightforward: raise cybersecurity standards for products with digital elements sold in the EU.
We wrote a practical whitepaper that explains CRA (and how it connects to NIS2) in plain terms for people who look after industrial facilities, without drowning you in legal language.
CRA in plain English
The CRA is an EU law focused on the product side of cybersecurity: software, devices, and components that are placed on the EU market. It entered into force on 10 December 2024. The main obligations apply from 11 December 2027, with the reporting obligations (notifying actively exploited vulnerabilities and severe incidents) starting earlier, on 11 September 2026.
In practice, CRA pushes vendors to prove they can do things industrial operators have wanted for years:
- build security in from the start
- manage vulnerabilities over the product lifecycle
- be clearer about what’s inside their products (dependencies/components)
- provide stronger proof/assurance artifacts
That’s the “vendor side” of the story.
“Wait… isn’t this NIS2?”
NIS2 is the “operator side” of the story: it places cybersecurity obligations on organisations operating essential/important services (which includes many industrial sectors). EU Member States had to transpose NIS2 into national law by 17 October 2024.
So yes, CRA and NIS2 are different. But they collide in the real world:
- NIS2 asks you to manage risk
- CRA changes what your vendors must deliver
- Your ability to meet NIS2 outcomes is heavily influenced by whether your vendors are genuinely CRA-ready
Our whitepaper explains this relationship clearly and gives you practical questions to ask suppliers.
Why this matters to facility teams (even if you don’t “do compliance”)
If you look after a plant or industrial site, CRA connects to five universal, day-to-day human priorities:
1) Keep the plant running
CRA will influence product lifecycle, patching discipline, and supportability. That flows directly into downtime risk. If you’ve ever been stuck on a version you can’t confidently maintain, you already feel why this matters.
2) Keep people and the site safe
In industrial environments, cyber incidents can become operational incidents. CRA is part of the EU’s broader move to treat cyber risk as systemic risk, especially in sectors that affect society.
3) Stay in control
Plants hate black boxes: unknown components, unclear ownership, uncertain end-of-support. CRA pushes vendors to be more transparent and structured, so you can manage OT like an engineered system.
4) Avoid “why was this still running?” moments
After an incident, the question is rarely “did you mean well?” It’s “did you act responsibly, and can you show it?” CRA raises the expectation that running insecure or unsupported software is not a passive risk but a managed decision, one you should be able to document.
5) Reduce firefighting
The worst version of this story is a forced migration under pressure: vendor retires something, a vulnerability appears, procurement needs an attestation, and you’re suddenly in emergency mode. CRA is meant to reduce that kind of chaos, if you prepare early.
What you can do now (without starting a massive project)
You don’t need a multi-year programme to get value quickly. Start with three moves:
- Inventory what matters most
Not everything. Start with the systems that would hurt most if compromised or unsupported: SCADA/HMI, historians, gateways, key OPC/communications components.
- Ask vendors grown-up questions
For your exact versions: support windows, vulnerability handling process, patch guidance, and what evidence they can provide for supplier risk reviews.
- Align OT + IT + Procurement
CRA will often hit you first through procurement: renewals, supplier risk checks, insurance questions, customer audits. Get aligned before the first “please attest…” email lands.
Our whitepaper includes a short vendor checklist you can use immediately.
What AVEVA is doing (and the commitment we’re making)
If you rely on AVEVA software, you should expect clarity, not vague promises.
AVEVA has publicly outlined its CRA approach, including focus areas like lifecycle policy, secure development lifecycle, and conformity/assurance artifacts (documentation, trust resources, governance, and CE-related considerations for relevant products).
AVEVA also publishes a Software Support Lifecycle policy that includes Long-Term Servicing options for designated products/versions (5 years Full Support + 2 years Limited Support) to match the reality of long-lived industrial environments.
We summarise these commitments in a short “commitment box” in the closing of the whitepaper, along with three questions you can use to evaluate any vendor, not just AVEVA.
Download the whitepaper
If CRA still feels abstract, the whitepaper makes it concrete, using a real-world scenario that most industrial teams recognise, and then turning CRA + NIS2 into practical actions. Download: The Cyber Resilience Act: Why Industrial Organizations Should Pay Attention Now