Precise Roles of IEC 62443 and ISO 26262 in CRA Compliance
This is the most common source of confusion in the market. The two standards play entirely different roles in CRA compliance. Clarifying this relationship — and preventing clients from taking the wrong path — is the core value Winners Consulting delivers.
| Standard | Nature | CRA Role | Target Clients |
|---|---|---|---|
| IEC 62443-4-x | Cybersecurity standard | ✅ CRA Harmonised Standard — directly provides presumption of conformity for CE marking | All connected products, OT/ICS equipment, IoT manufacturers |
| ISO 26262 | Functional safety standard | ⚠️ Not a CRA Harmonised Standard — cannot satisfy CRA alone; HARA results are essential input for Safety-Security integration | Automotive ECUs, ADAS, in-vehicle software suppliers |
Key insight: An automotive ECU supplier with ISO 26262 certification starts at zero for CRA purposes — IEC 62443-4-x must still be applied to obtain CE marking. However, integrating HARA and TARA through Safety-Security analysis allows one risk assessment to serve both functional safety and cybersecurity audits, saving 30–40% in duplicated costs.
Select Your Compliance Pathway by Product Type
Connected Products / OT Equipment
PLCs, SCADA components, industrial sensors, smart meters, IoT devices
Automotive ECU / ADAS / In-Vehicle Software
ECUs, ADAS controllers, OTA update systems, automotive gateways
AI Application Systems
Recruitment screening AI, predictive maintenance, medical decision support, credit scoring
ISO 26262 × IEC 62443: The Core Value of Safety-Security Integration
Cyberattacks can trigger functional safety hazards (e.g., attacking a brake ECU causing vehicle loss of control). CRA Recital 27 explicitly requires manufacturers to address this Safety-Security interface. Winners Consulting is one of the few consultancies in Taiwan capable of performing integrated dual-track analysis, eliminating the cost of engaging two separate specialist firms.
HARA × TARA Dual-Track Integration
ISO 26262 HARA identifies all hazard scenarios that could cause injury or death. IEC 62443 / ISO 21434 TARA identifies cyberattack scenarios. Winners Consulting runs an integrated workshop to determine "which attacks can trigger which HARA hazards," producing a Safety-Security interface list that simultaneously satisfies audit requirements for both standards.
ASIL Decomposition Directly Maps to IEC 62443 Security Level (SL)
ASIL D functions (highest safety integrity level) that can be influenced by cyberattacks require IEC 62443 Security Level SL 3 or above; ASIL A-B recommend SL 2. Winners Consulting maps ASIL decomposition results directly to IEC 62443-4-2 Component Requirements (CR), ensuring cybersecurity control intensity aligns precisely with functional safety needs — neither over-engineered nor under-designed.
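The HARA × TARA integration and the ASIL-to-SL mapping described above can be expressed as a small join over two tables. The following is an added illustration, not Winners Consulting's own tooling or a method from either standard: the hazard and attack-scenario records are constructed, the ASIL-to-SL rule is the general principle stated on this page (ASIL C-D → SL 3 or above, ASIL A-B → SL 2), and the treatment of QM functions as carrying no safety-driven SL requirement is an assumption of the example.

```python
"""Added example: join ISO 26262 HARA hazards with TARA attack scenarios to
produce a Safety-Security interface list and a required IEC 62443 Security
Level (SL) per affected vehicle function.

All records below are constructed sample data, not from any real assessment.
"""
from dataclasses import dataclass

# General principle from the page: ASIL C-D -> SL 3 or above, ASIL A-B -> SL 2.
# QM (no ASIL) functions receive no safety-driven SL requirement (assumption).
ASIL_TO_MIN_SL = {"D": 3, "C": 3, "B": 2, "A": 2, "QM": 0}


@dataclass(frozen=True)
class Hazard:
    """One HARA row: a hazard caused by malfunction of a vehicle function."""
    hazard_id: str
    function: str
    asil: str
    description: str


@dataclass(frozen=True)
class AttackScenario:
    """One TARA row: an attack scenario that can disturb a vehicle function."""
    scenario_id: str
    target_function: str
    attack_surface: str
    description: str


@dataclass(frozen=True)
class InterfaceEntry:
    """One Safety-Security interface row: an attack that can trigger a hazard."""
    hazard_id: str
    scenario_id: str
    function: str
    asil: str
    min_sl: int


def build_interface_list(hazards, scenarios):
    """Pair every hazard with every attack scenario that targets the same function."""
    by_function = {}
    for s in scenarios:
        by_function.setdefault(s.target_function, []).append(s)
    entries = []
    for h in hazards:
        for s in by_function.get(h.function, []):
            entries.append(InterfaceEntry(h.hazard_id, s.scenario_id,
                                          h.function, h.asil, ASIL_TO_MIN_SL[h.asil]))
    return entries


def required_sl_per_function(entries):
    """Highest SL per function, driven by the most severe hazard an attack can reach."""
    result = {}
    for e in entries:
        result[e.function] = max(result.get(e.function, 0), e.min_sl)
    return result


def safety_only_hazards(hazards, entries):
    """Hazards with no attack path: they stay in the functional-safety track only."""
    reachable = {e.hazard_id for e in entries}
    return [h.hazard_id for h in hazards if h.hazard_id not in reachable]


# Constructed sample HARA and TARA rows.
HAZARDS = [
    Hazard("H-01", "brake_control", "D", "Unintended loss of braking"),
    Hazard("H-02", "cabin_lighting", "A", "Interior light flickers while driving"),
    Hazard("H-03", "infotainment_audio", "QM", "Audio playback interrupted"),
    Hazard("H-04", "lane_keep", "B", "Spurious steering torque request"),
]
SCENARIOS = [
    AttackScenario("T-01", "brake_control", "diagnostic port", "Injected brake command frames"),
    AttackScenario("T-02", "infotainment_audio", "Bluetooth", "Malformed stream crashes head unit"),
    AttackScenario("T-03", "lane_keep", "telematics unit", "Tampered OTA calibration data"),
    AttackScenario("T-04", "brake_control", "telematics unit", "Tampered firmware update"),
]

if __name__ == "__main__":
    interface = build_interface_list(HAZARDS, SCENARIOS)
    for e in interface:
        print(f"{e.hazard_id} <- {e.scenario_id}  {e.function:20s} ASIL {e.asil:2s} -> SL {e.min_sl}")
    print("required SL per function:", required_sl_per_function(interface))
    print("safety-only hazards:", safety_only_hazards(HAZARDS, interface))
```

The interface list is the artifact both auditors ask for: the ISO 26262 side sees which hazards have a cyber trigger, and the IEC 62443-4-2 side sees which SL the Component Requirements for each function must be selected against. Hazards with no attack path (here, cabin lighting) are left in the safety track, which is the "neither over-engineered nor under-designed" outcome the text describes.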
Unified Technical Documentation (Built Once, Audited Twice)
ISO 26262 Safety Case and CRA Technical Documentation share significant structural overlap: system architecture description, risk assessment processes, verification test results, design change management. Winners Consulting designs a unified architecture built once to support both ISO 26262 certification bodies and CRA Notified Bodies, saving clients 30–40% in documentation costs.
Factory OT Security: SIS / BPCS Segregation Design
Automotive parts manufacturers also face factory OT security requirements: Safety Instrumented Systems (SIS) must be physically segregated from Basic Process Control Systems (BPCS), and active scanning of production OT equipment is absolutely prohibited (may trigger protective shutdowns). Winners Consulting provides factory-side IEC 62443-3-2 Zone & Conduit design in parallel with product-side CRA compliance.
Strategic Value of Early EU Compliance
✅ Strategic benefits of getting compliance right
- Continued EU market access for connected products after 2027, securing a 3–5 year first-mover advantage
- ISO 26262 + CRA dual certification becomes a prerequisite on Tier 1 OEM procurement checklists
- One Safety-Security integration analysis eliminates the cost of two separate specialist engagements
- An established SBOM enables supply chain vulnerability management, reducing cybersecurity incident liability
- IEC 62443-4-1 SDL implementation reduces per-product cybersecurity development costs by ~40%
- Complete EU documentation accelerates mutual recognition for Japanese and North American certifications
⚠️ Real risks of non-compliance
- Connected products without CE marking are banned from EU market sales from September 2027
- CRA violations: up to €15 million or 2.5% of global annual revenue, whichever is higher
- Automotive PPAP audit failure: immediate contract termination, with business transferred to compliant competitors
- EU AI Act high-risk system violations: up to 3% of global annual revenue
- OT cybersecurity incidents causing production downtime: single-day losses often exceed three years of consulting fees
- GDPR violations involving EU personal data: up to 4% of global annual revenue
Five-Regulation Compliance Framework
Core Regulation: EU Cyber Resilience Act — Mandatory CE marking cybersecurity for connected products (Sept 2027)
CRA Harmonised Standard: IEC 62443-4-1/4-2 — Primary CRA Harmonised Standard; compliance creates presumption of conformity
AI Product Layer: EU AI Act — Risk classification, high-risk obligations, GPAI requirements (Article 5 effective Feb 2025)
Automotive Layer: ISO 26262 — Road vehicle functional safety (HARA/ASIL); essential input for Safety-Security integration
Data Protection Layer: GDPR — Personal data protection, cross-border transfer mechanisms (SCCs) and DPA
Winners Consulting Integrated Compliance Methodology
Product Diagnosis & Regulatory Scope Confirmation
Winners Consulting senior consultants conduct a free initial assessment to confirm your product compliance pathway (CRA core / automotive Safety-Security / AI high-risk), identify applicable regulatory scope, assess current gaps, prioritize improvements, and produce a written diagnostic report.
Integrated Risk Assessment (HARA × TARA × SRA)
Execute the appropriate risk assessment by product pathway: IEC 62443-3-2 SRA for standard connected products; ISO 26262 HARA integrated with IEC 62443 TARA to produce the Safety-Security interface list for automotive ECUs; EU AI Act Article 9 risk management system design for AI systems.
Cybersecurity Controls Implementation & SDL
Implement IEC 62443-4-1's eight Secure Development Lifecycle practices (SM/SR/SD/SI/SVV/DM/SUM/SG): threat modeling, secure code review, SAST/DAST testing, penetration testing, SBOM construction — ensuring the product meets all CRA Essential Requirements.
Unified Technical Documentation
Build complete technical documentation per CRA Annex I: system architecture, risk assessment process, test results, SBOM, security update plan. For automotive clients, the architecture simultaneously supports ISO 26262 Safety Case — one document built, two audits satisfied, 30–40% cost reduction.
CE Marking & Ongoing Compliance
Support Notified Body selection, complete conformity assessment (self-assessment for standard / third-party for Class I-II important products), obtain CE marking, establish post-market vulnerability management (ENISA 72-hour disclosure) and security update procedures with 90-day post-certification tracking.
Frequently Asked Questions
Can IEC 62443 or ISO 26262 satisfy EU CRA requirements?
They play completely different roles. IEC 62443 (parts 4-1 and 4-2) is a primary CRA Harmonised Standard — compliance creates a presumption of conformity enabling CE marking. ISO 26262 is a vehicle functional safety standard addressing random electronic failures; it is not a CRA Harmonised Standard and cannot satisfy CRA alone. Automotive ECU suppliers need both: ISO 26262 for functional safety and IEC 62443 for cybersecurity, integrated through Safety-Security analysis to enable CE marking.
How can automotive ECU suppliers avoid duplicating effort across ISO 26262 and EU CRA?
Winners Consulting's Safety-Security integration pathway saves 30–40% in costs. ISO 26262 HARA results feed directly into IEC 62443 TARA, identifying which attacks can trigger functional safety hazards and producing a Safety-Security interface list satisfying both standards' audit requirements. The unified documentation architecture is built once to support both ISO 26262 certification bodies and CRA Notified Bodies.
When does EU CRA become mandatory for Taiwan exporters?
EU CRA entered into force in December 2024 with a 36-month transition. From September 2027, all connected products exported to the EU must meet CRA requirements and bear CE marking or face a market ban. Taiwan exporters should initiate compliance projects in 2025–2026 to allow time for testing, verification, and Notified Body review.
Which IEC 62443 clauses map to CRA Essential Requirements?
IEC 62443-4-2 maps to: no known exploitable vulnerabilities (CR 7.2), secure-by-default configuration (CR 3.1), authentication and access control (CR 1.x), data encryption (CR 4.1), security update mechanisms (CR 7.3). IEC 62443-4-1 maps to SBOM obligations (SM-9) and secure development process requirements. IEC 62443-2-3 maps to the 72-hour vulnerability disclosure mechanism. Conformance creates presumption of conformity with corresponding CRA requirements.
How does the ASIL rating affect IEC 62443 Security Level (SL) requirements?
Higher ASIL ratings with network attack exposure require higher IEC 62443 Security Levels. General principle: ASIL C-D functions recommend SL 3 or above; ASIL A-B recommend SL 2. Winners Consulting maps ASIL decomposition results directly to IEC 62443-4-2 Component Requirements (CR), ensuring control intensity aligns precisely with functional safety needs.
Which products are classified as CRA Important Products Class I or Class II?
Class I (third-party review required): operating systems, routers, industrial controllers, mobile device management software, automotive ECUs. Class II (strict third-party certification): industrial firewalls, HSMs, smart meters, automotive gateways, security chips. Class I/II products cannot self-assess and must engage a Notified Body. Winners Consulting provides product classification diagnosis and Notified Body selection support.
Do EU AI Act and EU CRA overlap in scope?
Yes, both apply simultaneously to connected AI systems (e.g., automotive AI driving assistance, factory AI predictive maintenance). EU AI Act Annex IV technical documentation and CRA technical documentation share significant structural overlap — Winners Consulting designs a unified architecture built once to satisfy both regulatory audits.
How does Winners Consulting's integrated service differ from hiring multiple specialist consultants?
Most consultants specialize in only one standard, forcing clients to engage multiple firms and leaving the Safety-Security integration interface unmanaged. Winners Consulting, backed by an academic partnership with National Taiwan University of Science and Technology's cybersecurity center, provides VP/Director-level consultants proficient in both functional safety and cybersecurity, executing integrated analysis, designing unified documentation, and providing full accompaniment through CE marking with 90-day post-certification tracking.
Request a Free Compliance Assessment
Our senior consultants will confirm your product pathway and identify exactly what steps remain before CE marking.