Rooted in Security,
Building the Future of Industry Together
Inovance’s Comprehensive Response to the EU Cyber Resilience Act (CRA)
I. Context: A New Era of Global Industrial Cybersecurity
As industrial digital transformation accelerates and connected devices proliferate, regulatory scrutiny of cybersecurity is tightening worldwide, and digitally enabled industrial products face broader and more stringent compliance requirements. The European Union’s Cyber Resilience Act (CRA), a mandatory regulation for products with digital elements, requires end-to-end security governance throughout a product’s lifecycle and raises the bar for industrial cybersecurity.
For industrial sectors, both automation hardware and industrial control software fall under this regulatory oversight. Cybersecurity responsibility no longer ends at product launch; it spans the entire lifecycle, including the period after the product is placed on the market. Inovance has positioned itself to meet these demands, offering secure, reliable, and compliant industrial automation solutions to clients globally.
II. Inovance’s Perspective: A New Engine for Product Security
The essence of product cybersecurity lies in building an intrinsic system of “security by design” and “full-lifecycle protection”, coupled with strict vulnerability management and traceability mechanisms. Compliance with the CRA is fundamentally an expression of commitment to product security and respect for customer trust. Inovance has internalized the CRA’s core requirements and is systematically integrating them into its operations.
i. Built-in Security
The CRA requires cybersecurity to be integral to the product, spanning planning, design, production, and delivery. Security must be proactive: risks are identified during the requirements phase, threat modeling is conducted, and key capabilities such as access control and data encryption are embedded in the product architecture rather than bolted on later. Products are shipped with secure default configurations, minimizing vulnerabilities at the source.
ii. Systematic Vulnerability Management
The CRA calls for a structured vulnerability handling capability: establishing external channels through which vulnerabilities can be reported, defining clear internal processes for triage, assessment, and remediation, and maintaining mechanisms for rapid response and for security support over the product’s support period.
iii. Traceable Evidence
Under the CRA, companies must not only implement security and compliance measures but also establish a complete, auditable evidence chain. Every stage, from security requirements, risk assessment, design, coding, testing, and patching to incident response and supply chain management, requires thorough documentation under version control, so that every step is recorded and traceable.
iv. Systematic Compliance
The CRA extends beyond individual products and tests the robustness of the entire security management system. It requires conformity assessment appropriate to the product’s risk class, the creation of Software Bills of Materials (SBOMs) that identify components and dependencies, and comprehensive supply chain scrutiny, so as to achieve full lifecycle transparency and systematic compliance.
III. Inovance’s Practices: Strengthening Security Across the Chain
Global industrial manufacturers face dual challenges: translating the CRA’s high-level legal requirements into actionable technical implementations, and demonstrating compliance throughout the product lifecycle. Inovance has proactively aligned its long-standing security practices with the CRA’s requirements, leveraging technical expertise and international compliance experience to identify potential risks and strengthen customer security amid the wave of industrial digitalization.
i. From Regulation to Engineering Practice
Certification & Testing: Products are developed following industry best practices such as IEC 62443, and relevant certifications have already been obtained. Security activities including vulnerability scanning, penetration testing, and threat modeling are conducted on a routine basis. Inovance also aligns with other information security standards and works with globally recognized bodies for third-party security assessments and certifications.
Secure Design: CRA requirements are integrated at the product design stage to minimize the attack surface and to implement communication integrity and confidentiality, session management, and access control.
Technical Documentation & CE Marking: For products under development, technical documentation such as security design reports, vulnerability handling records, SBOMs, and test reports is progressively compiled in accordance with CRA Annex VII, which specifies the contents of the technical documentation.
Supply Chain Standardization: A supply chain security management specification has been established that integrates CRA requirements into supply chain governance. Core suppliers are assessed for CRA readiness, with a focus on their secure development capabilities and vulnerability management maturity. Efforts include tracking suppliers’ bill-of-materials practices and providing technical support so that compliance across the chain advances in step.
ii. Lifecycle-Wide Traceable Evidence
Secure Development Lifecycle: A Secure Development Lifecycle (SDL) system conforming to IEC 62443-4-1 has been established and assessed at maturity level 3 (ML3). Cybersecurity activities are standardized and embedded into each phase of product development.
Vulnerability Management: Continuous product security testing and threat analysis are carried out, coordinated by a dedicated security team. Drawing on practical security testing experience and on internal and external vulnerability reporting channels, Inovance continuously refines its vulnerability discovery and handling processes.
SBOM Management: Third-party component risks are managed through SBOMs, and vulnerability remediation records are preserved so that products are secure as delivered. A product risk traceability mechanism links components to the products that ship them, enabling fast root-cause analysis and closed-loop resolution of future security issues.
After-Sales & Maintenance: For the support period the CRA requires, a security update support mechanism and End-of-Support (EoS) lifecycle management are in place. Remote security update channels ensure timely patch delivery and reduce the cost of manual intervention.
IV. Strategic Advancement: Compliance-Driven Innovation for a Secure Ecosystem
Building on a deep understanding of the CRA and on its existing security framework, Inovance is integrating security controls as standard practice across the entire product development lifecycle, anchored by the IEC 62443-4-1 standard, and continues to reinforce relevant security measures and systematically align its products’ security capabilities with the CRA.
Inovance remains committed to advancing industrial cybersecurity: partnering across the value chain to enhance overall control system security, delivering secure industrial automation solutions worldwide, earning trust in both domestic and international markets through demonstrated product security, and building a secure industrial digitalization framework together with ecosystem partners.