Cyber Resilience Act

CRA and product cybersecurity

The Cyber Resilience Act (CRA) is an EU regulation that sets a common baseline for cybersecurity in products with digital elements sold on the European market. It introduces cybersecurity requirements that span the entire product lifecycle, from design and development to maintenance, vulnerability handling and updates.

For organisations operating critical infrastructure, this means new expectations on secure design, vulnerability handling and long-term product support, as well as clearer responsibilities for product manufacturers.

Westermo designs industrial networking hardware and software for environments where security, reliability and long lifecycles are essential. We are actively aligning our products and processes with the CRA to ensure that customers can deploy and operate our solutions with confidence.

What the Cyber Resilience Act means in practice

Under the CRA, products must meet a number of cybersecurity requirements across their lifecycle. Key areas are:

  • Secure-by-design principles
  • Structured vulnerability management
  • Clearly defined cybersecurity responsibilities

The regulation applies to products made available on the EU market, regardless of where they are manufactured. 

 

Cybersecurity built into Westermo products

Cybersecurity has always been a natural part of how Westermo designs, develops, manufactures, and supports products for mission‑critical industrial networks. The CRA builds on practices and standards that are already established within our organisation, which means we have a solid foundation for meeting the CRA requirements.

Our product development organisations follow internationally recognized secure development practices, aligned with IEC 62443‑4‑1 and supported by formal certification. These practices include:

  • Threat and risk analysis
  • Secure design
  • Vulnerability handling
  • Controlled production

 

Integrating CRA into the way we work

The CRA is an important step toward strengthening cybersecurity across the industry. Our approach is to integrate the new requirements into the way we already work, in a structured and consistent way. At the same time, we make sure that we continue to support long product lifecycles and stable operation, which are critical for our customers.

To support this work, we have started a global CRA programme covering relevant product families across our portfolio.

Westermo approach to CRA compliance


Our CRA programme includes:

Requirement mapping

Mapping CRA requirements to existing development and lifecycle processes aligned with IEC 62443-4-1, and product security requirements defined in IEC 62443‑4‑2.

Standards alignment

Active participation in the IEC TC65 working group, defining how industrial cybersecurity standards (IEC 62443-4-1 and IEC 62443-4-2) align with the CRA.

Portfolio assessments

Reviewing products based on architecture and lifecycle stage to identify fulfilment paths and necessary adaptations.

Actions & guidance

Defining actions, documentation and system-level measures, with clear guidance across the full product lifecycle.

Transparent vulnerability handling

Westermo also has a structured process for handling vulnerabilities as part of our Product Cybersecurity framework, aligned with IEC 62443-4-1.

This process is handled by our Product Security Incident Response Team (PSIRT), which coordinates product security incidents and vulnerabilities.

 

Supporting long-life products under the CRA

Westermo has been producing extremely robust networking solutions for decades. Many of these products are designed to be used for a long time, often in demanding mission-critical environments. One example is the WeOS 4 platform, which is still actively developed and manufactured.

To meet the CRA requirements, we are reviewing long-life products to identify potential risks and define appropriate operational controls and mitigation measures. Our objective is to support our customers in continuing to use Westermo products safely and securely throughout their entire lifecycle. 

If you’d like to understand how the Cyber Resilience Act affects your specific products, projects or future planning, we're here to support you.

 

CRA timeline

The Cyber Resilience Act was introduced in 2024, with key requirements gradually coming into effect from 2026. Full compliance will be required from December 2027.

Cyber Resilience Act timeline 2024-2027

Want to learn more about the Cyber Resilience Act?

You can explore the full regulation on the official EU website: eur-lex.europa.eu

Learn from our experts


Security Vulnerability Management

Security vulnerability management is the maintenance we do to keep our products secure over their lifetime, to ensure a high security standard and transparency towards our stakeholders. Threats evolve rapidly. By proactively managing vulnerabilities, we ensure our customers are informed, protected, and able to mitigate risks.

Carl de Bruin

International Sales

Ask me about the Cyber Resilience Act
