Cybersecurity by design: our commitment to the Cyber Resilience Act
Cybersecurity is a cornerstone of CAREL’s operations and of the trust we build every day in the marketplace. We maintain a robust security framework that extends across our entire organization and value chain, continuously integrating regulatory requirements into our products, solutions, and services, with particular attention to secure development, effective vulnerability management and communication, as well as the preparation of the required technical and compliance documentation.
With the Cyber Resilience Act (CRA), cybersecurity is transitioning from a best practice to a binding regulatory requirement. The regulation requires manufacturers to ensure security throughout the entire lifecycle of products with digital elements (including hardware and software and, where applicable, remote data processing services) by adopting a risk-based approach; this new regulatory framework is directly relevant to a portion of CAREL’s digital product portfolio.
We welcome this development not as an obstacle, but as an opportunity to further strengthen the quality, reliability, and competitiveness of our portfolio. As the framework of harmonised standards supporting the CRA continues to evolve, we align with established international standards as well as with the technical specifications and European references as they gradually become available.
Our Secure Development Life Cycle is structured in line with the principles of IEC 62443-4-1, while product security requirements are defined and assessed with reference to IEC 62443-4-2 and other applicable standards, with the target security level determined according to the risk and the product’s context of use.
We will continue to monitor regulatory developments, supported by internal and EU-level compliance experts, providing transparent updates on readiness levels and compliance milestones.