
Helping a leading industrial manufacturer achieve a clear path to EU Cyber Resilience Act compliance

Industry: Industry & Manufacturing
Service: Regulatory Consulting

Context

Our client is a leading manufacturer of industrial controllers for power management, genset control, and grid applications, serving highly regulated sectors including energy, marine, and utilities.

With hardware and software embedded at the core of their products, they faced a pressing and complex challenge: the EU Cyber Resilience Act (CRA).

The CRA imposes stringent cybersecurity requirements on products with digital elements sold in the EU market. For the client, this meant that not only newly developed products but also legacy controller lines still in active production needed to be evaluated and brought into compliance before the regulatory deadline.

Several factors made this particularly urgent:

  • Limited implementation timeline – the regulatory deadline created hard constraints on how quickly gaps needed to be identified and addressed.
  • Legacy product complexity – several of the target devices were legacy products still in production, meaning years of accumulated technical documentation had to be analysed against modern cybersecurity requirements.
  • Multi-dimensional scope – the assessment had to cover both the technical (hardware and software) attributes of the devices and the broader organisational processes and documentation practices required to produce CRA-compliant devices.
  • No prior CRA baseline – our client needed an external, structured perspective to understand their actual compliance position before committing to a remediation roadmap.

Star and the partner organization were engaged to bring structured regulatory expertise and a proven assessment methodology, helping define the compliance baseline and provide the client with a clear, actionable path forward.

Impact

Within two months, we delivered a comprehensive CRA Gap Assessment covering all three target industrial controller devices and the client’s organisational readiness. The client received:

  • Full CRA applicability picture – each device was classified by CRA product category and risk class, giving them immediate clarity on what requirements apply and with what level of stringency.
  • Detailed gap analysis – every applicable CRA control was reviewed against actual product attributes and current documentation, identifying specific compliance gaps per device.
  • Mitigation roadmap – a prioritised, actionable set of implementation recommendations for each identified gap, structured to align with the client's available implementation timeline.
  • Organisational readiness review – an assessment of the client's existing processes, documentation practices, and internal capabilities to sustain CRA compliance post-deadline.

The delivery provided our client with the foundation to make informed prioritisation decisions, knowing precisely where they stand, what needs to change, and in what order.

Journey

The first step was establishing what the CRA actually requires of each device. Working together with a partner, Star reviewed the technical characteristics of all three controllers (hardware architecture, embedded software, communication interfaces and intended deployment context) to determine the applicable CRA product category and risk class. For the two legacy products, this meant working carefully through accumulated technical documentation to reflect the real product state rather than any idealised version of it. Getting classification right was the foundation on which everything else depended.

What's next?

The gap assessment has given our client a structured compliance baseline and a clear remediation agenda. With the roadmap in hand, the organization is positioned to move into implementation while addressing identified gaps systematically across their legacy and current product lines within the required timeframe.

Star's engagement leaves the company not only with a set of findings, but with the analytical foundation to manage CRA compliance as an ongoing operational reality: a documented understanding of their product portfolio's compliance position, and a template for conducting similar assessments as product lines evolve.
