Will IEC 62443 become a harmonised standard under the CRA?

The European Commission may request CEN/CENELEC to develop harmonised standards referencing IEC 62443 concepts. The resulting European standards (e.g., EN IEC 62443-4-2) would need to be published in the Official Journal to create a presumption of conformity with CRA Annex I. This process is underway but not complete as of the date of this page.

If I have IEC 62443-4-2 SL-2 certification, which CRA Annex I requirements does it help demonstrate?

IEC 62443-4-2 foundational requirements overlap with several CRA Annex I requirements: FR1 (access control) aligns with Annex I (2)(d), FR3 (system integrity) with (2)(f), FR4 (data confidentiality) with (2)(e), FR7 (resource availability) with (2)(h). However, the CRA requires additional elements not in 62443-4-2: SBOM, ENISA notifications, user information under Annex II, and the specific documentation format of Annex VII.

Can I reference my IEC 62443 certification in the CRA Annex VII file?

Yes. Annex VII point (5) allows the manufacturer to list 'other relevant technical specifications applied' alongside harmonised standards. Your IEC 62443 certification is a technical specification that supports your demonstration of Annex I compliance. CRACheck provides the structured field for this reference.

Does the CRA apply to industrial automation systems not sold to consumers?

Yes. CRA Article 2(1) applies to all products with digital elements made available on the market with a data connection. Industrial products sold B2B are within scope. The CRA does not distinguish between consumer and industrial products — it applies to all products with digital elements placed on the EU market.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

IEC 62443 is a series of international standards for the security of industrial automation and control systems. Regulation (EU) 2024/2847 (CRA) is a mandatory EU regulation requiring product-level cybersecurity documentation. They are not the same thing. IEC 62443 addresses security capabilities and processes for industrial products and systems. The CRA requires specific documentation under Article 31 and Annex VII, a structured cybersecurity risk assessment under Article 13, an EU Declaration of Conformity under Article 28, and vulnerability notification to ENISA under Article 14. IEC 62443 conformity does not automatically produce any of these documents. CRACheck generates them.

The relationship between IEC 62443 and the CRA is potential alignment, not equivalence. Annex VII point (5) of the CRA requires the manufacturer to list "harmonised standards applied in full or in part" or "descriptions of the solutions adopted to meet the essential cybersecurity requirements." If the European Commission publishes harmonised standards that reference IEC 62443 concepts, IEC 62443 conformity could support a presumption of conformity with certain Annex I requirements. But as of the date of this page, IEC 62443 is not a CEN/CENELEC harmonised standard cited in the Official Journal for purposes of the CRA. It is a valuable technical framework — and CRACheck allows you to document IEC 62443 compliance as part of the "other relevant technical specifications applied" in Annex VII point (5). €149. 15–25 minutes. 8 PDFs.

Generate CRA Dossier — €149 Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

Key facts

Mandatory vs voluntary

CRA = EU regulation (mandatory). IEC 62443 = international standard (voluntary).

Annex VII §5

CRA allows citing IEC 62443 as a "relevant technical specification" in the documentation

€15M

Maximum CRA fine under Art. 64(2) — no IEC 62443 certificate exempts from this

How CRACheck bridges IEC 62443 practices to CRA documentation

Product identification

You enter your industrial product type, IEC 62443 security level target (SL-T), and component security capabilities.

Annex I mapping

CRACheck maps the 21 CRA Annex I requirements against your product. Many IEC 62443-4-2 foundational requirements (FR) align with CRA Annex I requirements: FR1 (access control) ↔ Annex I (2)(d), FR2 (use control) ↔ Annex I (2)(d), FR3 (system integrity) ↔ Annex I (2)(f), FR4 (data confidentiality) ↔ Annex I (2)(e), FR7 (resource availability) ↔ Annex I (2)(h).

Standards declaration

In the Annex VII §5 section, you declare IEC 62443 as a "relevant technical specification applied" and specify the parts (62443-4-1 for secure development lifecycle, 62443-4-2 for component security requirements). CRACheck structures this in the format Annex VII requires.

Gap documentation

CRA requirements not covered by IEC 62443 — including SBOM (Annex I Part II point 1), CVD policy (Part II point 5), ENISA notification (Art. 14), and user information (Annex II) — are documented separately in the CRACheck dossier.

Output

8 PDFs. The Technical Documentation references IEC 62443 where applicable and documents CRA-specific requirements independently.

IEC 62443 demonstrates technical cybersecurity competence. The CRA file demonstrates regulatory compliance. CRACheck generates the regulatory file.

Common mistakes with IEC 62443 and CRA

❌

ANNEX VII · §5

Treating IEC 62443 certification as CRA compliance

An IEC 62443-4-2 certificate demonstrates component security capability against the standard. It does not produce the CRA Annex VII technical documentation, the Article 13 risk assessment, the Article 28 Declaration of Conformity, or the Article 14 notification template. The CRA file is a separate deliverable.

❌

HARMONISED STANDARD

Assuming IEC 62443 is a harmonised standard under the CRA

A harmonised standard under the CRA must be a European standard (EN) adopted by CEN/CENELEC and published in the Official Journal of the European Union. IEC 62443 is an international standard published by IEC/ISA. It may inform future harmonised standards, but it is not one as of the date of this page. Annex VII §5 allows citing it as an "other relevant technical specification."

❌

CRA · ANNEX I PART II

Overlooking CRA-specific obligations not addressed by IEC 62443

The CRA requires: (1) an SBOM in machine-readable format (Annex I Part II point 1), (2) a coordinated vulnerability disclosure policy (Part II point 5), (3) ENISA vulnerability notification within 24 hours (Article 14), (4) user information including support period end-date (Annex II point 7). IEC 62443 does not specify these requirements.

8 CRA documents — referencing IEC 62443 in Annex VII §5

CRACheck generates the CRA documentation, referencing IEC 62443 in the standards section and documenting CRA-specific requirements independently.

Product Classifier

Annex III / Annex IV classification. Conformity assessment module.

Technical Documentation

Art. 31 + Annex VII. Complete dossier.

Risk Assessment

Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.

User Information

Annex II. 9 required information points.

Declaration of Conformity

Art. 28 + Annex V. Ready for signature.

CVD Policy

Annex I Part II point (5). Coordinated vulnerability disclosure.

Notification Template

Art. 14. ENISA 24h/72h/14d notification.

Obligations Calendar

Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

IEC 62443 certification + CRA documentation: cost comparison

🧾 IEC 62443 CERTIFICATION + CRA GAP ASSESSMENT

€20,000–€50,000

IEC 62443 certification: €15,000–€40,000. CRA gap assessment: €5,000–€10,000.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history