As the EU Cyber Resilience Act (CRA) sets a new benchmark for digital product security across Europe, industrial automation companies must adapt their cybersecurity practices to meet the upcoming 2027 compliance deadline. In a timely new Master’s thesis, Jarkko Kortemaa—under the supervision of Dr. Mikko Salmenperä and Dr. Hamed Badihi—presents a practical roadmap for doing just that.
The thesis, titled “Developing a Vulnerability Management Service for an Automation System Based on the Cyber Resilience Act”, examines how industrial control system suppliers can design risk-based patching and vulnerability handling services aligned with CRA mandates. Conducted in collaboration with Valmet, the research assesses the company’s current vulnerability management (VM) capabilities and develops a service concept focused on risk prioritization, lifecycle-based asset tracking, and integration of modern VM tools.
The result is a clear, actionable model that bridges regulatory requirements with operational realities—helping automation vendors deliver secure, CRA-compliant systems without compromising performance or continuity.
J. Kortemaa, Developing a Vulnerability Management Service for an Automation System Based on the Cyber Resilience Act, M.Sc. Thesis, Tampere University, May 2025.