IEC 62443 OT/ICS Security Integrated Advisory
OT/ICS Organizational Compliance × Product Certification — Full Series
IEC 62443 is a series of standards; this advisory covers the five parts that matter most for organizational compliance and product certification, and different combinations apply to different organizational roles. Winners Consulting identifies the applicable parts in a single assessment to avoid unnecessary effort, and guides clients through the correct sequence of "4-1 organizational capability → 4-2 product certification" to maximize first-submission certification success.
Quick Guide: Which Sub-Standards Do I Need?
I manufacture OT/ICS equipment and export
→ 4-1 (first) → 4-2 (product certification)
I integrate OT systems for European factories
→ 2-4 + 3-3
I am a factory/power plant/critical infrastructure
→ 2-1 + 3-3
I provide OT security services (MSSP)
→ 2-4
I develop embedded/IoT (OT use cases)
→ 4-1 (first) → 4-2 (product certification)
European clients require it but I don't know where to start
→ Free assessment to confirm pathway
What is IEC 62443? Why Must Taiwan OT Vendors Pay Attention?
IEC 62443 is the international series of cybersecurity standards for industrial automation and control systems (IACS, commonly called OT/ICS), covering the complete security requirements framework from security management programs down to individual components. While the EU Cyber Resilience Act (CRA) does not directly mandate IEC 62443 certification, it is the mainstream technical pathway for demonstrating CRA conformity in the industrial, energy, and manufacturing sectors, and it is increasingly written into European OEM procurement contracts. Taiwan vendors face pressure from three directions: CRA vulnerability and incident reporting obligations apply from September 2026; European OEMs require 62443-4-1 organizational certification in procurement contracts; NIS2-regulated critical infrastructure clients require equipment that meets 62443-3-3 security level specifications.
IEC 62443 Five Sub-Standards Explained
Understand applicable targets, content scope, and sequential relationships of each sub-standard
IEC 62443-2-1
IACS Security Management System Requirements
Applicable To
Asset owners (factories, power plants, water facilities, etc.)
Scope
Establish an IACS security management system covering policies, procedures, risk assessment, incident response, and supplier management
Prerequisites
No prerequisites
Regulatory/Market Requirements
NIS2 supplier security clauses, factory self-assessment
IEC 62443-2-4
IACS Service Provider Security Requirements
Applicable To
System integrators, maintenance service providers, OT consultants
Scope
Security requirements that service providers must follow when working in client IACS environments, covering remote access, patch management, malware protection, backup and restore, change and configuration management, and event and incident handling
Prerequisites
No prerequisites (independently applicable)
Regulatory/Market Requirements
European OEM contractual requirements for system integrators
IEC 62443-3-3
System Security Requirements and Security Levels
Applicable To
System integrators, asset owners
Scope
Defines system requirements (SRs) grouped under the seven foundational requirements (FR 1-7) and the four security levels (SL 1-4); a zone's requirement is expressed as an SL vector with one level per FR, used as a procurement specification or system design reference
Prerequisites
No formal prerequisite in the standard; in practice, assessments assume a 2-1 (asset owner) or 2-4 (service provider) management foundation
Regulatory/Market Requirements
NIS2 critical infrastructure OT security requirements, CRA system-level assessment
IEC 62443-4-1
Secure Product Development Lifecycle (SDL) Requirements
Applicable To
Equipment/component manufacturers (development organizations)
Scope
Defines the manufacturer's SDL practices: security management, specification of security requirements, secure design, secure implementation (including code review and SAST/DAST), security verification and validation testing, management of security-related issues, security update management, and security guidelines for users
Prerequisites
None, but 4-1 is itself the required prerequisite for 4-2
Regulatory/Market Requirements
CRA security-by-design obligations, European OEM supplier requirements
IEC 62443-4-2
Technical Security Requirements for IACS Components
Applicable To
Equipment/component manufacturers (for specific products: embedded devices, host devices, network devices, and software applications)
Scope
Defines component requirements (CRs) derived from the seven foundational requirements (FR) for OT/ICS components: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability, each rated at a capability security level (SL-C)
Prerequisites
The development organization must first comply with the 4-1 SDL
Regulatory/Market Requirements
A widely used evidence path for CRA CE marking; supply chain product compliance requirements
Sub-standard sequence and certification pathway
⚠️ Organizations must complete 4-1 SDL certification before obtaining 4-2 product certification
Confirm Applicable Sub-Standards by Role
Find your role and confirm the necessary certification combination
Industrial Equipment Manufacturer (exporting to EU)
4-1 establishes development capability, 4-2 achieves product certification, supports CRA CE marking
System Integrator (serving European factories)
2-4 meets service provider security requirements, 3-3 used for system design specifications
Factory/Power Plant/Critical Infrastructure
2-1 establishes own security management, 3-3 defines security level requirements for procured equipment
OT Security Service Provider (MSSP)
2-4 is the core requirement for service providers, ensuring service delivery meets client IACS security standards
Embedded Systems/IoT Device Vendor (OT use cases)
Same path as industrial equipment; CRA + 62443-4-2 dual-track ensures market access
✅ Achieving IEC 62443 Certification
- ✓ 4-2 product certification provides the most direct evidence for CRA CE marking conformity
- ✓ European OEM procurement contract qualification reviews passed on the first attempt; stable orders
- ✓ 4-1 SDL organizational certification improves development process quality and reduces product vulnerability density
- ✓ NIS2 critical infrastructure client procurement specifications satisfied
- ✓ 3-3 security level assessment serves as a procurement specification tool and supports supplier selection
- ✓ Lower EU market entry barriers compared with uncertified competitors
- ✓ Integrated advisory covers multiple sub-standards at once, avoiding duplicated effort
× Risks of Non-Certification
- × Unable to obtain CE marking before the CRA December 2027 deadline; OT products can no longer be placed on the EU market
- × European OEM procurement contracts require 4-1 certification; inability to provide it results in disqualification
- × Pursuing 4-2 without 4-1; rejection by the certification body wastes 6-12 months
- × No 2-4 certification; European clients add stricter liability and breach clauses to system integration contracts
- × Not knowing which sub-standards are needed; pursuing unnecessary certifications wastes resources
- × After competitors obtain certification, the gap in EU market pricing power widens
- × NIS2 supply chain security requirements indirectly push clients to switch to certified suppliers
Winners Consulting IEC 62443 Integrated Advisory Process
Five steps from sub-standard diagnosis to certification
Role Definition & Sub-Standard Applicability Diagnosis
Based on enterprise role (equipment manufacturer/system integrator/service provider/asset owner) and objectives (organizational compliance/product certification/supply chain requirements), diagnose the minimum necessary sub-standard combination to avoid over-investing in unnecessary certifications.
4-1 SDL Security Development Capability (Organizational Prerequisite)
If 4-2 product certification is needed, must first establish SDL security development process per 4-1: security requirements management, security architecture design, secure code review, security testing, and vulnerability management.
2-1/2-4 Security Management System
Build organizational security management policies per 2-1 (IACS security management system) or 2-4 (service provider security requirements), together with zone and conduit partitioning (per 62443-3-2), risk assessment procedures, and supplier security management.
3-3/4-2 Technical Requirements Assessment & Implementation
Derive the security level target (SL-T) for each zone and compare it with the security level capability (SL-C) of the system per 3-3, conduct a gap analysis of product components against the seven foundational requirements (FR) per 4-2, then implement technical hardening and test verification.
Conformity Assessment & Third-Party Certification
Arrange a conformity self-assessment or commission third-party certification from an IEC 62443 certification body such as TÜV or SGS (or a CRA Notified Body where CE marking is involved) based on the target certification level; prepare the technical documentation package; confirm whether concurrent CRA CE marking is needed.
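The 3-3 gap analysis in the assessment step above compares, for every foundational requirement, the level a zone needs (SL-T) with the level a system or component delivers (SL-C). The following Python script is an added worked example, not tooling from the advisory page or from any certification body: it parses SL vectors written in the standard's "{ 2 2 0 1 3 1 3 }" notation (FR 1 to FR 7), reports every FR where capability falls short of target, and selects which candidate components fit which zone. Zone names, component names and all vectors are constructed sample data.

```python
"""IEC 62443-3-3 / 4-2 security level (SL) vector gap analysis.

Added example, not from the advisory page or any certification body's tooling.
An SL vector lists one level (0..4) per foundational requirement FR 1..FR 7.
A zone's target vector SL-T is satisfied by a system or component whose
capability vector SL-C is greater than or equal to SL-T for every FR.
Zone names, component names and all vectors below are constructed sample data.
"""
from dataclasses import dataclass, field

FR_NAMES = {
    1: "IAC identification and authentication control",
    2: "UC use control",
    3: "SI system integrity",
    4: "DC data confidentiality",
    5: "RDF restricted data flow",
    6: "TRE timely response to events",
    7: "RA resource availability",
}


def parse_sl_vector(text: str) -> tuple[int, ...]:
    """Parse a vector written as '{ 2 2 0 1 3 1 3 }' (braces optional)."""
    values = tuple(int(tok) for tok in text.strip().strip("{}").split())
    if len(values) != 7:
        raise ValueError(f"SL vector needs 7 entries (FR 1..FR 7), got {len(values)}")
    if any(not 0 <= v <= 4 for v in values):
        raise ValueError("SL entries must be in the range 0..4")
    return values


@dataclass
class GapReport:
    zone: str
    component: str
    # FR number -> (target, capability) for every FR where capability < target
    gaps: dict[int, tuple[int, int]] = field(default_factory=dict)

    @property
    def compliant(self) -> bool:
        return not self.gaps

    def summary(self) -> str:
        if self.compliant:
            return f"{self.component} satisfies SL-T of zone '{self.zone}'"
        lines = [f"{self.component} does NOT satisfy SL-T of zone '{self.zone}':"]
        for fr, (t, c) in sorted(self.gaps.items()):
            lines.append(f"  FR {fr} {FR_NAMES[fr]}: SL-T {t}, SL-C {c}, gap {t - c}")
        return "\n".join(lines)


def gap_analysis(zone: str, sl_t: tuple[int, ...], component: str,
                 sl_c: tuple[int, ...]) -> GapReport:
    """Element-wise comparison of capability against target, one entry per FR."""
    gaps = {fr: (t, c) for fr, (t, c) in enumerate(zip(sl_t, sl_c), start=1) if c < t}
    return GapReport(zone, component, gaps)


def select_components(zones: dict[str, str],
                      components: dict[str, str]) -> dict[str, list[str]]:
    """For each zone, list the components whose SL-C meets the zone's SL-T."""
    result = {}
    for zone, t_text in zones.items():
        sl_t = parse_sl_vector(t_text)
        result[zone] = [name for name, c_text in components.items()
                        if gap_analysis(zone, sl_t, name, parse_sl_vector(c_text)).compliant]
    return result


# Constructed sample data: two zones from a zone-and-conduit model and three candidate components.
SAMPLE_ZONES = {
    "Process control LAN": "{ 2 2 2 1 2 2 2 }",
    "Safety instrumented zone": "{ 3 3 3 1 3 2 3 }",
}
SAMPLE_COMPONENTS = {
    "PLC-A": "{ 3 3 3 2 3 2 3 }",
    "HMI-B": "{ 2 1 2 1 2 1 2 }",
    "RTU-C": "{ 2 2 2 1 2 2 2 }",
}

if __name__ == "__main__":
    for zone, fits in select_components(SAMPLE_ZONES, SAMPLE_COMPONENTS).items():
        print(f"{zone}: {fits}")
    lan = SAMPLE_ZONES["Process control LAN"]
    print(gap_analysis("Process control LAN", parse_sl_vector(lan),
                       "HMI-B", parse_sl_vector(SAMPLE_COMPONENTS["HMI-B"])).summary())
```

Run as a script it prints the fitting components per zone and then a per-FR breakdown showing that HMI-B misses the control LAN target on FR 2 (use control) and FR 6 (timely response to events). The comparison is deliberately element-wise: a component that is strong on six FRs but one level short on the seventh does not meet the zone's SL-T, which is exactly the situation a procurement specification built on 3-3 is meant to catch.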
Success Stories
Industrial Automation Equipment Manufacturer
Taoyuan, exporting to European OEM vendors
4-1 + 4-2 (SL 2)
Completed 4-1 SDL organizational certification (5 months), then obtained 4-2 SL 2 product certification (6 months), integrated CRA technical documentation, passed a European automotive OEM supplier review, and added 2 European supplier qualifications.
Duration:11 months
Power Infrastructure System Integrator
Taipei, serving European power plant clients
2-4 + 3-3
Completed 2-4 service provider security certification, established zone and conduit security architecture design capability (3-3), passed the European power plant client's annual supply chain security audit, and retained the core contract.
Duration:5 months
Embedded Security Component Manufacturer
Hsinchu, products for European industrial IoT
4-1 + 4-2 (SL 1)
Confirmed as CRA Class I through diagnosis; integrated IEC 62443-4-2 certification with the CRA conformity assessment; shared technical documentation saved 35% of man-hours; obtained CE marking; achieved CRA 2027 deadline compliance 6 months early.
Duration:8 months
Frequently Asked Questions
What is IEC 62443? What is its relationship with CRA?
IEC 62443 is the international series of cybersecurity standards for industrial control systems (ICS/IACS/OT). While the EU CRA does not directly mandate IEC 62443 certification, it is the most widely recognized technical standard for demonstrating CRA conformity in industrial automation, energy, and manufacturing. IEC 62443 certification significantly simplifies CRA conformity assessment because much of the technical documentation can be reused.
What sub-standards does IEC 62443 have? Which does my enterprise need?
Key IEC 62443 parts: 2-1 (IACS security management system, organizational), 2-4 (service provider security requirements, organizational), 3-3 (system security requirements and security levels, system layer), 4-1 (secure product development lifecycle, organizational, prerequisite for product certification), 4-2 (component technical security requirements, product). The logic: manufacturers must comply with 4-1 before 4-2; system integrators need 2-4; asset owners need 2-1. Winners Consulting provides a free sub-standard applicability diagnosis.
What is the difference between IEC 62443-4-1 and 4-2? Why is 4-1 a prerequisite for 4-2?
IEC 62443-4-1 defines organizational capability requirements for the manufacturer's secure development lifecycle (SDL); it is organizational compliance. 4-2 defines technical security requirements for component products and is product compliance. The prerequisite relationship: if the development organization has not established 4-1 SDL capability, the products it develops lack security assurance at the design source, so certification bodies verify 4-1 compliance of the development process before certifying a product to 4-2.
What are security levels (SL)? What are the differences between SL 1 and SL 3?
IEC 62443 defines four security levels, SL 1 to SL 4 (SL 0 means no specific requirement for a given foundational requirement). SL 1 protects against casual or coincidental violation; SL 2 against intentional violation using simple means with low resources, generic skills, and low motivation; SL 3 against intentional violation using sophisticated means with moderate resources, IACS-specific skills, and moderate motivation; SL 4 against sophisticated means with extended resources, IACS-specific skills, and high motivation (nation-state class adversaries). Levels are assigned per foundational requirement as an SL vector rather than as a single number for the whole system. Taiwan industrial equipment exported to the EU typically targets SL 1-2; energy and power critical infrastructure typically targets SL 2-3.
How can Taiwan OT/ICS equipment vendors enter the EU market through IEC 62443?
Compliance pathway for Taiwan OT/ICS vendors: (1) CRA conformity: industrial control equipment typically falls under CRA Class I/II, and IEC 62443-4-2 certification is the most direct evidence of conformity; (2) EU supply chain requirements: European OEMs increasingly require 4-1 organizational certification; (3) NIS2 supply chain obligations: critical infrastructure clients may require equipment meeting 62443-3-3 security level specifications.
How long does IEC 62443 certification take? What are the costs?
IEC 62443-4-1 SDL organizational certification typically takes 6-9 months; 4-2 product certification takes 4-8 months (excluding the 4-1 build time); a 2-1 management system takes 4-6 months; 2-4 service provider certification takes 3-5 months. Winners Consulting provides a free applicability diagnosis to confirm the minimum necessary certification combination before estimating timeline and cost.
How is Winners' IEC 62443 advisory different from going directly to a certification body?
Certification bodies conduct certification testing and issue certificates but do not provide institution-building advisory. Winners Consulting, as advisory consultant: (1) diagnoses the applicable sub-standard combination; (2) builds SDL processes, management systems, and technical documents per the standard's requirements; (3) conducts a pre-certification review to maximize first-submission pass rates; (4) coordinates communication with the certification body. Winners Consulting maintains relationships with multiple certification bodies and CRA Notified Bodies.
One Assessment to Confirm Which IEC 62443 Sub-Standards You Need
Free sub-standard applicability assessment: confirm minimum necessary certification combination based on enterprise role and target market, plan correct 4-1 → 4-2 sequence, integrate CRA conformity assessment, provide shortest-path timeline.