Leverage Profinet’s security building blocks to navigate EU regulations
If I had a nickel for every time I get asked about the EU Cyber Resilience Act (CRA) … well then, this article wouldn’t exist as I’d instead be sailing around my private island in the Caribbean. Nevertheless, the topic is indeed top of mind for device makers, systems integrators, machine builders and end users across the industrial automation and controls spectrum. And more than a few people are working hard to meet its requirements. Apart from the CRA, two other regulations exist that affect stakeholders in industry.
End-user impact: NIS2
The NIS1 Directive was a milestone for the EU-wide harmonization of cybersecurity in 2016. NIS1 was replaced by the NIS2 Directive in 2024 to cover more sectors and companies and to impose stricter requirements. It is aimed at organizations operating in critical and important sectors that have a certain size or significance for society. Such organizations must perform cybersecurity risk assessments on their networks and information systems.
Machine-builder impact: EU Machinery Regulation
The EU Machinery Regulation (EUMR) 2023/1230, which replaced the existing Machinery Directive 2006/42/EC, contains binding requirements for cybersecurity within machinery and equipment. Enforceable starting January 2027, the EUMR, in addition to classic functional and mechanical safety, includes a focus on digital security.
Device-maker impact: CRA
The CRA impacts device makers by making cybersecurity a product requirement across the EU with the CE mark now covering cybersecurity, as well. Its aim is to improve the security of hardware and software products sold in the EU, all the way from smartwatches to computer operating systems to industrial control systems.
Product risk tiers
The CRA creates product categories with escalating requirements:
- standard products—self-certification allowed
- important products (I & II)—stricter third-party assessment required; includes switches, routers, firewalls, VPNs and operating systems
- critical products—mandatory EU cybersecurity certification; includes, for example, hardware security modules for PKI.
And the essential cybersecurity requirements for these products are mostly outlined in the CRA’s Annex I, Part I.
Cell protection and more
Up until a few years ago, security in Profinet networks relied purely on cell protection via the well-known defense-in-depth approach. With the rise of increased IT/OT integration, and documented cyberattacks against OT systems, additional security measures became necessary. Cybersecurity with Profinet can be thought of as a set of building blocks, each addressing increasing requirements:
- secure cell—network segmentation and access control
- secure access—secure communication from higher-level networks into the cell
- secure realtime—secure communication within the cell.
Since these classes of security measures are part of the Profinet specification, products must fall into one or more of them.
So, what four critical items should a device maker selling Profinet-enabled devices into the EU know?
- First, they should know that all Profinet devices are certified for conformance to the specification.
- Second, that this certification is not, alone, a CRA cybersecurity conformity assessment.
- Third, they should know how Profinet cybersecurity measures map to CRA requirements.
- And, finally, they should know that Profinet already provides the basis for CRA compliance in 2026.
Secure cell
Profinet security supports CRA, EUMR and NIS2 compliance out of the box. Even existing Profinet installations support the secure cell concept, which can be readily implemented. Three additional hardening measures were introduced with the Profinet specification V2.5. First, by preventing device renaming, readdressing and resetting operations during runtime, mechanisms to protect against unauthorized access were introduced. Second, optional or disabled-by-default simple network management protocol (SNMP) addresses requirements for secure-by-default configuration. Finally, cryptographically signed general station description (GSD) files address the protection of configurations against unauthorized modification.
Secure access
Defense-in-depth cybersecurity measures often involve firewalls that regulate traffic to/from IT/OT networks; OT network devices cannot typically communicate securely with higher-level components directly. With secure access, however, Profinet devices can be accessed via a secured, authenticated channel directly from IT networks. Secure access also supports encryption to further safeguard communication. Protection measures against unauthorized access and confidentiality requirements are thus addressed.
Secure realtime
Secure realtime focuses on securing Profinet communication within an automation cell. Secured communication channels ensure the integrity of transmitted Profinet data against manipulation. If necessary, secure realtime also enables the encryption of Profinet traffic, preventing it from being read, even if intercepted. This directly deals with confidentiality requirements. These secured communication channels are adjustable, maintaining configurability.
Certificates, roles and syslog
Profinet secure access and secure realtime both rely on certificates to establish secured, authenticated communication channels. Certificates also enable role-based access control, with permissions tied to pre-defined roles. A credential manager is employed to handle it all, enabling seamless security configuration across devices from different vendors. These measures further tackle access management requirements. Finally, Profinet devices can generate auditable security-related events for forwarding, for example, to syslog infrastructure, thereby addressing the need to record and monitor such events.
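The monitoring side of the two passages above (the runtime rename/readdress/reset protection from the secure cell section and the auditable security events forwarded to syslog here) is something a plant's security team has to build for itself. The following is an added example, not code from PI or from the Profinet specification: a small triage script that parses RFC 5424 syslog lines such as a device might forward and raises alerts on repeated certificate authentication failures, blocked runtime change attempts, SNMP being re-enabled, and GSD signature failures. The sample lines, the `pnsec` app name, the peer addresses and the MSGID names (`AUTH_FAIL`, `RENAME_BLOCKED`, `CONFIG_CHANGE`, `GSD_SIG_OK`, ...) are all constructed for illustration and are not identifiers defined by Profinet.

```python
"""Triage of security events that Profinet devices forward to a syslog collector.

Added example. The syslog lines and the MSGID names (AUTH_FAIL, RENAME_BLOCKED, ...)
are constructed for illustration; they are not Profinet-defined identifiers.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: one cell with two devices, a peer that fails client-certificate
# authentication three times and then tries to rename a device at runtime, and an engineer
# who re-enables SNMP on another device (a deviation from secure-by-default).
SAMPLE_SYSLOG = """\
<84>1 2025-03-04T10:15:01Z io-device-07 pnsec - AUTH_FAIL [pn role="maintenance" peer="10.0.5.23"] TLS client certificate rejected: unknown issuer
<84>1 2025-03-04T10:15:03Z io-device-07 pnsec - AUTH_FAIL [pn role="maintenance" peer="10.0.5.23"] TLS client certificate rejected: unknown issuer
<84>1 2025-03-04T10:15:05Z io-device-07 pnsec - AUTH_FAIL [pn role="maintenance" peer="10.0.5.23"] TLS client certificate rejected: unknown issuer
<85>1 2025-03-04T10:16:40Z io-device-07 pnsec - RENAME_BLOCKED [pn peer="10.0.5.23"] DCP set-name request rejected while device is in runtime
<86>1 2025-03-04T10:20:00Z io-device-12 pnsec - GSD_SIG_OK [pn file="GSDML-V2.5-Vendor-Device.xml"] signature verified
<85>1 2025-03-04T10:21:12Z io-device-12 pnsec - CONFIG_CHANGE [pn role="engineer" peer="10.0.1.10"] SNMP enabled
<86>1 2025-03-04T10:22:30Z io-device-12 pnsec - AUTH_OK [pn role="operator" peer="10.0.1.11"] session established
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$"
)
_SD_PARAM = re.compile(r'(\w+)="([^"]*)"')

# MSGIDs (hypothetical) that a device emits when it blocks a change that is not
# allowed during runtime, as described for the secure cell hardening measures.
RUNTIME_BLOCK_EVENTS = {"RENAME_BLOCKED", "READDRESS_BLOCKED", "RESET_BLOCKED"}


@dataclass
class Event:
    severity: int          # syslog severity 0 (emergency) .. 7 (debug)
    timestamp: str
    host: str
    msgid: str
    params: dict = field(default_factory=dict)   # structured-data parameters
    msg: str = ""


def parse_line(line: str) -> Event:
    """Parse one RFC 5424 line; raises ValueError on malformed input."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 line: {line!r}")
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    sd = m["sd"]
    return Event(
        severity=pri % 8,
        timestamp=m["ts"],
        host=m["host"],
        msgid=m["msgid"],
        params=dict(_SD_PARAM.findall(sd)) if sd != "-" else {},
        msg=m["msg"] or "",
    )


def parse_events(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(events, auth_fail_threshold: int = 3) -> list:
    """Return (rule, host, detail) tuples for events that warrant follow-up."""
    alerts = []
    auth_failures = defaultdict(int)  # (host, peer) -> count
    for e in events:
        peer = e.params.get("peer", "?")
        if e.msgid == "AUTH_FAIL":
            auth_failures[(e.host, peer)] += 1
            if auth_failures[(e.host, peer)] == auth_fail_threshold:
                alerts.append(("repeated-auth-failure", e.host, peer))
        elif e.msgid in RUNTIME_BLOCK_EVENTS:
            # The device already refused the change; the attempt itself is the finding.
            alerts.append(("runtime-change-attempt", e.host, peer))
        elif e.msgid == "CONFIG_CHANGE" and "SNMP enabled" in e.msg:
            alerts.append(("snmp-enabled", e.host, e.params.get("role", "?")))
        elif e.msgid == "GSD_SIG_FAIL":
            alerts.append(("unsigned-or-tampered-gsd", e.host, e.params.get("file", "?")))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in triage(parse_events(SAMPLE_SYSLOG)):
        print(f"{rule:28s} host={host} detail={detail}")
```

Running the script prints three alerts for the constructed sample: the repeated certificate rejection from 10.0.5.23, the blocked runtime rename from the same peer, and the SNMP re-enable on io-device-12. The `GSD_SIG_OK` and `AUTH_OK` lines are parsed but produce nothing, which is the point of collecting them: they are the baseline against which the failures stand out.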
No crying: ready to run
After a thorough review, Profibus & Profinet International (PI) reconfirmed in 2026 that Profinet provides the basis for CRA compliance. And end-users can employ their existing installations and expand them step by step depending on their risk assessment.
Guidelines for industry
The CRA, EUMR and NIS2 each go well beyond the handful of requirements mentioned. Topics include vulnerability reporting, security management processes, limiting attack surfaces, patches/updates management, SBOMs and support periods. While these may be technically out of scope of the pure Profinet specification, they are nonetheless exhaustively addressed in various security guidelines from PI. Strategies discussed include VLAN planning, zone and conduit concepts, defense-in-depth and certificate handling.
End goal: ease of use
The tricky part, and the goal of PI, is to make the deployment of cybersecurity measures as easy as possible. It is well known that end-users’ strong desire for cybersecurity is often outweighed only by the barriers to deploying cybersecurity measures. Therefore, ease of use regarding Profinet cybersecurity measures is a primary concern for the respective working groups within PI.
Summary
In summary, the Profinet specification provides the basis for CRA, EUMR and NIS2 compliance. End users can use their existing installations and expand security step by step depending on their risk assessment. All device makers and machine builders should be working with their customers to determine which Profinet cybersecurity measures are required to meet their customers’ needs. End users should lean on the Profinet Security Guidelines for detailed instruction on securing their networks. Meanwhile, PI will continue to pour every available resource into making Profinet cybersecurity measures as easy as possible to deploy.
About the Author
Michael Bowne
PI North America
Michael Bowne is the executive director of PI North America, and he is the deputy chairman of Profibus & Profinet International (PI) on a global scale. These are roles he has held since 2015 after joining PI North America in 2011 as technical marketing director. Prior to PI, Bowne was a product manager at FRABA, a producer of rotary encoders. He holds a bachelor of science degree in physics from Pennsylvania State University. Contact him at [email protected].