X-DLM integration connecting Siemens Polarion and Black Duck

A ransomware hit on a PLC is not an IT incident. It is a production shutdown — and your EU CRA liability.

12% of OT devices carry actively exploitable vulnerabilities. CRA Important Class II requires third-party conformity assessment. The production line itself is what is on the line.

Industrial automation companies face a convergence of three simultaneous EU obligations in 2026. EU CRA classifies PLCs, HMIs, industrial sensors, robotics controllers, and SCADA software as Products with Digital Elements — requiring machine-readable SBOM, secure-by-design evidence, and 24-hour exploited vulnerability reporting from September 2026. Many industrial products fall into Important Class II, requiring third-party conformity assessment — not self-declaration.

IEC 62443 certification supports CRA conformity — but is not automatic equivalence. The EU Machinery Regulation, enforced from January 2027, adds Safety-Related Security Levels that must be co-engineered with functional safety requirements. A security patch that compromises a safety function fails both.

X-DLM™ connects Siemens Polarion and Black Duck so industrial automation manufacturers can govern open-source risk in OT software, produce IEC 62443-aligned SBOM and vulnerability evidence, and maintain the safety-security co-engineering audit trail — all from one governed system.

Book a Discovery Call
Lead in cybersecurity with Siemens and Black Duck.

The OT/ICS vulnerability reality in 2026

OT environments were designed for reliability, not security. EU CRA now requires manufacturers to prove every component in their industrial products is governed — before it ships.

12%

Of OT devices carry known exploitable vulnerabilities (KEVs). 7% are linked to active ransomware campaigns targeting industrial environments. Source: Claroty 2026.

2,155

ICS/OT vulnerabilities disclosed in 2025 alone — the highest volume since tracking began. Manufacturing and energy are the top two affected sectors. Source: Forescout / CISA ICS-CERT 2026.

27%

Of OT security incidents are caused by transient devices — USB drives and contractor laptops. The threat enters through the supply chain and the service workflow.

Class II

EU CRA classification for most PLCs, HMIs, industrial sensors, and SCADA software — requiring third-party conformity assessment, not self-declaration. IEC 62443 certification supports but does not automatically satisfy CRA.

Sources: Claroty 2026. Forescout / CISA ICS-CERT 2026. IIoT World 2026 OT Security Trends. EU CRA Important Products classification.

EU CRA Sept 2026 · Machinery Regulation Jan 2027 · IEC 62443 Certification Now Baseline · All Three Active

Three EU obligations. Three evidence requirements. One window to get them all right before the market asks for proof. Safety and security must be co-engineered — not bolted on separately.

EU CRA — Important Class II

Third-Party Conformity Assessment

Most industrial automation products — PLCs, HMIs, industrial sensors, robotics controllers, SCADA software — are classified as Important Products under EU CRA. Class II requires third-party conformity assessment by an accredited notified body. SBOM, vulnerability reporting, and secure-by-design evidence are mandatory from September 2026.

IEC 62443 — Secure Development Lifecycle

Certification Moving from Differentiator to Baseline

IEC 62443-4-1 ML2/ML3/ML4 certification provides the most credible path to CRA conformity for industrial products. Rockwell Automation, Mettler-Toledo, and Microchip Technology already hold certification. For procurement teams at major manufacturers, it is moving from a differentiator to a contract prerequisite.

EU Machinery Regulation — Jan 2027

Safety-Related Security Levels

The EU Machinery Regulation introduces Safety-Related Security Levels (SRSL) that must be co-engineered with functional safety requirements (IEC 61508, ISO 13849). A security patch that compromises a safety function is a regulatory violation. Safety and security evidence must be produced from the same traceable workflow — not maintained in separate systems.

X-DLM™ routes Black Duck's open-source intelligence — covering industrial protocol stacks, RTOS components, OPC UA libraries, cryptographic dependencies, and third-party firmware — into Siemens Polarion's IEC 62443-aligned development workflows. Safety requirements and security requirements are traced in the same system, with the same evidence chain, for the same notified body review. One system of record. Three regulatory obligations covered.

Brand authority buyers recognize

Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.

Siemens Polarion ALM

Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.

ALM · Requirements · Test · Workflow · LiveDocs evidence

Black Duck Software Composition Analysis

Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.

317,000+ vulns · 63,000+ exclusive advisories · 3,000+ licenses

Industrial products now need security proof.

IEC 62443. EU CRA Class II. EU Machinery Regulation. One evidence system covers all three.

Book a 15–30 minute discovery call. We show exactly how X-DLM™ connects Black Duck and Siemens Polarion to govern OT software risk, produce IEC 62443-aligned SBOM evidence, and maintain the safety-security co-engineering audit trail required for EU CRA notified body assessment.

The X-DLM™ industrial automation trust equation

Siemens + Black Duck (OT security authority) + X-DLM™ automation (IEC 62443 + CRA evidence) = Certified conformity (EU market access).

Result: secure plant, trusted OEM.