Six frameworks. One evidence system.
Industrial automation companies don't get to choose which regulations apply to their products. All six do.
EU CRA Class II
IEC 62443 certification supports CRA conformity. It does not automatically satisfy it.
EU CRA Important Class II requires third-party notified body assessment — not self-declaration. IEC 62443-4-1 certification provides the strongest available evidence of secure development lifecycle conformity, but additional CRA-specific requirements apply: machine-readable SBOM, 24h vulnerability reporting cascade, CE marking, and 10-year documentation retention.
Safety-Security Integration
A security patch that compromises a safety function fails two regulations simultaneously.
The EU Machinery Regulation's Safety-Related Security Levels must be co-engineered with IEC 61508 SIL and ISO 13849 PLr requirements from January 2027. Safety and security evidence must be traceable from the same system — and every change must be assessed against both disciplines before release.
2,155 ICS vulnerabilities in 2025. 7% of OT devices linked to ransomware. September 2026 is the CRA reporting deadline. The industrial software governance gap is no longer acceptable.
- Number of ICS/OT vulnerabilities disclosed in 2025 — the highest annual volume on record. Source: Forescout / CISA ICS-CERT 2026.
- Share of OT devices that carry known exploitable vulnerabilities; 7% are linked to active ransomware campaigns targeting industrial environments. Source: Claroty 2026.
- Share of OT incidents caused by transient devices and contractor access — the supply chain attack surface that operations teams already manage.
- Minimum security update support period the EU CRA requires for Important Class II industrial products after the last unit is placed on the market.
- How far ahead of NVD Black Duck BDSA advisories are published — the operational lead time that makes CRA's 24h reporting window executable in OT change control environments.
Industrial automation answers to six frameworks — as a product manufacturer, a critical infrastructure operator, and a supply chain participant simultaneously.
| Regulation | Who it affects | Timing | What you must answer | How X-DLM™ helps |
|---|---|---|---|---|
| EU CRA — Important Class II | Manufacturers of PLCs, HMIs, industrial sensors, robotics controllers, SCADA software, ICS networking equipment, and any industrial product with software that can connect to networks or other devices. | Vulnerability reporting: September 11, 2026. Full enforcement including CE marking: December 11, 2027. Third-party notified body conformity assessment required for Important Class II — self-declaration is not sufficient. | Machine-readable SBOM (SPDX or CycloneDX), secure-by-design evidence, 24h/72h/14-day vulnerability reporting, coordinated vulnerability disclosure, 5-year minimum security update support, CE marking, 10-year documentation retention. | Black Duck generates SPDX/CycloneDX SBOMs covering RTOS, protocol stacks, cryptographic libraries, HMI frameworks, and third-party firmware. X-DLM™ routes vulnerability findings into Polarion with CRA cascade automation. LiveDocs produces the Class II conformity evidence package. |
| IEC 62443-4-1 Secure Development Lifecycle | Industrial automation product manufacturers — component suppliers, system integrators, and solution vendors seeking IEC 62443 certification as a CRA conformity pathway or OEM procurement qualification. | IEC 62443 certification increasingly required by major OEMs (Siemens, ABB, Rockwell Automation, Schneider Electric) as supplier qualification condition. Active CRA conformity pathway. Draft amendment aligning to CRA in public enquiry (March–May 2026). | Security management (SM), product requirements (SR), secure design (SD), secure implementation (SI), security verification and validation (SVV), defect management (DM), security update management (SUM) across ML1–ML4 maturity levels. | Polarion provides the development workflow aligned to IEC 62443-4-1 process areas. Black Duck supplies SBOM and vulnerability intelligence. X-DLM™ maintains ML-level evidence continuously — producing the documented SDL evidence that notified body auditors and OEM procurement teams require. |
