Overview


EU CRA Readiness Statement

Product security alignment with the EU Cyber Resilience Act (CRA)

PLANET is actively aligning its product security practices with the EU Cyber Resilience Act (CRA), having established the regulation's foundational capabilities and continuing to strengthen them ahead of full application. PLANET provides the certifications, security processes and documentation that support its customers' and partners' CRA-related requirements.

Scope of Statement

This statement applies to PLANET products with digital elements that are placed on the EU market and fall within the scope of the EU Cyber Resilience Act. Final applicability and conformity routes are determined on a product-by-product basis according to product function, software capability, intended use, and deployment scenario.

Secure Development & Product Security Foundation

PLANET is already certified to IEC 62443-4-1 (secure product development lifecycle) and EN 18031-1 (product-level security mechanisms: access control, secure defaults, secure update) - security foundations many vendors are only beginning to build. These mechanisms are embedded in PLANET’s product design as appropriate and substantially correspond to the essential cybersecurity requirements under CRA Annex I, providing an established baseline for conformity.

PLANET applies secure-by-design and secure-by-default principles across applicable product development activities, including access control, secure default configuration, secure firmware update, and vulnerability remediation.

⚠ 

Note: IEC 62443-4-1 and EN 18031-1 are recognized/harmonised standards under the IEC and RED frameworks; CRA-specific harmonised standards remain under development.

Vulnerability Handling, PSIRT & Coordinated Disclosure

Building on its public Security Advisories, PLANET has formed a dedicated Product Security Incident Response Team (PSIRT) to centralize triage and coordinated handling of product vulnerabilities.

PLANET is establishing a dedicated vulnerability reporting channel to receive security reports from customers, partners, researchers, and authorities. Reported vulnerabilities will be assessed by PLANET PSIRT, prioritized based on severity and product impact, and handled through a coordinated vulnerability disclosure process.

✔  Centralized vulnerability intake and triage
✔  Severity assessment based on product impact
✔  Coordinated disclosure policy preparation
✔  Security Advisory publication alignment
SBOM & Conformity Documentation

PLANET is generating SBOMs in CycloneDX format for in-scope products, giving visibility into third-party and open-source components to support continuous vulnerability monitoring.

Security Update & Product Lifecycle Support

PLANET is defining product security update and lifecycle support policies for in-scope products. These policies are intended to provide customers and partners with clearer information on security update availability, vulnerability remediation, firmware maintenance, and product end-of-support handling throughout the applicable support period.

✔  Security update availability for applicable products
✔  Firmware maintenance and vulnerability remediation
✔  Product lifecycle and end-of-support handling
✔  Customer-facing support information alignment
Supply-Chain Due Diligence

PLANET is rolling out security-focused service-level agreements (SLA) with component suppliers to strengthen third-party due diligence across the supply chain.

Preliminary Product Classification

Expected, preliminary and, as appropriate, subject to third-party confirmation

Unmanaged Devices

CRA Default Category

Unmanaged devices outside the Annex III network functions are expected to fall within the CRA Default Category - manufacturer self-assessment (Annex VIII, Module A) and self-declaration.

Managed Switches

Important Products - Class I

Managed switches, providing Annex III network functions, are expected to fall within Important Products - Class I. Conformity may be shown via internal production control where harmonised standards apply; however, the CRA-specific harmonised standards are still under development, so this route is not yet fully available. PLANET is therefore preparing the third-party conformity assessment pathway, and uses well-recognized, industry-trusted vulnerability scanning tools to validate product security.

⚠ 

CRA notified body designations and harmonised standards are still being finalized across the EU; PLANET is engaging accredited bodies early so the appropriate pathway can be completed once the framework is in place.

Classifications are preliminary and, as appropriate, subject to third-party confirmation; final pathways are determined per product by function and intended deployment.

CRA Implementation Timeline

PLANET is aligning its CRA readiness activities with the key implementation milestones of the EU Cyber Resilience Act.

December 2024

CRA Entered into Force
The EU Cyber Resilience Act became effective, initiating the transition period for manufacturers and economic operators.

September 2026

Vulnerability Reporting Readiness
Vulnerability and incident reporting obligations begin to apply, requiring stronger vulnerability intake, triage and notification readiness.

December 2027

Full CRA Application
Full CRA requirements are expected to apply to in-scope products with digital elements placed on the EU market.

Contact Us