The Cyber Resilience Act (CRA) came into force across Europe in December 2024. By the end of 2027 at the latest, companies must be able to prove that their digital products are fully secure. According to the manufacturer’s press release dated March 18, 2025, Bosch Rexroth’s ctrlX OS operating system is already equipped to meet the requirements of the CRA.
The Cyber Resilience Act obliges manufacturers of products with digital components both to guarantee the cyber security of such products and to address vulnerabilities in such a way that cyber security is ensured for the entire life cycle. In addition to a thorough risk assessment, cyber risks must be taken into account as early as the engineering stage. Products must be designed to be secure and updatable as standard. According to the CRA, critical security incidents and vulnerabilities used for attacks must also be reported within 24 hours and quickly rectified with updates.
Steffen Winkler, Sales Manager of the Automation & Electrification Solutions business unit at Bosch Rexroth, explains: “The Cyber Resilience Act sets out mandatory cyber security requirements for both manufacturers and distributors across the entire product lifecycle – for all products that are connected to another device or network. With ctrlX OS, we are already well prepared for the requirements of the CRA. Customers can rest assured that they are future-proof with our products.”
The Linux-based operating system ctrlX OS is at the heart of Bosch Rexroth’s automation world and the ctrlX AUTOMATION platform. ctrlX OS is “Secure by Design” and “Secure by Default” and certified by TÜV Rheinland according to IEC 62443-4-2 Security Level 2.
Data that is stored, transmitted or processed is protected. The fast and reliable distribution and application of security patches takes place during ongoing, unaffected operation.
The operating system can also be used by other providers on their automation components. All devices running on ctrlX OS – whether from Bosch Rexroth or third-party providers – already meet very high standards in terms of cyber security.

The Linux operating system ctrlX OS is ready for the requirements of the CRA and certified according to IEC 62443-4-2. (Image source: Bosch Rexroth AG, created with the help of AI)
The ctrlX CORE control unit, for example, is designed to be secure. All user access to the devices is subject to particularly strong password rules as standard. If required, the level of protection can be increased even further. Updates for functional enhancements and vulnerability fixes are provided regularly via a secure channel. Access to device data always requires authentication and authorization.
The control system can also be expanded as required with additional security applications from the ctrlX OS Store, such as security scanner, firewall and VPN client apps. This means that users can also meet the requirements of the CRA for their machines. The firewall app reduces attack surfaces to a minimum. The VPN client ensures secure remote maintenance and protected device access from external networks. Access can be restricted based on the machine status and on-site approval. As part of machine acceptance tests at network level, the Security Scanner enables a complete inventory of all components and an assessment of the security status of the entire machine fleet. Potential areas of attack can thus be identified and specifically addressed.
The ctrlX CORE controller brings cyber security to both new and existing industrial environments. “In order to meet the requirements of the CRA and especially in the context of increasing cyber attacks, it is essential to secure existing machines as well. The ctrlX CORE can also be used as a security gateway in automation solutions with third-party hardware and software to make them secure. With the ctrlX CORE, modern cyber security functions can also be integrated into older systems. This is a decisive advantage in the brownfield environment,” says Winkler.
Bosch Rexroth also supports companies with comprehensive cyber security consulting and services. This includes, for example, carrying out threat analyses and risk assessments, security scans and training to build IT security skills. Individual cyber security concepts are developed and implemented together with the users.
“We are currently consistently aligning all products and services to ensure that companies comply with regulations and can therefore make their systems secure and robust in the long term – this is the only way to ensure their future viability,” says Winkler.