An Important Update on the EU Cyber Resilience Act (CRA) and Our Commitment to You
At AVEVA, our customers trust us to provide them with state-of-the-art, cybersecure industrial solutions that enable their resiliency, ensure business continuity and drive sustainable growth. We are committed to upholding a strong cybersecurity position – global regulatory compliance is an outcome of our approach. AVEVA recognises that every nation has the duty and the right to protect its critical infrastructure and citizens from cyberattacks, necessitating the creation of cybersecurity regulations, guidelines, and frameworks. We embrace these regulations and respond with transparency and alignment.
Cybersecurity is a major challenge for the European Union (EU) due to the increasing number of connected devices and the impact of cyberattacks on the EU market and critical infrastructure. To address this, the EU aims to strengthen its cybersecurity approach by creating a uniform legal framework for essential cybersecurity requirements for products with digital elements. This includes both hardware and software products that are connected directly or indirectly to another device or network. It introduces mandatory cybersecurity requirements for manufacturers and retailers, covering the entire lifecycle of these products. Although currently an EU regulation, the impact is expected to be global given the dynamic nature of the software industry and the global presence many companies have.
The CRA addresses two main challenges:
1. The low level of cybersecurity in digital products.
2. The insufficient information available to users to make informed choices.
The CRA seeks to ensure that digital products are developed with no vulnerabilities and that manufacturers prioritize security throughout the product lifecycle. The key tenets of the act include:
- Manufacturers must build security into products from the start and ensure they ship with secure configurations.
- Manufacturers remain accountable for a product’s cybersecurity throughout its lifecycle.
- Software manufacturers must undergo a conformity assessment (self-assessment or third party) to demonstrate compliance.
- Manufacturers must disclose cybersecurity features and usage instructions to end users, ensuring clarity and awareness.
- Products meeting these standards will bear the CE marking, signifying their adherence to the CRA.
The CRA will be applicable from 11 December 2027, with the exception of reporting requirements, which will be applicable as of 11 September 2026.
As an established leader with over 50 years’ experience delivering and supporting our industrial software portfolio, we recognize that our customers’ data demands a stringent cybersecurity posture and the highest set of operating standards.
AVEVA’s experience with security development lifecycle standards positions us well for the journey toward offering products with the CE mark*. While the regulation is still evolving and full implementation is two years away, we’ve already begun proactive internal assessments to understand its implications across our product portfolio.
At the date of applicability, the CRA will impact predominately on-premise and hybrid offers, but the compliance strategy will adhere to the following principles:
1. Security Culture: Ensuring our internal stakeholders are aware of this important regulation and its impact on our global business practices including value chain partnerships.
2. Lifecycle Policy: The 2024 update to our product lifecycle policy was informed by CRA requirements. AVEVA will diligently implement these product lifecycle policy changes to provide transparency and flexibility in the support models we offer customers.
3. Security Development Lifecycle: Essential requirements are integrated with our formal development process to ensure they are addressed throughout a product’s lifecycle – from training to release and subsequent management of security response as needed until product sunset.
4. Conformity Attestation: Our plans for security assurance measures and artifacts include comprehensive documentation, an online trust center, legal and commercial contract governance, transactional controls, CE marking of compliant products, and integration of CRA requirements into global service delivery.
*The mark on a product indicates that the manufacturer or importer of that product affirms its compliance with the relevant EU legislation and the product may be sold anywhere in the European Economic Area (EEA).
In conclusion, AVEVA is dedicating focused resources to support our proactive work towards the 2027 effective date of the CRA. While compliance is a mandatory duty, this effort is part of our mission to continuously develop and maintain resilient solutions at the core of industrial value chains. We aspire to deliver CRA essential requirements with excellence and in a manner that will have significant benefits worldwide in our service to our customers.