Cyber Resilience Act: How to prepare your SCADA?

The Cyber Resilience Act marks a turning point for manufacturers: the software that controls, supervises or historizes your operations will have to meet new European cybersecurity requirements. SCADA, HMI, historians, industrial gateways or industrial data platforms... your software choices will soon be under close scrutiny by your cybersecurity teams, your auditors, your insurers and your principals. Thanks to its Secure by Design approach and ongoing investment in cybersecurity, AVEVA is evolving its solutions to help manufacturers prepare for the demands of the Cyber Resilience Act. Factory Software helps you anticipate these changes and secure your industrial environments for the long term.

The CRA in figures

€10 trillion: global cost of cybercrime

26% of attacks target industry

200 days before intrusion detection

2.5% of sales: maximum CRA fine

24 hours to declare a vulnerability

Presentation

What the CRA means for your industrial systems

The Cyber Resilience Act is profoundly transforming the way in which manufacturers must approach their digital systems. From now on, cybersecurity no longer relies solely on internal operations: it depends directly on the software and equipment deployed in your environments. SCADA, HMI, historians or data platforms will have to prove their compliance, their level of support and their ability to manage vulnerabilities over time.

For software publishers, this means total responsibility for the product lifecycle: security integrated from the design stage, ongoing maintenance, transparency and accessible documentation for audits. For manufacturers, this means increased pressure for contract renewal, customer audits and insurance requirements.

In this context, AVEVA solutions already meet these requirements, by integrating safety and lifecycle policies in line with forthcoming European standards.

Cyber Resilience Act puts industrial systems under the microscope

The Cyber Resilience Act reinforces the cybersecurity requirements applicable to the software and equipment that drive industrial operations. SCADA, HMI, historians, PLCs and other OT systems play an essential role in production and business continuity. Their compromise can lead to production stoppages, financial losses or security risks. Manufacturers must therefore ensure that the solutions they deploy incorporate robust cybersecurity mechanisms, rigorous vulnerability management and a software lifecycle that complies with the new European requirements.

Production-critical systems

These solutions directly control industrial operations. A fault can lead to production stoppages, quality defects or security incidents.

System interconnection

SCADA, MES, ERP and cloud are interconnected. A vulnerability can quickly spread to the entire industrial system.

Extended attack surface

Historians, OPC-UA gateways, edge devices: the scope goes beyond SCADA. Every component becomes a potential entry point.

Immediate operational impact

Unlike IT, an OT attack has physical consequences: line stoppage, loss of production, human risks.

Reinforced audit requirements

Class II systems must prove their compliance via independent audits, with full documentation and traceability.

AVEVA, a publisher already aligned with the requirements of the Cyber Resilience Act

Organization-wide cyber security

Cybersecurity is promoted at the highest level of the company and disseminated throughout the AVEVA ecosystem: R&D teams, partners, distributors. It is integrated into decision-making processes, development methods and operational practices, and not added after the fact.

Controlled, transparent lifecycle

AVEVA's lifecycle policy guarantees complete monitoring of each software version: defined support periods, security updates, vulnerability management and migration plans. This transparency enables manufacturers to anticipate their CRA audits and secure their technological choices.

Security by design throughout the software chain

AVEVA applies a complete Secure Development Lifecycle: analysis of third-party components, vulnerability scans, securing development environments and integrating protection mechanisms right from the design stage. The result: secure software by default, designed to withstand today's threats.
FAQ

Questions to ask yourself

What are the concrete risks we run in the event of a cyber attack or CRA non-compliance?

A cyber attack, or the use of software that does not comply with the Cyber Resilience Act, can have immediate and critical consequences for your operations. You could face production stoppages, loss of sensitive data or major disruptions to your industrial systems.

Non-compliant software may also be withdrawn from the market, blocking certain projects or deployments in progress. What's more, your clients and insurers now require cybersecurity guarantees: without CRA certification, your renewals may be refused, and your premiums sharply increased.

Finally, in the event of an incident, the use of non-compliant software may be considered a breach of due diligence, directly incurring your liability.

Does our currently deployed version still benefit from active security support?

With AVEVA solutions, the lifecycle phase is clearly defined (LTS/STS) and publicly documented. You can precisely identify the duration of security support, available updates and end-of-life conditions. This ensures that your environments remain protected over time.

What are the guaranteed timescales for correcting a critical vulnerability?

AVEVA applies a structured vulnerability management process with controlled timeframes: rapid notification, publication of security advisories and provision of patches. These commitments are in line with CRA requirements.

How are vulnerabilities identified, assessed and dealt with?

AVEVA software is based on a comprehensive process: continuous monitoring (CVE), risk assessment (CVSS), prioritization and publication of security advisories. This ensures proactive, documented management of vulnerabilities across the entire portfolio.

What can we present during a CRA supplier audit?

AVEVA provides complete artifacts: trust center, certifications (ISO 27001, IEC 62443), Secure Development Lifecycle documentation, lifecycle policy and security notices. These elements can be used directly for your supplier audits.

Is the publisher committed to certification for Class II products?

AVEVA industrial solutions are part of an advanced compliance approach, including preparation for CE marking and alignment with critical system requirements (Class II), with assessment by third-party bodies.

Has the lifecycle policy been updated to incorporate CRA requirements?

AVEVA revised its lifecycle policy in 2024 to integrate CRA requirements: transparency of support periods, vulnerability management and migration planning. This approach makes it easier to anticipate audits and upgrades.

How is the software supply chain managed and secured?

AVEVA audits all its third-party components (open source and commercial), maintains a precise inventory and continuously assesses their exposure to vulnerabilities. This control of the supply chain is a key element of its cybersecurity strategy.

What security mechanisms are built into solutions by default?

AVEVA solutions natively integrate security mechanisms: strong authentication, access management, encryption, logging and configuration hardening. This "secure by design" approach limits dependence on external layers.

How are development and delivery environments secured?

AVEVA secures its environments through controlled development pipelines, automated scans and regular audits. The aim is to guarantee software integrity from conception to deployment.

Do we have full traceability of versions and patches applied?

AVEVA solutions enable precise traceability of versions, patches and updates. This visibility is essential to meet audit requirements and ensure rigorous management of industrial environments.

What is the migration strategy for end-of-life versions?

AVEVA offers structured migration paths, with clear visibility of target versions and transition plans. This makes it possible to anticipate evolutions without operational disruption.

Will our current solutions remain compliant and supported after 2027?

AVEVA has taken a proactive approach to aligning with the CRA, including maintaining security support and preparing for CE marking. Our solutions are designed to ensure sustainable compliance in critical industrial environments.

AVEVA-certified system integrators

Find out about all AVEVA-certified integrators and get in touch with them to start your project.