From December 2027, the EU Cyber Resilience Act (CRA) will be fully applicable, forcing manufacturers of connected products to guarantee cybersecurity throughout the entire lifecycle or lose access to the EU market. For German SMEs, this means urgent upgrades to existing products without halting production.

“For many manufacturers, the Cyber Resilience Act is not a future problem. It is already embedded in products currently on the market. Industrial drives and configuration tools are a good example: almost every product with digital elements is now a potential point of attack. Security can no longer be treated as an add-on,” says Marco Spielmann, CEO of Proekspert.

Proekspert supports manufacturers from the initial gap analysis through to certification readiness under IEC 62443, the internationally recognised standard for industrial cybersecurity. What sets the company apart from a traditional IT service provider is that it does not think in patches, but in product lifecycles. Secure update mechanisms, vulnerability management and clear documentation are the structures that help keep products secure, compliant and manageable in the long term, even as requirements evolve.

One example shows how this works in practice. For Danfoss Drives, a Danish manufacturer of industrial drive systems, Proekspert modernised systems that had been in use for more than 20 years – entirely through software, without touching a single hardware component. The result was IEC 62443 Security Level 1 and a successfully passed TÜV-SÜD-audit.

These systems do not operate in simple environments. Industrial processes, building technology and critical infrastructure all depend on devices that cannot fail in operation. In such contexts, cybersecurity and reliability must work together under real-world conditions. For SMEs whose products have been in the field for years, the Danfoss project sends an important signal: upgrading for compliance does not have to mean starting from scratch.