This document is under active development and has not been finalised.
Skip to content

IEC 62443 & ISO Standards vs. CRA

COMPLEMENT, NOT CRITICISM

IEC 62443 is a valuable standard with substantial overlap with the CRA. Manufacturers who follow it are doing something right. The purpose of this page is delineation — what these standards do and do not cover relative to the CRA — not a verdict that they are wrong.

A common belief among manufacturers of industrial communication hardware is that an IEC 62443 certificate equals CRA compliance. It does not. IEC 62443 is a strong foundation that overlaps with several CRA requirements, but it leaves the CRA's ongoing operating and reporting duties uncovered.

What IEC 62443-4-1 and -4-2 actually cover

StandardSubjectOverlaps withKey limitation
IEC 62443-4-1Secure product development lifecycle (SDLC): security management, design, implementation, verification, patch & end-of-life processesCRA Annex I Part II (vulnerability-handling / secure-process requirements)The audit is a snapshot; it does not verify ongoing operations after market launch
IEC 62443-4-2Technical security requirements for components (authentication, access control, data integrity, communication security), graded by Security Level SL 1–4CRA Annex I Part I (essential product cybersecurity requirements)Says nothing about ongoing manufacturer duties after placing on the market

Both are genuine and useful — and both are assessed at a single point in time.

Master comparison

DimensionIEC 62443-4-1IEC 62443-4-2ISO 9001CRA
What is assessedDevelopment processProduct propertiesQuality processesProcess + product + ongoing operation
WhenSnapshotSnapshotSnapshot + annual surveillanceEntire product lifecycle
Certificate existsYesYesYesConformity route depends on class (see below)
Ongoing manufacturer dutyNone until renewalNone until renewalMaintain the QMSCVE monitoring, patching, SBOM upkeep, ENISA reporting
Reporting duty to an authorityNoneNoneNoneYes — ENISA: 24 h early warning, 72 h notification
Liability after market launchShared with certifierShared with certifierShared with certifierManufacturer alone
Minimum support dutyNoneNoneNoneSecurity updates across the support period (≥ 5 years / expected lifetime)
Ends withCertificate expiryCertificate expiryCertificate expiryEnd of market availability + support period

THE CONFORMITY ROUTE IS NOT "CLASS = CERTIFICATE"

For the CRA, the assessment route depends on the product class and on whether harmonised standards apply: Standard → Module A (self-assessment); Class I → Module A only where harmonised standards are applied in full, otherwise Module B+C; Class II → Module B+C or Module H; Critical → EUCC. See Product Classification and Harmonised Standards.

What IEC 62443 does NOT replace

No audit certificate can substitute for the following, because they are operating tasks, not assessment tasks:

  • The SBOM per firmware version, kept continuously up to date → SBOM & Signing
  • The ENISA reporting duty — 24 h early warning for an actively exploited vulnerability, 72 h notification, 14-day final report → ENISA Reporting
  • The continuous CVE-monitoring infrastructure (permanent, not auditable at a point in time) → Vulnerability Management
  • The CVD policy as a working channel for security researchers → Disclosure Policy
  • The provision of security updates across the entire support periodSupport & Lifecycle

No audit replaces an operating task. A certificate confirms a state at a point in time; these are processes that have to keep running.

How standards still help you

Following IEC 62443 or holding ISO certificates is genuinely useful — provided you understand their role:

  • Presumption of conformity comes only from harmonised standards whose references are published in the Official Journal of the EU (OJEU). Until then, no standard — including IEC 62443 — grants automatic CRA conformity. IEC 62443 is currently a reference, not a harmonised CRA standard. → Harmonised Standards
  • An existing QMS (ISO 9001 / ISO 27001) is a strong basis for the CRA's process requirements and integrates well with the Module H route. → Module H

Back to: Certificate vs. CRA Lifecycle

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT