In June 2025, the ISA Global Cybersecurity Alliance (ISAGCA) held a panel discussion at the ISA OT Cybersecurity Summit in Brussels, Belgium, focusing on significant recent regulatory and standards developments affecting OT (operational technology) cybersecurity in Europe. The discussion centered on the Cyber Resilience Act (CRA), the Radio Equipment Directive (RED), their implications and the supporting role of standards — particularly the ISA/IEC 62443 series — within the evolving compliance landscape.
In July 2025, two of the panelists presented insights from the discussion at the monthly ISAGCA meeting. This blog post provides a summary of the information covered during that meeting.
Panelists and Introductions
The key presenters included Lukasz Kister, cybersecurity director at Honeywell and member of the European Commission CRA Expert Group, and Steve Ferguson, managing director of standards and technical activities at the International Society of Automation (ISA). Another panelist, Eloïse Ryon, senior manager for Europe digital policy at Schneider Electric, participated in Brussels but could not attend the ISAGCA meeting.
Overview of CRA and RED
Lukasz Kister started by framing the current regulatory structure in Europe, distinguishing between the Radio Equipment Directive (RED) and the new CRA. He explained that, as of 1 August 2025, all radio equipment products sold in Europe must comply with RED, which includes harmonized product requirements (EN 18031). Currently, this allows for self-assessment using harmonized standards without the need for external certification.
Looking ahead, Kister mentioned that, beginning in December 2027, the CRA’s cybersecurity requirements will supersede those of RED. At that point, manufacturers will need to focus solely on the CRA, streamlining compliance activities for digital and connected products entering the EU market. Significantly, the European Commission is working on implementing acts and official guidelines to clarify how the CRA applies, but there is an acknowledged delay before harmonized standards relating directly to the CRA will be available.
In the interim, Kister recommended that companies rely on internationally recognized standards, most notably the ISA/IEC 62443 series. Specifically, ISA/IEC 62443-4-1 applies to secure development lifecycle processes, and ISA/IEC 62443-4-2 to product-level security; both align closely with the emerging CRA requirements, although the CRA adds organizational components relating to vulnerability management and notification.
Standards as Compliance Tools
Steve Ferguson built on Kister's overview, emphasizing the complementary nature of RED and CRA. RED targets secure communications for radio devices, while CRA establishes a broader product security framework. Ferguson said their combined impact may lead to changes in global policies, similar to the effects seen from GDPR. He noted that CRA and RED require all parties in the supply chain, including suppliers and distributors — not just manufacturers — to demonstrate compliance if they wish to access the European market.
He cited the current gap in harmonized EU standards, noting the ongoing efforts by CENELEC to develop hEN (harmonized European standard) versions of ISA/IEC 62443. Ferguson stressed the importance of feedback loops, where experiences and regulatory feedback from Europe inform the continuous improvement of global standards. Until harmonized standards emerge (expected by 2027), organizations will need to demonstrate compliance by other means, which could include internal compliance with ISA/IEC 62443.
Kister added that the harmonized standard for RED already aligns tightly with ISA/IEC 62443-4-2, serving as a positive precedent for similar alignment under CRA. Both panelists agreed that, while full harmonization is pending, adherence to ISA/IEC 62443 positions manufacturers well for future compliance within Europe.
Compliance Risks and Opportunities
Kister framed the evolving CRA requirements as opportunities to enhance organizational cybersecurity processes. As an example, he highlighted that Honeywell’s products are already largely compliant with ISA/IEC 62443-4-2, either certified or in preparation, and that CRA provides an impetus for further improvement and stakeholder dialogue.
The main uncertainties, per Kister, stem from delays in harmonized standards and guidance from the European Commission. However, he cited positive developments: the recognition of ISA/IEC 62443 as a foundational reference within CRA implementation, and the European Commission’s direction to standards organizations to use ISA/IEC 62443 as a core building block for new harmonized standards. This recognition extends particularly to products in the IoT and ICS (industrial control systems) domains.
Managing Compliance Risk through Standards Integration
Ferguson emphasized that deeply integrating mature standards frameworks like ISA/IEC 62443 helps organizations not only anticipate evolving regulations but also provide clear, proactive evidence of due diligence within a structured compliance approach. Adopting such standards enables common language and best practices across internal teams and external auditors, simplifying regulatory inspections.
He referenced the newly published version of ISA/IEC 62443-2-1, released in February 2025, which features detailed cross-reference tables mapping requirements to other major frameworks, including NIS2, ISO/IEC 27001 and the NIST Cybersecurity Framework. This cross-mapping helps organizations demonstrate compliance, identify gaps and address regulatory demands efficiently, even though ultimate compliance decisions rest with regulators.
Looking to the future, Ferguson anticipated continuous feedback from European standardization efforts into global ISA/IEC 62443 development, ensuring technical alignment. He also predicted greater clarification on the partitioning and harmonization of IT and OT controls within standards. He encouraged interested professionals to participate in standards development, influencing the direction of ISA/IEC 62443 in response to regulatory demands.
Conclusion and Next Steps
Kister closed by advising patience as industry awaits further guidance and publications from the European Commission, expected later in 2025. These will clarify how organizations should implement CRA and align it with recognized standards.
Anyone with questions related to CRA and ISA/IEC 62443 is invited to email Michelle Ritterskamp at mritterskamp@isa.org (subject: ISAGCA: CRA question). A webinar may be planned if there is sufficient interest.