Mitsubishi Electric completes full acquisition of Nozomi Networks
Cyber Resilience Act: Mitsubishi Electric ensures CE compliance with resilience management
Friday, 6 February 2026 | Editorial team
No chance for ransomware attacks thanks to Cyber Resilience Act, Photo: Getty Images

With the publication of Regulation (EU) 2024/2847 on November 20, 2024, the European Union introduced the Cyber Resilience Act (CRA), which enshrines cybersecurity for products with digital components in law. The CRA requires manufacturers, importers, and distributors to demonstrably implement cybersecurity requirements throughout the entire product lifecycle. This includes secure development (“secure by design”), preset security features (“secure by default”), and regular, free security updates. Mitsubishi Electric is one of the companies that integrated the CRA into its development, operation, and support processes at an early stage, with a focus on documented measures, secure updates, and standard-compliant system architectures. Reporting requirements for actively exploited security vulnerabilities will apply from September 11, 2026, and all requirements will come into full effect from December 11, 2027. This makes the CRA a central component of CE conformity assessment for digital industrial products.

Binding processes for operators of networked systems

The CRA creates clear framework conditions for operators of networked production systems. Binding update and reporting processes increase predictability and reduce cyber risks along the supply chain. Controls, HMIs, and network technologies must not only be functionally capable, but also cyber resilient and auditable. These requirements aim to systematically prevent manipulation, unauthorized access, or known vulnerabilities and to make documented measures verifiable.

Mitsubishi Electric integrates Cyber Resilience Act requirements into product development and support

Mitsubishi Electric provides an example of how CRA requirements can be implemented: the company consistently integrates security requirements into development, operation, and support. A Product Security Incident Response Team (PSIRT) coordinates vulnerability management and publishes countermeasures. In addition, Mitsubishi Electric acts as a CVE Numbering Authority (CNA) to clearly identify security vulnerabilities and communicate them transparently.

Key technical measures include signed firmware updates, role-based access control, and monitoring concepts that protect operations and ensure compliance. Alignment with international standards such as IEC 62443-4-2 creates a robust basis for auditing and verification within the framework of CE marking.

Practical examples: From HMI to PLC: Technical measures for auditable cyber resilience

Modern HMI platforms such as the new “GOT3000” series use signed firmware updates, restrictive default configurations, and role-based user management to minimize attack surfaces. PLC systems such as the “MELSEC” and “MX-F” platforms are made resilient to cyber attacks through separate engineering and operating networks, encrypted remote access, and defined update processes.

Typical evidence of CRA compliance includes complete software bills of materials (SBOMs), documented patch and log processes, and transparent communication of support periods. Similar principles apply to drives, robots, and engineering software: secure communication paths, disclosed CVEs, and clear lifecycle support periods increase resilience and support verification in the context of CE marking.

Regulatory pressure and growing threats

The relevance of the Cyber Resilience Act is underscored by the current threat landscape: According to the Dragos Report, the number of ransomware attacks on industrial organizations in 2024 increased by more than 87 percent compared to the previous year. At the same time, the implementation of the NIS 2 law in Germany is tightening the requirements for companies. Since the end of 2025, around 29,000 companies have been subject to extended security and reporting requirements. In this environment, cybersecurity is explicitly becoming a management task and complements the CRA's requirements along the industrial supply chain. 

Cyber Resilience Act: Opportunities for greater trust and transparency

Beyond compliance, the CRA offers the opportunity to strengthen trust in industrial systems. Mitsubishi Electric offers solutions for secure, future-proof production, from secure firmware updates and access controls to monitoring concepts. With such measures, manufacturers and operators can increase the resilience of their solutions while simplifying the verification process for audits. Supplementary checklists and security advisories facilitate practical implementation and provide clarity on necessary processes. Practical examples such as fixed patch windows for HMIs or engineering access via secure jump hosts show how security and productivity can be reconciled. 

Nozomi Networks acquisition: OT security as a strategic component of the Cyber Resilience Act

Against the backdrop of CRA requirements, Mitsubishi Electric is also specifically expanding its portfolio in the area of OT security. At the end of January 2026, the company completed its acquisition of US provider Nozomi Networks for approximately $883 million. Nozomi develops and sells security solutions for OT and IoT environments and is particularly well established in critical infrastructure sectors such as energy, railways, and manufacturing. By integrating Nozomi as a wholly owned subsidiary, Mitsubishi Electric is significantly expanding its cybersecurity software offering. The aim is not only to advise customers on compliance with regulatory requirements such as the Cyber Resilience Act, but also to provide technical solutions that cover both traditional IT security and the protection of machine and production networks.
