SERVICES — CYBERSECURITY AXIS

OT plants and connected products CRA-compliant

NIS2 changes management's responsibilities for plant security. The CRA imposes continuous obligations on those who manufacture connected machinery or devices. IEC 62443 is the standard becoming the recognized path to demonstrate compliance with both. This page covers the full path: from team training to assessment, from CRA Reporting Ready to annual oversight.

THE CONTEXT

The standard becoming mandatory for manufacturing

IEC 62443 is no longer just a set of best practices for industrial plant security. CEN/CENELEC is adopting it as a harmonized EN standard: for Italian manufacturers of machinery, embedded systems and connected components, it becomes the recognized path to demonstrate compliance with the Cyber Resilience Act.

Those who don't know IEC 62443 won't be able to document CRA compliance when the deadlines take effect. Those who train their team now arrive prepared — instead of playing catch-up.

The CRA vulnerability-reporting obligation kicks in from 11 September 2026 for products already on the market.

OEM customers already require compliance as a contractual condition in vendor qualification.

NIS2 makes management personally accountable for OT security governance.

THE METHOD

Learn · Practice · Build

Each module lasts 4 hours, in person or remote, up to 12 participants. In the IEC 62443 domain the workshop deliverable is not a software tool but a process artifact — a map, a checklist, an analysis document — directly applicable to your plant or product.

  • LEARN · ~120 min · Concepts, structure of the standard, concrete cases from the manufacturing sector
  • PRACTICE · ~45 min · Guided exercises on real scenarios
  • BUILD · ~60 min · Workshop: each participant builds a process artifact applicable to their plant or product
  • WRAP-UP · ~15 min · Review and Q&A

The workshops produce better results when participants bring real material: a plant diagram or layout for the OT modules, product technical specs for the PRD modules. The pre-course briefing (1–2 hours, included) serves to gather this material.

IEC 62443 TRAINING — STARTING POINT

The base module: for anyone who must understand IEC 62443 before applying it

The 62443-01 module is the mandatory starting point for any IEC 62443 path. It's sellable on its own as an awareness session for management or mixed teams, and provides the conceptual framework that makes all subsequent modules effective.

62443-01 · 4 HOURS · NO TECHNICAL PREREQUISITES

Introduction to IEC 62443

Target: Mixed teams with different backgrounds — technical staff, managers, function heads. Great as an awareness session for management.

  • What IEC 62443 is: structure of the parts, logic of the standard, who uses it and why
  • The IACS security model: zones, conduits, security levels
  • Actors of the standard: asset owner, system integrator, product supplier
  • Regulatory context: NIS2, CRA and the CEN/CENELEC process to adopt EN 62443
  • Why IEC 62443 becomes relevant even for those who have never done OT security
  • Overview of ISA certification paths for professionals

Workshop — what you build: A preliminary systems map of the organization — plants, connected products, components — with a first indication of the standard's scope of application.

IEC 62443 TRAINING — TRACKS BY TARGET

Four vertical tracks, each for its own audience

After the base module, the path specializes by function. The tracks aren't mutually exclusive: companies with OT plants and connected products often bring OT technicians and R&D teams into the room together, with modules calibrated for both.

MANAGEMENT TRACK · 62443-MGT

1 MODULE · 4 HOURS

For whom: CEO, CTO, General Management. Those who must make decisions on investments, risks and regulatory obligations without needing to know the technical details of the standard.

What changes for management

  • What changes for the company with NIS2, CRA and EN 62443: obligations, deadlines, sanctions
  • Cyber risk in OT environments: operational, insurance and reputational impact
  • How to read the results of an IEC 62443 assessment: what to ask, what to expect
  • Investment decisions: build vs buy, internal resources vs external partners
  • OT cybersecurity governance: roles, responsibilities, reporting to the top
  • How to communicate cyber risk to the board and investors

Workshop: each participant builds an executive risk summary — a concise map of the main risks and the urgent decisions to bring to the board over the next 90 days.

OT / PLANT TRACK · 62443-OT

2 MODULES · 1 DAY

For whom: OT technicians, plant managers, maintenance managers.

