Cybersecurity
Profinet enables CRA conformity
The EU Cyber Resilience Act (CRA) will require all manufacturers of products with digital elements to implement comprehensive security measures from December 2027. After a thorough review of its technologies, Profibus & Profinet International (PI) has come to the conclusion that Profinet already provides the basis for CRA compliance.
"The requirements of the CRA present companies with major challenges," says Xaver Schmidt, CEO of PI. "Our analysis shows: Manufacturers who rely on Profinet already have a solid basis for CRA compliance today. With higher security requirements, manufacturers can gradually expand their products with Profinet security features in the future - from authenticated secure communication to full encryption."
The CRA requires manufacturers to assess the cyber security risks of their products. They analyze possible attack scenarios and evaluate the required protection for industrial communication. Depending on the risk assessment, manufacturers can implement individual or multiple building blocks from the Profinet security architecture to meet the CRA requirements for secure communication:
- Secure Cell: Network segmentation and access control (cell protection concept) can already be implemented with today's Profinet installations. Additional hardening measures are available with the Profinet specification V2.5.
- Secure Access: Direct, secure access to devices from higher-level networks for applications ranging from asset management to artificial intelligence.
- Secure Realtime: Integrity, authentication and, if required, confidentiality through cryptographic protection of acyclic and cyclic real-time communication for critical infrastructures.
The Secure Access and Secure Realtime modules are described in the Profinet specification V2.5, which will be published in mid-2026.
"Cyber security is not a one-size-fits-all approach, but must be scalable - from small standalone machines to systems distributed over many kilometers," says Schmidt. "The Profinet architecture covers the entire spectrum: from network segmentation to cryptographically secured real-time communication - while maintaining the same level of performance. The decisive factor is that many manufacturers can use their existing Profinet installations as a basis and expand them as required. This enables a needs-based implementation of the CRA without compromising on data access."
PI is developing the Profinet specification in close cooperation with TÜV SÜD and is based on the industry standard IEC 62443.










