EU Cybersecurity Regulation

EU Cyber Resilience Act
Compliance with BlastShield

The BlastShield Security Gateway is a hardware-independent software package that can be installed in a VM or container, or purchased as a pre-installed appliance from our partners (see the bottom section of the page for appliances). It delivers Network Cloaking, terminates Secure Remote Access connections, and uses software-defined segmentation to secure OT networks.

Dec 2024

CRA entered into force

Sept 2026

Incident reporting obligations apply

Dec 2027

All product requirements apply

Now

Prepare compensating controls for legacy devices

About the Regulation

What Is the Cyber Resilience Act — and What Does It Mean for OT?

Regulation (EU) 2024/2847 — the Cyber Resilience Act — introduces mandatory cybersecurity requirements for any product with digital elements placed on the EU market. This includes hardware and software components in industrial automation and control systems: PLCs, RTUs, HMIs, sensors with digital interfaces, SCADA components, and network equipment used in OT environments.

The CRA applies primarily to manufacturers — the companies that design and sell these products — who must ensure their products are secure by design, ship with secure default configurations, have no known exploitable vulnerabilities at launch, include update mechanisms, and come with vulnerability disclosure obligations.

For OT operators, the CRA matters in two distinct ways: first, future product purchases will need to demonstrate CRA conformity. Second, and more immediately, the vast installed base of legacy OT equipment — most of which predates the CRA and will never be updated to meet its requirements — needs a risk management approach that satisfies both the CRA's intent and adjacent regulations like NIS2.

The legacy problem: The CRA applies to products placed on the market after its requirements take effect. Your existing fleet of PLCs, RTUs, and SCADA systems — installed over the past 10–20 years — will never be CRA-compliant. They may have known unpatched vulnerabilities, accept no authentication, transmit in plaintext, and have no update mechanism. The CRA does not require you to replace them. But NIS2 does require you to manage the risk they represent. BlastShield is that risk management layer.

CE marking under CRA: Products that comply with CRA essential requirements carry a CE mark indicating conformity. From December 2027, OT operators should give preference to CRA-compliant products in procurement. For existing non-compliant devices, documented compensating controls demonstrate due diligence to regulators.

About the Regulation

CRA Product Categories — OT Implications

The CRA categorizes products by risk level. Higher-risk categories require third-party conformity assessment. Most OT components fall into the default or important classes.

Default Products with Digital Elements

The majority of connected OT components. Manufacturers can self-certify compliance through internal conformity assessment.

Includes: most network equipment, standard sensors, general-purpose software

Self-Assessment

Important Products — Class I

Higher-risk products where vulnerabilities could have significant impact. OT-relevant examples include industrial routers and switches, SCADA components.

Includes: industrial network devices, security products, remote access software

Self-Assessment or Harmonised Standards

Important Products — Class II

Products with more significant potential impact requiring stricter conformity assessment procedures.

Includes: industrial automation and control systems, PLCs in certain categories, OS for industrial devices

Third-Party Conformity Assessment

Critical Products with Digital Elements

Highest-risk category including hardware devices with security boxes and critical infrastructure components. Strictest conformity requirements.

Includes: hardware security modules, smart meter gateways, safety-critical controllers

Mandatory EU-Type Examination

About the Regulation

What Is the Cyber Resilience Act — and What Does It Mean for OT?

CRA compliance for OT operators has two distinct dimensions. BlastShield addresses both.

Angle 1: Legacy Device Risk

Compensating Controls for Non-CRA-Compliant OT Assets

Your installed base of PLCs, RTUs, and legacy SCADA components will never achieve CRA compliance — they cannot be patched, updated, or reconfigured to meet the Annex I essential requirements. BlastShield acts as the architectural control layer that compensates for their non-compliance: cloaking them from unauthorized discovery, enforcing MFA at the network boundary before any packet reaches the device, and preventing lateral movement if an attacker does breach an adjacent system.

Regulators examining NIS2 Article 21(f) (vulnerability management) expect to see documented compensating controls for unpatchable assets. BlastShield's zero-trust overlay is exactly that documentation — and it's enforceable, not just theoretical.