62443-OT-a — Practical Risk Assessment

How to conduct an IEC 62443 risk assessment on a real plant. Focus on the operational methodology: asset identification, zone definition, threat analysis and target security level definition.

  • IEC 62443-3-2 risk assessment process
  • IACS asset inventory
  • Zones and conduits: logic and segmentation criteria
  • Target and achieved Security Level
  • Threat modeling in OT environments
  • Risk assessment documentation

Workshop: each participant builds a draft zone/conduit diagram and a first proposed target SL for a real plant or system of the organization.

62443-OT-b — Implementation and Countermeasures

How to move from risk analysis to countermeasure implementation. Focus on the technical and organizational measures defined by the standard and on how to verify their effectiveness.

  • IEC 62443-3-3 system requirements
  • Priority technical countermeasures: segmentation, authentication, monitoring, backup
  • Organizational countermeasures
  • Prioritization based on target SL and budget
  • Maintenance over time: patching, change management, audit

Workshop: each participant builds a priority countermeasures checklist for their plant, ordered by urgency and estimated implementation cost.

PRODUCT / EMBEDDED TRACK · 62443-PRD

2 MODULES · 1 DAY

For whom: Designers, R&D managers, product managers of embedded systems and connected machinery.

62443-PRD-a — Secure by Design: Component and System Requirements

How to integrate IEC 62443 security requirements into the design phases of a connected product or component. For those who must satisfy the CRA and don't know where to start in their development cycle.

  • IEC 62443-4-2: security requirements for IACS components
  • IEC 62443-4-1: secure development lifecycle
  • Security requirements engineering
  • Threat modeling for embedded products (STRIDE, attack surface)
  • Basic hardening: authentication, encryption, secure updates, logging
  • Interface with CRA requirements

Workshop: each participant builds a security requirements list for a real product or component — functional security requirements traceable to IEC 62443 clauses and CRA requirements.

62443-PRD-b — Secure Development Lifecycle (SDLC)

How to structure the development process to produce components and systems compliant with IEC 62443-4-1 and the CRA process requirements. For R&D teams that must integrate security into their workflow without overturning existing processes.

  • The 8 practices of the IEC 62443-4-1 secure development lifecycle
  • Security management: policy, roles, team training
  • Requirements specification and secure design
  • Secure implementation: coding guidelines, code review, SAST/DAST
  • Verification and validation
  • Post-release vulnerability management: disclosure, patch, SBOM

Workshop: each participant builds a secure development checklist adapted to their development cycle — with the minimum IEC 62443-4-1 controls mapped onto the phases of the existing process.

IT SECURITY TRACK · 62443-SEC

1 MODULE · 4 HOURS

For whom: CISOs, IT security managers, security architects who must extend their perimeter to OT environments.

62443-SEC — IT/OT Convergence: Governance and Incident Response

For those coming from the IT security world who must understand how to manage OT environments with completely different logic, priorities and constraints.

  • Fundamental differences between IT security and OT security: priorities, constraints, architectures
  • OT threat landscape: actors, vectors, real incidents in manufacturing
  • Hybrid IT/OT governance models
  • Network segmentation and industrial DMZ: Purdue architectures, zones and conduits
  • Incident response in OT environments: playbooks, communication, operational continuity
  • Integration with IT frameworks: relationship between IEC 62443, ISO 27001 and NIST CSF

Workshop: each participant builds an IT/OT gap analysis — a map of existing controls, main gaps and governance priorities for the next 12 months.

CROSS-CUTTING MODULE · 62443-CRA

From IEC 62443 to the Cyber Resilience Act: the compliance map

The CRA isn't yet another standard to satisfy separately — it's a set of essential requirements for which IEC 62443 becomes the recognized compliance path. But the mapping between the two isn't automatic: this module shows exactly where the standard covers the CRA requirements and where gaps remain to be handled another way.

62443-CRA · 4 HOURS · CROSS-CUTTING TO OT AND PRD TRACKS

From IEC 62443 to the Cyber Resilience Act

Target: R&D teams, product managers, compliance managers of connected industrial products.

