IEC 62443-4-2 Cited as Harmonised Standard Under EU Cyber Resilience Act

The EU CRA implementing regulations cite IEC 62443-4-2 for ICS components, creating a conformity presumption pathway for OT vendors. Manufacturers have until September 2027 to comply; critical infrastructure faces accelerated timelines.

Regulatory Context

The EU Cyber Resilience Act entered into force in December 2024, requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle.

IEC 62443-4-2 Inclusion

IEC 62443-4-2, covering technical security requirements for IACS components, has been included as a harmonised standard for Class I and II critical products. Conformity creates a legal presumption of CRA compliance.

Compliance Timeline

September 2026: Conformity assessment bodies must be designated
September 2027: Manufacturer compliance required for new products
Critical infrastructure products: 12-month accelerated timeline

Manufacturers already certified under existing IEC 62443-4-2 schemes may leverage gap assessment procedures.

Read the original article at ec.europa.eu.