UNIFE, CER and UITP publish their guidance on the Cyber Resilience Act
UNIFE and its rail sector partners CER and UITP are proud to present their guidance document on the application of the Cyber Resilience Act (CRA) in the rail sector.
This document represents a significant and unprecedented collaborative effort involving cybersecurity experts from the rail supply industry and the rail operating community who have worked together over the past year and a half.
As horizontal legislation applicable to a variety of products, from smartphones to locomotives, the CRA can be challenging to translate for a sector like rail, with its own unique procedures and frameworks. The guidance explains the CRA's key concepts, as well as the requirements for secure products and the obligations of manufacturers. Numerous recommendations follow on the application of the legal provisions to the specific context of the rail sector, and on best practices to ease the transition towards CRA compliance. Among the many topics addressed are the scope of the CRA, vulnerability handling, SBOMs, substantial modifications, spare parts, product integration, and how to mitigate issues with ongoing projects.
A separate annex, published alongside the main guidance, outlines the expected relationship between the CRA and the vehicle authorisation process.
This is the first published version of the guidance (V1.0.0), meaning that further sections, corrections and topics will be added as updates over time.
For more information on UNIFE's work on cybersecurity, please contact:
Luca Cedric Biggiogera
Technical Affairs Manager IT & Cybersecurity
luca.biggiogera@unife.org / +32 2 626 12 69