Angle 2: Supply Chain Risk Management

Managing CRA Compliance Risk from OT Product Vendors

As the CRA enforcement date approaches, OT operators will need to validate that the products they procure from manufacturers demonstrate CRA conformity. But vendor OEM engineers still need remote access to maintain existing equipment in the meantime. BlastShield manages this risk by controlling and auditing all vendor remote access — ensuring that even a vendor whose products may have CRA compliance questions cannot use remote access to introduce vulnerabilities or exfiltrate data.

BlastAccess creates a scope-limited, session-recorded, identity-verified maintenance channel. Vendors service only the specific devices they are authorized for. Every session is captured for compliance evidence.

Annex I Mapping

CRA Essential Requirements — BlastShield as Compensating Control and Compliance Architecture

CRA Annex I Section 1 defines the product security requirements. For legacy OT assets that cannot meet these natively, BlastShield provides the compensating control layer. For BlastShield itself as a product, these requirements are built into its design.

Annex I Requirement

What the CRA Requires of Products

BlastShield as Compensating Control for Legacy OT Assets

Coverage

Annex I §1(1)

No Known Exploitable Vulnerabilities
Products must be placed on market without known exploitable vulnerabilities

Legacy OT assets cannot satisfy this — they ship with known, unpatched CVEs that will never be addressed. BlastShield's Network Cloaking makes these vulnerabilities unreachable: the device is invisible to unauthorized scans, and no exploit can land on what cannot be discovered. The CVE exists; the attack path does not.

Compensating Control

Annex I §1(2)

Security by Default Configuration
Products must be delivered with a secure by default configuration, including the ability to reset to original state

BlastShield itself ships with a deny-by-default Zero Trust policy — nothing is permitted unless explicitly authorized. For legacy OT assets that shipped with no authentication and open access, BlastShield retrofits a secure default at the network boundary: access is denied until identity is verified, regardless of the device's native security configuration.

Compensating Control

Annex I §1(3)

Confidentiality, Integrity, and Availability Protection
Products must protect confidentiality, integrity, and availability of stored, transmitted, and processed data

All communications to and from BlastShield-protected OT assets travel through AES-256 encrypted peer-to-peer tunnels. Plaintext industrial protocols (Modbus, DNP3, etc.) are wrapped in encrypted transport — no attacker with physical access to the network can read operational commands or sensor data. Integrity and availability are maintained through segment isolation that prevents a breach from propagating.

Compensating Control

Annex I §1(4)

Minimal Attack Surface
Products must minimize their attack surface, including external interfaces

BlastShield's core capability is attack surface reduction. Protected OT assets are invisible to unauthorized endpoints — they do not respond to pings, scans, or connection attempts from non-authenticated sources. There are no exposed management ports, no open services visible to the network. The attack surface is functionally zero for anyone outside the authenticated overlay.

Compensating Control

Annex I §1(5)

Protection Against Unauthorized Access
Products must be designed to limit access to authorized users, processes, and services only

BlastShield enforces identity-based least-privilege access at every connection attempt. Users and devices must authenticate with phishing-resistant MFA before establishing any connection to an OT asset. Unauthorized parties cannot access what they cannot reach — and they cannot reach what is invisible.

Compensating Control

Annex I §1(8)

Security Logging
Products must record security-relevant events; logs must be available for investigation

The BlastShield Orchestrator logs all access events — authentication attempts, successful connections, denied probes, session duration and termination — with full user identity and timestamp. For legacy OT assets with no native logging capability, BlastShield provides the security event record that CRA and NIS2 both require. Logs export via Syslog to enterprise SIEM platforms.

Full Coverage

Annex I §1(9)

No Unauthorized Access Channels
Products must not contain undocumented access capabilities, functions, or backdoors

BlastShield's Software-Defined Perimeter ensures that all network access paths are explicitly defined, authenticated, and auditable. The Orchestrator maintains a complete, version-controlled record of all access policies. Any connection that has not been explicitly authorized through the policy system is structurally impossible — not just blocked by a rule that could be misconfigured.

