Relevant Information for the EU Cybersecurity Regulation
The Cybersecurity Regulation (EU) 2024/2847 (also known as the CRA) will gradually come into force from 2026. The regulation stipulates that affected products must be developed securely, contain no known vulnerabilities, and receive security updates during their use. Manufacturers must analyze risks, manage vulnerabilities, and report security incidents. In addition, every compliant product requires technical documentation and a CE marking as proof of cybersecurity.
The following definitions apply to devices that are covered by the CRA Regulation:
a) Products with digital elements are interpreted as having at least one data interface.
b) Devices are not suitable for use in important or critical products in accordance with Articles 7 and 8 of the CRA Regulation without additional measures. They are only suitable for products in the “Default” category.
c) If not specified individually, the following cybersecurity support periods are defined:
– In the first 5 years after market launch: 15 years
– From the 6th to the 15th year after product launch: 10 years
– From the 15th year after product launch: 5 years
d) PULS examines all relevant devices for their protection level against cyber attacks through the self-assessment procedure set out in Article 23a. The DIN EN IEC 62443-4-2 assessment model is used to evaluate risks and the necessary measures associated with them.
e) Conformity assessment for cybersecurity risks in accordance with paragraph 3 is based on the EN IEC 62443 series of standards. The self-assessment procedure set out in Article 23a is used for conformity assessment. The category ‘Embedded Devices’ is assumed for PULS devices. PULS devices are considered to be IACS (Industrial Automation and Control Systems) products.
f) No personal data is stored in PULS devices.
g) No artificial intelligence (AI) is used in PULS devices.
Which PULS devices are affected by the CRA regulation?
Whether a product falls within the scope of the CRA Regulation depends primarily on the possibility of a data connection as described in Article 2(1). This includes communication networks, but not binary signals such as DC-OK, Remote ON/OFF, and the like. A distinction is made between data connections that can in principle be made secure and those where this is not possible. If a certain protection level is not possible, protection must be provided at a higher level.

Notes:
1) According to Article 2(1) of Regulation (EU) 2024/2847.
2) Threat modeling involves identifying and naming potential security vulnerabilities in the device and prioritizing countermeasures.
3) The catalog of measures describes the technical requirements for achieving the SL-C; these are specific to each product and can be found in the product datasheet.
4) Provided that all other legal acts relevant to CE marking are complied with.
The SL-C classes are in accordance with EN IEC 62443-4-2 Annex B and can take values from 0 to 4 or “N/A”. 0 offers the lowest security level, while 4 offers the highest. If “N/A” is entered in the field, this means that the device does not fall within the scope of the CRA Regulation.
The information regarding the SL-C classes of a product can be found in the data sheet, in the installation manual, and in the technical data on the PULS website.
PSIRT (Product Security Incident Response Team)
PULS has appointed a PSIRT (Product Security Incident Response Team) and a coordinator. The team is the central point of contact for all questions relating to product cybersecurity, including the reporting of discovered vulnerabilities.
It can be reached by email at PSIRT@pulspower.com or anonymously through the following form.
Which PULS devices fall under the EU Cybersecurity Regulation?
Please download our document to receive further information.
Known cases of discovered field vulnerabilities:
– None