| EU Machinery Regulation (Jan 2027) | Manufacturers of industrial machinery with integrated software — robots, CNC machines, conveyors, packaging equipment, and automated production systems with networked controllers. | Full enforcement: January 2027. Safety-Related Security Levels (SRSL) must be co-engineered with functional safety requirements before market placement. | Safety-Related Security Levels aligned to functional safety categories. No security measure may compromise a safety function. Combined safety and security risk assessment. Integration with IEC 61508/ISO 13849 functional safety standards. | Polarion traces security requirements alongside functional safety requirements (SIL/PLr) in the same traceability matrix. Change control records prove every security patch was assessed for safety function impact. The combined safety-security evidence chain is reviewable in one system. |
| NIS2 — Critical Infrastructure Operators | Industrial automation companies operating as critical infrastructure — energy, water, manufacturing of critical products — classified as Important Entities or Essential Entities under NIS2. | In force since October 2024. Supervisory authority enforcement active. No grace period for essential or important entity obligations. | Supply chain security risk management, incident reporting (24h/72h/30-day), vulnerability disclosure, business continuity planning, executive accountability, vendor cybersecurity assessment. | X-DLM™ routes Black Duck supply chain intelligence into Polarion incident workflows with NIS2 reporting cascade triggers. Supply chain vendor assessment evidence maintained continuously. |
| IEC 61508 / ISO 13849 (Functional Safety) | Industrial automation manufacturers building safety-instrumented systems, safety PLCs, emergency shutdown systems, and machinery with functional safety requirements. | Active — required for products making safety claims. Safety Integrity Level (SIL) and Performance Level (PLr) validation required for market placement. | Hazard and risk analysis, safety requirements specification, safety integrity level determination, hardware and software safety validation, functional safety assessment. | Polarion links functional safety requirements to architecture, code, test cases, and verification evidence in the same traceability thread as security requirements — enabling combined safety-security change control and the co-engineering audit trail EU Machinery Regulation requires. |
| NIST SP 800-82 (US ICS Security) | Industrial automation vendors and operators with US federal procurement relationships, DoD supply chain positions, or critical infrastructure operator classification under CISA guidelines. | Active US government guidance. Referenced in federal ICS procurement and CISA critical infrastructure security requirements. | ICS-specific risk management, network segmentation, access control, incident response, supply chain risk management, SBOM provision, vulnerability management aligned to OT operational constraints. | Black Duck provides OT-specific vulnerability and SBOM intelligence. Polarion maintains the risk management and change control evidence chain. X-DLM™ synchronizes both for US federal procurement delivery. |
From Black Duck OT component scan to IEC 62443 and CRA evidence trail.
- 01 Detect: Black Duck scans RTOS kernels, industrial protocol stacks (OPC UA, Modbus, EtherNet/IP, PROFINET, DNP3), cryptographic libraries, HMI software, and third-party firmware — producing SBOM data, vulnerability intelligence, malware signals, and license risk specific to OT software.
- 02 Route: X-DLM™ synchronizes findings into Polarion as governed work items — with IEC 62443 security level mapping, EU CRA Class II reporting cascade triggers, safety function impact assessment prompts, assigned owners, and change control timelines.
- 03 Co-Engineer: Security findings are linked to functional safety requirements (IEC 61508 SIL, ISO 13849 PLr) in the same Polarion traceability matrix — every change is assessed against both disciplines before release, producing the combined safety-security evidence the EU Machinery Regulation requires.
- 04 Certify: LiveDocs and Polarion workflow history produce the IEC 62443-4-1 ML2/ML3 evidence package, EU CRA Class II SBOM and conformity documentation, and the NIS2 supply chain security record — on demand, for notified body assessment, OEM procurement review, or supervisory authority inspection.
One evidence system for every industrial automation obligation.
Book a walkthrough of how X-DLM™ operationalizes EU CRA Important Class II evidence, IEC 62443-4-1 secure development lifecycle, EU Machinery Regulation safety-security co-engineering, and OT vulnerability governance — on Siemens Polarion and Black Duck.