  • State of the CEN/CENELEC process: how EN 62443 becomes the harmonized standard for the CRA
  • Mapping of CRA requirements → IEC 62443 clauses: what the standard covers and what remains uncovered
  • CRA essential cybersecurity requirements: practical analysis for industrial products
  • Mandatory technical documentation: declaration of conformity, technical file, vulnerability handling policy
  • SBOM (Software Bill of Materials): obligations, formats, tools
  • CRA deadlines: obligations for manufacturers, importers and distributors in the supply chain
  • How to start a compliance path in a company without dedicated resources

Workshop — what you build: A preliminary compliance map between the CRA requirements applicable to your product and the corresponding IEC 62443 clauses — identifying gaps and priority actions.

This is not an ISA exam preparation course nor a professional certification path. The goal is to train the company teams who must apply IEC 62443 to their plant or product.

TRAINING PATHS

Five starting combinations

Awareness

1 module · half day

62443-01

For management, mixed teams, a first approach to the standard. Sellable on its own as a company awareness session.

OT Security Essentials

3 modules · 1.5 days

62443-01 + 62443-OT-a + 62443-OT-b

For OT technicians, plant managers, maintenance teams. The team leaves with a draft zone diagram and a priority countermeasures checklist.

Product Security Essentials

3 modules · 1.5 days

62443-01 + 62443-PRD-a + 62443-PRD-b

For embedded designers, R&D teams, product managers. The team leaves with a security requirements list and a secure development checklist.

CRA Compliance Path

4 modules · 2 days

62443-01 + 62443-PRD-a + 62443-PRD-b + 62443-CRA

The most direct path for those who must start a CRA compliance journey. The team leaves with a compliance map, a security requirements list and a priority action roadmap.

Full OT + CRA

5 modules · 2.5 days

62443-01 + 62443-OT-a + 62443-OT-b + 62443-PRD-a + 62443-CRA

Complete coverage for companies with OT plants and connected products.

Custom — from 2 modules. Any combination of modules, for specific needs.

GROUPS up to 12 participants · FORMAT in person or remote · LANGUAGE Italian or English · MATERIALS slides and checklists included · BRIEFING pre-course included

DEADLINE 11 SEPTEMBER 2026

CRA Reporting Ready: the reporting process operational before the deadline

From 11 September 2026, every manufacturer of products with digital elements sold in the European market is obliged to report actively exploited vulnerabilities and severe incidents to ENISA's Single Reporting Platform — on tight timelines: early warning within 24 hours of becoming aware of the event, full notification within 72 hours. The obligation applies to products already on the market. Those without a tested process find out at the worst moment — during an incident.

PHASE 1 — SNAPSHOT · half day

Census of products in CRA scope, of the channels through which the company currently learns of vulnerabilities and incidents, of the people involved. Verification of what already exists.

PHASE 2 — PROCESS BUILD · 1–2 weeks

Design of a vulnerability handling and incident reporting process sized for the company: who receives the report, who assesses, who decides, who notifies. Definition of roles and responsibilities. Preparation of operational templates.

PHASE 3 — TEST AND HANDOVER · 1 day

Tabletop simulation: an exploited vulnerability handled by the team with the new process, against the 24/72-hour clock. Fixing what doesn't work. Handover session with CEO/CTO.

CLOSED SCOPE · 3 WEEKS · DECLARED OUTPUT

Dig into CRA Reporting Ready →

ASSESSMENT — L2

Measuring exposure before an OEM customer or an inspection does

An OT assessment exists to understand where you're exposed — on NIS2, CRA and IEC 62443 — with a concrete, not theoretical, snapshot. Those who do it before receiving a vendor qualification request or a letter from the supervisory authority handle the adjustment calmly instead of chasing it.

OT Radar

OT TRACK · 1 DAY · DECLARED OUTPUT

What I analyze:

Plant architecture, connected products, vendors, past incidents, existing measures. Interviews with CEO/CTO, IT/OT and production or R&D.

