CRA: a major new EU regulation on cybersecurity – Interview with UNIFE expert Luca Cedric Biggiogera
Luca Cedric Biggiogera has a background in digital policy and European affairs. Since the beginning of 2025, he has held the position of Technical Affairs Manager IT & Cybersecurity at UNIFE, the European Rail Supply Industry Association. In this role, he leads the UNIFE Cybersecurity Working Group, the UNIFE Safety Assurance and ECM Working Group, as well as the inter-association initiative Cybersecurity Rail Sector Group, in which UNIFE cooperates with CER, EIM, and UITP on the Cyber Resilience Act.
The Cyber Resilience Act (CRA) is a major new EU regulation on cybersecurity. Can you briefly explain its main objectives and why it is relevant for railway companies?
The CRA has been a challenging and unique task for the railway sector: although it affects us on many levels, it was not written with the rail industry in mind. Understanding how to interpret and apply it to rail has been our top priority in recent months. The CRA’s goal is to raise the overall level of cybersecurity for all digital products, from the simplest to the most complex. It is part of a broader EU initiative to secure Europe’s digital infrastructure, on which our society increasingly depends. Think of connected voice assistants or toys, often sold with little or no security and without the possibility of updates. In the wrong setting, they can become easy entry points for malicious actors. The CRA introduces essential cybersecurity requirements for all such digital products. Since the rail sector – unlike aviation and maritime – has had no comparable EU cybersecurity legislation, it now falls under the scope of the CRA.
Which types of rail-related products, systems, or companies fall under the scope of the CRA? How is it decided which products are considered critical or regulated?
This question was the starting point for our sector-wide initiative to create the Cybersecurity Rail Sector Group, aimed at analysing the CRA and providing technical guidance in the form of a detailed document. The CRA’s scope is very broad, as it applies to all hardware and software products. The definition of a “product with digital elements” is not easily transferable to the rail sector, initially causing significant uncertainty. Through legal analysis and existing EU practices, our experts concluded that the CRA applies to all rail products containing digital elements (software or hardware) and placed on the EU market as a unit. From sensors to vehicles to entire trainsets, the entire rail supply chain must consider CRA requirements. “Critical” and “Important” categories are reserved for products that require special assessment procedures. Only those listed in the CRA fall under these categories, and they generally do not include rail products. Although the list may be expanded in the future, most rail products currently fall under the standard self-assessment category.
The CRA introduces requirements such as ongoing security updates throughout the product lifecycle. In the railway sector, products are often in operation for 30 years or more. How can companies realistically meet such long-term obligations?
The CRA mandates security updates for at least five years, or for the full lifetime of the product if shorter. For long-lived products such as those in the railway sector, the support duration should instead cover a reasonable portion of the expected lifecycle. When determining this period, manufacturers should consider the product’s purpose, user expectations, and other factors such as the support duration of third-party components and the operating environment. The CRA will undoubtedly bring a major shift in how the railway sector approaches cybersecurity and updates, but the regulation also offers flexibility for manufacturers to agree with customers on suitable support durations.
For many companies, complying with cybersecurity requirements is uncharted territory. What practical first steps do you recommend?
The first step for every company is to prepare early: before the regulation’s application date in December 2027, companies should familiarise themselves with the CRA and determine how it applies to their products. Adapting processes takes time, and it is crucial that the sector approaches this deadline with good preparation and a shared understanding of the regulation to avoid confusion and inefficiencies. To that end, UNIFE and the sector are developing an explanatory guide based on a common interpretation among operators, manufacturers, and infrastructure managers. This guide will be a key resource for the entire sector, providing a coherent foundation for implementing the CRA and serving as a practical tool for companies that cannot study the full legislation in depth.
UNIFE plays a central role in the EU regulatory process. How are you working with the European Commission on the CRA, and what priorities or concerns are you raising on behalf of the rail supply industry?
The CRA has been one of UNIFE’s most prominent topics over the past year and even earlier. We have adopted a dual approach toward the European Commission to gain clarity on the legislation and ensure smoother implementation. On one hand, UNIFE is actively contributing to the development of guidelines and implementation support. We participate in the Commission’s CRA Expert Group and coordinate the Cybersecurity Rail Sector Group to enable effective and well-informed implementation of the CRA. On the other hand, UNIFE recently published a position paper calling for the inclusion of the CRA, the Data Act, and the AI Act in the upcoming Digital Omnibus for Simplification—a Commission initiative aimed at streamlining the EU’s digital framework. The paper specifically calls for ongoing projects to be exempted from CRA obligations. Discussions are ongoing, and the outcome is uncertain, but successfully including the CRA in the Omnibus could lead to much-needed adjustments to better reflect industrial realities.
Thank you very much for this interview!