Download the guide

Get your free copy of "CRA Evaluation and Connectivity Strategy" and gain a practical framework for evaluating embedded connectivity decisions under the CRA.

What you'll learn:

  • How the CRA affects products with embedded communication

  • How to assess the cybersecurity responsibilities associated with industrial network connectivity

  • The long-term implications of maintaining protocol stacks and communication software internally

  • Key differences between in-house embedded communication and ready-made communication interfaces

  • A practical framework for making future-proof connectivity decisions

 

who_is_this_for_whitapaper

Who should read this guide?

If you're responsible for developing connected industrial products, managing product cybersecurity requirements, or making decisions about embedded communication and long-term product lifecycle management, this guide will help you understand how the Cyber Resilience Act impacts those decisions and what it means for your organization.

What you'll find inside

CRA evaluation framework

A practical approach to understanding how the CRA applies to products with embedded communication.

In-house vs. ready-made communication

A structured comparison of the responsibilities, resources, and risks associated with different embedded communication strategies.

Long-term lifecycle considerations

Insights into cybersecurity maintenance, update management, compliance documentation, and product lifecycle responsibilities.

FAQ

Questions and answers about CRA and embedded connectivity

When you use a ready‑made connectivity solution from a specialist like HMS, a significant part of the CRA workload at the connectivity layer shifts from your team to the supplier. 


This includes responsibility for: 

  • secure development of the communication interface 

  • vulnerability monitoring and disclosure 

  • firmware management and updates 

  • security documentation 

  • long‑term lifecycle support 

Your team still owns the complete product, including risk assessment and overall compliance. But the amount of work you need to build and maintain internally is significantly reduced. 

For many manufacturers, this is the most practical way to meet CRA requirements without expanding internal engineering resources. 

Existing Anybus CompactCom users are in a strong position, but CRA does introduce some new considerations. The most important is to ensure the integration follows the intended-use guidance in the Secure Device Integration Guide. For example, disabling unused ports and services, implementing access controls, and aligning device documentation with CRA requirements. 

It is also a good opportunity to standardize CompactCom use across more products and variants, so that connectivity security, updates, and documentation can be managed consistently through the HMS lifecycle rather than handled differently for each product. 
For device makers who build connectivity into their products, HMS offers the Anybus CompactCom family of embedded communication interfaces.  

CompactCom integrates directly into a device’s PCB or housing and provides industrial network connectivity, such as PROFINET or EtherNet/IP, without the device maker needing to develop or maintain the underlying communication stack. HMS develops, tests, documents, and maintains CompactCom, so the connectivity-layer CRA workload transfers to HMS rather than sitting with the device maker’s engineering team.  

It is available in two main variants depending on the intended use: the standard CompactCom 40 for trusted industrial OT environments, and the CompactCom 40 IIoT Secure for devices that connect to IT systems, IIoT platforms, or operate outside trusted networks. 
Yes, significantly. 

CRA turns in-house connectivity into a long-term organizational commitment, not just an engineering task. If you own the protocol stack, you own everything that comes with it under CRA - the secure development lifecycle, vulnerability monitoring, SBOM maintenance, firmware signing and update mechanisms, security documentation, and lifecycle support for as long as the product is on the market. That is a substantial and continuous workload.  

The key question manufacturers need to consider is whether maintaining connectivity is where their engineering resources create the most value, or whether it has become a maintenance obligation that is now much more visible and costly under CRA. 
By integrating CompactCom, device makers inherit HMS’s certified development processes - including IEC 62443-4-1 ML3, ISO 9001, and ISO 27001 - along with firmware management, vulnerability disclosure, security datasheets, and long-term lifecycle support. That is the bulk of the connectivity-layer CRA workload taken off the device maker’s plate. What remains with the device maker is responsibility for the host application, the product risk assessment, intended-use documentation, and the overall device conformity - but the connectivity security infrastructure itself is HMS’s responsibility to build and maintain.