The European Union’s Cyber Resilience Act (CRA) marks a significant change in how cybersecurity is regulated across digital products and services – and the rail sector is no exception. While the majority of the headlines have focused on consumer technologies, its impact on the rail sector is both immediate and far-reaching.
Global Railway Review recently hosted a webinar to deep dive into what this looks like in practice. Industry experts and Nomad Digital specialists examined how the CRA will reshape rail cybersecurity, supply chains, and operational resilience.
Industry Collaboration: Who was in the room
The webinar brought together voices across the industry with rail and cybersecurity expertise, highlighting the collaborative effort required to address CRA compliance.

Together, they explored practical strategies for meeting CRA requirements and shared real-world perspectives from across operators, suppliers, and academia.
A New Baseline for Cybersecurity
At its core, the Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements. This includes obligations around secure design, vulnerability management, incident reporting, and ongoing support – meaning manufacturers will need to build security in from day one.
For the rail industry, this is especially significant. Modern rail systems rely on a complex ecosystem of connected technologies—from onboard connectivity and passenger Wi-Fi to signalling systems and remote monitoring platforms.
The CRA establishes a new baseline: cybersecurity must be embedded from the outset, not added later.

Lifecycle Accountability: A Critical Shift
One of the most important themes discussed in the webinar was lifecycle responsibility. The CRA requires organisations to ensure that products remain secure throughout their operational life, including patching, updates, and vulnerability handling.
In rail, that’s a real challenge. Trains and infrastructure don’t get replaced every few years, and assets can remain in service for decades. Legacy systems must be reassessed, while new deployments must be designed with long-term resilience in mind.
As highlighted in the session, adopting a secure-by-design approach, aligned with frameworks such as IEC 62443 and ISO 27001, provides a strong foundation for meeting these requirements.
Supply Chain Transparency and Risk
Rail runs on complex, layered supply chains. The CRA tightens the expectations here significantly, pushing for greater visibility through things like Software Bills of Materials (SBOMs) and structured vulnerability tracking.
This means organisations must:
- Understand what components are in their systems
- Assess third-party risks more rigorously
- Ensure suppliers meet consistent cybersecurity standards
For rail operators and technology providers, supply chain assurance will become a critical differentiator.

Incident Reporting and Operational Resilience
The CRA also introduces stricter requirements for incident and vulnerability reporting within defined timeframes.
In rail, cyber incidents are not just IT issues—they can directly impact operations, service availability, and safety. As discussed by the panel, this reinforces the need to integrate cybersecurity into operational processes, ensuring rapid detection, response, and recovery.
What This Means for Rail Connectivity Providers
For Nomad Digital, the CRA reinforces the importance of delivering secure, resilient connectivity solutions across the rail environment.
Meeting these expectations involves:
- Embedding security into product design and development
- Maintaining continuous monitoring and patch management
- Securing remote access and segmenting networks
- Providing transparency to customers and partners
The webinar highlighted how Nomad Digital is already aligning its internal processes and frameworks to meet these evolving requirements, ensuring customers are supported throughout the full lifecycle of their systems.
Turning Compliance into Competitive Advantage
While the CRA introduces new regulatory obligations, it also presents an opportunity.
Organisations that proactively align with its principles can:
- Build stronger customer trust
- Improve system reliability
- Reduce long-term operational risk
- Differentiate themselves in a competitive market
As the rail sector continues its digital transformation, cyber resilience will be a foundational enabler, not just another box to tick.
Looking Ahead
The Cyber Resilience Act is a clear signal that cybersecurity expectations are evolving to match an increasingly connected world.
The insights shared during the Global Railway Review webinar reinforce a key message: rail organisations must take a proactive, lifecycle-driven approach to cyber resilience.
By acting now, the industry can not only meet regulatory demands but also build safer, more reliable, and future-ready rail networks.
Thanks to our Cyber specialists, Eddy Thésée (Alstom), David Oswald (Durham University), Callum Robinson (Nomad Digital), Ian Wilson (Nomad Digital) and Global Railway Review for hosting this webinar.
For more information regarding the CRA, contact our experts: [email protected]. Alternatively, please find our Cybersecurity product flyer and CRA Checklist below for.
This article was originally published by Nomad Digital.