Full Coverage

Annex I §2

Vulnerability Handling
Manufacturers must identify vulnerabilities, distribute security updates, and coordinate disclosure

For OT operators, this requirement on product manufacturers creates supply chain risk management obligations under NIS2. BlastShield addresses this by controlling and auditing all manufacturer/vendor remote access — ensuring vendor maintenance sessions cannot be used to introduce new vulnerabilities or exfiltrate operational data. BlastAccess session recording provides evidence of authorized vendor activity.

Supply Chain Control

Practical Guidance for OT Operators

What OT Operators Should Do Now to Prepare for CRA

Inventory Your OT Assets Against CRA Product Categories

Identify which OT components in your environment fall under CRA product categories — particularly Class II Important Products (industrial automation and control systems) and critical products. Document their current vulnerability status and whether any update path exists.

Deadline: Complete before Dec 2027 compliance date

Establish Compensating Controls for Legacy Assets

For assets that will never be CRA-compliant, implement and document compensating controls that achieve the security outcome the CRA requires. Network isolation, authenticated access boundaries, and encrypted communications satisfy regulatory due diligence — and BlastShield delivers all three without touching the legacy device.

Action: Deploy BlastShield before CRA reporting obligations begin Sep 2026

Tighten Vendor Remote Access Controls

CRA places vulnerability disclosure obligations on your OT equipment suppliers. But until their products achieve compliance, you must manage the risk of their remote maintenance access. Replace uncontrolled VPN access with BlastAccess: scope-limited, session-recorded, phishing-resistant maintenance channels.

Action: Audit all third-party OT access paths; migrate to BlastAccess

Update Procurement Requirements

As the CRA enforcement date approaches, update your OT equipment procurement specifications to require CRA conformity declarations from manufacturers. Prefer CE-marked products where available. Document exceptions with compensating controls for any non-compliant products that must still be purchased.

Deadline: Build into 2026 procurement cycles

Create a Security Event Log for OT Infrastructure

Both the CRA and NIS2 require access logging and incident reporting capabilities. Most legacy OT assets have no native logging. BlastShield provides the security event record for every OT asset it protects — authentication events, access grants, denied probes, and session data — exportable to SIEM for retention and analysis.

Action: Connect BlastShield logs to your SIEM before Sep 2026 reporting obligations

Coordinate with National Cybersecurity Authority

CRA enforcement runs through national market surveillance authorities. NIS2 incident reporting runs through national CSIRTs. Establishing early dialogue with your national authority, demonstrating a documented compensating control architecture, positions you favorably before mandatory reporting obligations begin.

Action: Prepare CRA gap assessment and compensating control documentation

Regulatory Intersection

CRA and NIS2 Are Designed to Work Together

The CRA and NIS2 are complementary, not redundant. The CRA focuses on the security of products with digital elements — the hardware and software that makes up OT infrastructure. NIS2 focuses on the security practices of the organizations that operate that infrastructure. Together they create a supply-side and demand-side security mandate for OT environments.

Under NIS2 Article 21(d), essential and important entities must address cybersecurity risks in their supply chain — which explicitly includes the security of products they procure. A NIS2-compliant operator must therefore have a view on which of their OT products are CRA-compliant (or on what timeline they will become so) and what compensating controls exist for those that are not.

BlastShield in the CRA/NIS2 Stack

→ For NIS2 Article 21(d): BlastShield controls and audits all third-party vendor access, demonstrating active supply chain risk management.

→ For NIS2 Article 21(f): BlastShield provides documented compensating controls for unpatchable OT assets with known CVEs.

→ For CRA Annex I: BlastShield compensates for legacy assets that cannot meet essential product security requirements by providing network-layer enforcement of those outcomes.

→ For both regimes: BlastShield's audit logs satisfy the security event recording requirements that both regulations require.

Ready to Build Your CRA and NIS2 Compliance Architecture?

Our European compliance specialists help OT operators develop a defensible compensating control architecture that addresses both CRA and NIS2 — before enforcement deadlines arrive.

Contact Us

Our Privacy Policy applies.