What does the Cyber Resilience Act mean for the railway sector?
06/02/2026

Railway

Our article on the Cyber Resilience Act has been published in SIGNAL+DRAHT magazine (11/2025).

Key question: How do you implement a horizontal EU regulation in a sector where signal boxes run for 50 years while cyber threats change every month?

The CRA introduces two deadlines that pack a punch: From September 2026, actively exploited vulnerabilities must be reported within 24 hours – for all products, including those that have been in use for decades. From December 2027, every new product on the EU market will require a CRA declaration of conformity.

Key takeaways:

  • From 11 September 2026, actively exploited vulnerabilities must be reported to ENISA and the national CSIRT within 24 hours – including products that have been on the market for 20 years or more
  • From 11 December 2027, every new product requires a CRA declaration of conformity with CE marking
  • Spare parts are exempt as long as they remain identical or functionally equivalent
  • Compatible system extensions may use old, non-CRA-compliant interfaces
  • IEC 62443 already meets almost all CRA requirements – those using this framework are well positioned

The good news: There are solutions. The less good news: “Business as usual” is not an option.

The full article can be downloaded here:

What does the Cyber Resilience Act (CRA) mean for the railway sector?
© 2026 INCYDE