The EU Cyber Resilience Act (CRA) has ushered in a new era for manufacturers of digital products, laying out clear and enforceable standards for cybersecurity. But a question that has been discussed in a number of forums is whether these obligations extend beyond the product itself, to the security of the environment in which it is manufactured. Let’s explore what the CRA makes explicit, where it is silent, and the very real implications that stem from this potential grey area.
What the CRA Explicitly Requires:
The text of the Cyber Resilience Act mandates that manufacturers must ensure the cybersecurity of their products with digital elements throughout their entire lifecycle—from planning, design and development, through to release and maintenance.
A summary of some of the key requirements includes:
- Undertaking a cybersecurity risk assessment of the product, considering all risks to the product and to its users, and, based on the outcome of that assessment, ensuring that “Security by Design and by Default” is applied across the entire lifecycle.
- Exercising due diligence when integrating third-party components—whether hardware, software, or open-source elements—so as not to compromise the cybersecurity of the finished product.
- Implementing incident and vulnerability reporting procedures for the products themselves.
At no point do the recitals or main articles explicitly require the manufacturer to secure their broader IT environment, networks, or facilities as a compliance obligation under the CRA.
Why Is Manufacturing Environment Security Not Explicitly Mandated?
From a legislative perspective, the focus on products makes sense: the regulation’s aim is to harmonise the market and to ensure that any product with digital elements placed on the EU market meets a robust baseline of cybersecurity. The legislative language repeatedly refers to “products with digital elements,” with no direct reference to manufacturing plant IT, OT environments, or the company’s general cyber hygiene standards.
The Implicit—and Crucial—Cyber Risk:
However, an implicit risk looms large. Poor cybersecurity practices in manufacturing environments can jeopardise the very integrity of the products the regulation seeks to protect. Consider this scenario: if a threat actor penetrates a manufacturer’s IT systems during production and installs a backdoor or malware into software or hardware, the product can be compromised before it ever reaches the consumer. This risk is not confined to theory—supply chain attacks are rapidly becoming one of the most pressing issues in global cybersecurity.
The logic here is clear: a poorly secured manufacturing environment can undo the effectiveness of all product-level protections mandated by the CRA. So while the Act does not explicitly require manufacturers to secure their environments, a lack of basic cybersecurity hygiene in production settings is implicitly at odds with the Act’s intent to guarantee secure digital products.
The Path Forward: Best Practices and Strategic Foresight
Forward-thinking manufacturers should recognise that, even if the CRA does not spell it out, securing the production environment is fundamentally aligned with compliance and risk management. For example, manufacturers should consider the following cybersecurity controls:
- Implementing strong access control and monitoring systems on production networks.
- Conducting regular vulnerability scans, and regularly updating and patching manufacturing equipment and software.
- Continuously assessing possible supply chain attack scenarios—including at the development and assembly stages.
- Training staff on cyber hygiene to avoid insider threats and mistakes.
- Documenting these efforts as part of their overall risk assessment and cybersecurity diligence.
Conclusion
The CRA stops short of explicitly requiring manufacturers to secure their broader environment. But the interconnected nature of modern supply chains and manufacturing processes means that this is a gap that forward-looking companies should address as a matter of best practice and organisational resilience. If a compromised environment leads to an insecure product, the intent of the CRA—protecting consumers and the digital ecosystem—is defeated.