What you receive:

  • Map of NIS2, CRA and IEC 62443 regulatory exposure for your specific context
  • The 3–5 priority risks to address
  • First concrete actions for the next 90 days
  • A concise document (4–6 pages) to share internally

OT Compass

OT TRACK · 2 DAYS · 15–20 PAGE REPORT · ROADMAP

What I analyze:

OT/IT architecture, products, critical vendors, existing measures — assessed against IEC 62443, NIS2 and CRA. Extended interviews reaching procurement.

What you receive:

  • Complete OT cybersecurity assessment report (15–20 pages)
  • Gap analysis against IEC 62443, NIS2 and CRA
  • Map of priority risks for plants and products
  • Compliance and mitigation roadmap with milestones and indicative costs
  • Executive slides for the board or insurers, on request

The Radar doesn't commit you to the Compass. From the Compass, the recurring services open up with no additional onboarding cost — knowledge of the company is already acquired.

Dig into Radar and Compass →

ANNUAL OVERSIGHT — CRA COMPLIANCE MANAGER

The CRA isn't a one-off requirement. The obligations continue after launch.

ANNUAL RENEWAL · SCOPE REVIEWED AT EACH RENEWAL

CRA Compliance Manager

TRIGGER → PRODUCTS WITH DIGITAL ELEMENTS SUBJECT TO THE CYBER RESILIENCE ACT

The CRA imposes continuous obligations on manufacturers: monitoring product vulnerabilities, managing disclosure, updating technical documentation, maintaining the SBOM. Those who don't oversee these obligations over time risk sanctions of up to 2.5% of annual global turnover and product withdrawal from the European market.

  • Continuous monitoring of CVEs relevant to the organization's products
  • Management of the vulnerability disclosure process — from receiving the report to public communication
  • Maintenance and update of the SBOM (Software Bill of Materials)
  • Update of mandatory technical documentation (technical file, declaration of conformity)
  • Oversight of compliance with the CRA essential requirements applicable to the product
  • Monitoring of CRA regulatory evolution and harmonized standards (EN 62443)
  • Quarterly session with the R&D manager and CEO for updates and decisions
  • Support for communication with market surveillance authorities in case of an incident

MEMBER ETSI TC CYBER — CYBERSECURITY · ISA IEC 62443 EXPERT PATH

Those who have completed an OT Compass get access with no additional onboarding cost. Those arriving without an assessment start with a half-day of initial alignment that includes analysis of the in-scope product.

ANNUAL OVERSIGHT — OT SECURITY ADVISOR

An assessment captures a moment. Security posture must be maintained over time.

ANNUAL RENEWAL · FORMAL LETTER OF ENGAGEMENT

OT Security Advisor

TRIGGER → CRITICAL OT PLANTS OR CONNECTED INDUSTRIAL PRODUCTS TO KEEP COMPLIANT WITH IEC 62443 AND NIS2

Plants change, vendors change, threats evolve, regulations update. Maintaining compliance and security posture over time isn't manageable with sporadic interventions. This service oversees OT security in a structured way — without having to hire an internal CISO.

  • Formal role of the organization's external OT Security Advisor
  • Annual update of the IEC 62443 risk assessment: review of zones, conduits, SL and countermeasures
  • Oversight of the remediation plan: progress monitoring, prioritization, decision support
  • Cyber supply chain management: assessment of critical vendors, review of security contracts
  • Continuous monitoring of the OT threat landscape relevant to the sector
  • Support in managing OT incidents: interface with the internal technical team and communication to management
  • Interface with cyber insurers for policy renewal and adjustment
  • Monthly session with the CTO/OT manager for operational updates
  • Quarterly session with the CEO for strategic updates and reporting
  • Annual training of the internal technical team (1 four-hour module included)

ISA IEC 62443 EXPERT PATH · MEMBER ETSI TC CYBER — CYBERSECURITY

The organization must have completed an OT Compass. The service requires continuous access to plant documentation and the IT/OT structure. Formal letter of engagement.

Where do you want to start?

If you're not sure of the right starting point — training, CRA Reporting Ready or a direct assessment — the Regulatory Spark is for this: 45 minutes to understand your real exposure and choose the next step on concrete ground. If you already have a clear idea, write to me directly.

Book the Regulatory Spark — free

Write to me