Rockwell Automation recognizes the European Union's efforts to improve the cyber resilience of hardware and software products with digital elements that are made available on the EU market through the EU Cyber Resilience Act (CRA).
The act entered into force on 10 December 2024. The primary cybersecurity obligations of the act will apply as of 11 December 2027, with obligations of reporting actively exploited vulnerabilities and severe incidents applying as of 11 September 2026. Rockwell Automation is carefully reviewing the cybersecurity requirements and obligations set by the EU Cyber Resilience Act (EU) 2024/2847 and is planning and implementing the necessary steps towards timely compliance therewith.
In parallel with the European Union's regulatory efforts, the European standards organization, CEN/CENELEC (CEN/CLC), commenced working groups to develop vertical and horizontal standards to support the act. Rockwell Automation has engaged directly with CEN/CLC working groups and other EU and US industry groups to understand and align with the act and its underlying cybersecurity standards.
Rockwell Automation has long offered cybersecurity in our products. As examples of our commitment, we,
- Delivered the world's first IEC 62443-4-2 SL1-certified programmable logic controller;
- Implemented Ethernet/IP, a leading secure industrial protocol;
- Operate an IEC 62443-4-1 ML4-certified product development lifecycle;
- Operate an IEC 62443-2-4 ML4-certified delivery lifecycle, demonstrating secure integration and maintenance capability;
- Certified our PlantPAx architecture to IEC 62443-3-3 SL1, following our IEC 62443-2-4 SL4 delivery lifecycle;
- Proved that our PlantPAx architecture could be certified in the real world by achieving IEC 62443-3-3 SL1 certification for our Milwaukee facility, following an IEC 62443-2-1 aligned security program;
and we intend to comply with the EU Cyber Resilience Act to ensure continued support for our customers in the region.