PROFINET offers a scalable security solution.

PROFINET Ensures CRA Compliance

Weber,

The EU Cyber Resilience Act (CRA) will require all manufacturers of products with digital elements to implement comprehensive security measures starting in December 2027. After thoroughly reviewing its technologies, PROFIBUS & PROFINET International (PI) has come to the following conclusion: PROFINET already provides the basis for CRA compliance today. Manufacturers can use existing installations and expand them step by step depending on their risk assessment. The PROFINET specification provides additional building blocks for extended security requirements.

“The CRA requirements pose major challenges for companies,” says PI Chairman Xaver Schmidt. “Our analysis shows that manufacturers who rely on PROFINET already have a solid basis for CRA compliance today. If higher security requirements are needed, manufacturers can gradually expand their products with PROFINET security features in the future – from authenticated secure communication to complete encryption.”

The CRA requires manufacturers to assess the cybersecurity risks of their products. In doing so, they analyze possible attack scenarios and evaluate the necessary protection for industrial communication. Depending on the risk assessment, manufacturers can implement individual or multiple building blocks from the PROFINET security architecture to meet the CRA requirements for secure communication:

Secure Cell: 
Network segmentation and access control (cell protection concept) can already be implemented with today's PROFINET installations. Additional hardening measures are available with the PROFINET specification V2.5.

Secure Access:
Direct, secure access to devices from higher-level networks for applications ranging from asset management to artificial intelligence.

Secure Realtime:
Integrity, authentication and, if required, confidentiality through cryptographic protection of acyclic and cyclic real-time communication for critical infrastructures. 

The Secure Access and Secure Realtime building blocks are described in the PROFINET specification V2.5, which will be published in mid-2026.

“Cybersecurity is not a one-size-fits-all approach but must be scalable – from small standalone machines to installations spread over kilometers,” says Schmidt. “The PROFINET architecture covers the entire spectrum: from network segmentation to cryptographically secured real-time communication – all while maintaining consistent performance. The key point is that many manufacturers can use their existing PROFINET installations as a basis and expand them as needed. This enables the CRA to be implemented in line with requirements without compromising data access.”

PI is developing the PROFINET specification in close cooperation with TÜV SÜD, based on the IEC 62443 industry standard.

 


Files:
Date | Filename | Type | Size
28/01/2026 | PI_CRA_Scalable_Security_2026_01_28_en.docx | docx | 3 MB
28/01/2026 | PI_Scalable_Security.jpg | jpg | 2 MB