Mitsubishi Electric’s resilience management ensures CE conformity

The Cyber Resilience Act (CRA) requires manufacturers, importers and distributors to implement cybersecurity measures throughout the entire lifecycle of products containing digital elements. In the context of industrial automation, this means products must be developed securely from the outset (‘secure by design’), delivered with preset security features (‘secure by default’), and any known vulnerabilities must be actively addressed. Furthermore, free security updates must be available throughout the entire lifecycle. 

Regulation (EU) 2024/2847 was published on 20 November 2024. Reporting requirements for actively exploited vulnerabilities will take effect on 11 September 2026, with all requirements applying in full from 11 December 2027. This makes cybersecurity a central component of CE conformity.

For operators of networked production facilities, mandatory update and reporting processes will increase predictability and reduce supply chain risks. Going forward, controllers, HMIs and network technology must be powerful, auditable and cyber-resilient. Mitsubishi Electric consistently incorporates CRA requirements into its development, operational and support processes. A Product Security Incident Response Team (PSIRT) coordinates vulnerability management and publishes countermeasures. As a CVE Numbering Authority (CNA), Mitsubishi Electric can clearly identify security vulnerabilities and communicate them transparently. The company also relies on signed firmware updates, role-based access controls and monitoring concepts to protect operations and ensure compliance. All these measures are based on international standards such as IEC 62443-4-2, creating a robust foundation for auditing and verification.

From HMI to PLC: Technical measures for auditable cyber resilience

Mitsubishi Electric’s success in implementing these requirements is well-documented. HMIs, such as the new GOT3000 series, use signed firmware updates, restrictive default configurations and role-based user management. PLC systems, such as the new MELSEC MX-F and MX-F platforms, are made resilient to cyberattacks by employing separate engineering and operating networks, encrypted remote access, and defined update processes. Typical evidence includes a complete SBOM (Software Bill of Materials), documented patch processes, log export, and communication of the support period. Comparable principles apply to drives, robots, and engineering software, including secure communication paths, documented lifecycle support periods, and disclosure of known CVEs (Common Vulnerabilities and Exposures). These measures increase resilience to manipulation and support verification in the context of CE marking.

Current threat situation and regulatory pressure

Current developments highlight the relevance of the CRA. According to the Dragos Report, the number of ransomware attacks on industrial organisations increased by over 87 per cent in 2024 compared to 2023, while new ICS-specific malware families were identified. At the same time, Germany is tightening requirements for companies with the NIS-2 Implementation Act. From the end of 2025 onwards, around 29,000 companies will be subject to extended security and reporting obligations, with cybersecurity explicitly becoming a management responsibility. This significantly increases compliance pressure along the industrial supply chain and supplements the CRA requirements.

Greater trust in industrial systems

The CRA creates opportunities for greater transparency and trust in automation solutions. Mitsubishi Electric offers solutions for secure, future-proof production, including secure firmware updates, access controls and monitoring concepts. The company also provides checklists and security advisories to facilitate audit verification. Weekly patch windows for HMIs, or PLC engineering via jump hosts according to the bastion principle, are practical examples that illustrate the benefits for operations.

Further information at:

Cyber Resilience Act CRA – Cyber security for industry
