
A new building block for product safety in the lift sector


Digital technologies have fundamentally changed the lift. However, they have also made lifts more vulnerable to cyber threats.

Whereas purely mechanical safety used to take pride of place, digital risks such as inadequate updates, insecure interfaces or poorly maintained software are now an everyday reality. This is where the new EU Cyber Resilience Act (CRA) comes in, and its initial obligations will already apply within a few months.

By Dr Johannes Baur and Christian Schultz, LL.M. (King's College London)

What is the CRA, and why does it apply to the lift sector? The CRA is a new European product safety law for the cyber security of "products with digital elements". This covers all hardware and software components that are networked or process data. For lifts this means that every digital component, from controllers and door drives with electronic interfaces to communication gateways and monitoring systems, could be subject to the CRA.

The CRA prescribes conformity assessment procedures for the products affected, with the details depending on the product's risk class. A lift as a composite product will in most cases probably fall into the standard category, but individual components could be classified as "important" or "critical". Consequently, manufacturers will in future have to examine closely how their components are to be classified and carry out a conformity assessment or have one carried out.

What must be done?

Manufacturers should above all clarify which of their products are covered by the CRA in the first place and which risk class each individual digital component belongs to. Based on this, they must draw up a cybersecurity risk assessment and integrate it into the technical documentation, which is maintained and preserved for the entire life cycle of the product.

Parallel to this, functioning vulnerability management is required that ensures the identification, treatment and elimination of security gaps and the provision of regular updates. Internal reporting channels, both towards authorities and towards users, must be set up to ensure that future reporting obligations can be met. Lastly, depending on the risk class, companies need to select the appropriate conformity assessment procedure and supplement their existing CE processes with the new CRA requirements.

Those who fail to meet the CRA's requirements face the risk of market surveillance measures, sales bans and mandatory recalls. In addition, there is the risk of fines, some of them substantial, if reporting or security requirements are infringed.

When does this apply?

The CRA as a whole only applies from 11 December 2027, but the reporting obligations for actively exploited vulnerabilities and severe incidents will already apply from 11 September 2026. Since a preliminary check of whether a company is affected, and preparation for implementing the obligations, is necessary, manufacturers should not lose any time and should familiarise themselves with the new regulations now.

The authors are specialist lawyers and consultants for IT law at the international business law firm Fieldfisher.

CiA statement on the CRA

The Board of Directors of the non-profit international user and manufacturer association CiA (CAN in Automation) has published a declaration on the EU Cyber Resilience Act (EU CRA) and its effects on CAN networks (including CANopen, the CAN communication platform for lift controller systems).

According to the declaration, products that use CAN and are distributed on EU markets are subject to the European Cyber Resilience Act (EU CRA) if the relevant aspects of cyber security are not covered by application-specific EU legal regulations. In most cases, the declaration continues, the required risk evaluation could be a self-evaluation unless the product is classified as critical according to the definition in Annex III of the CRA.

You can find the complete declaration on the LIFTjournal website: lift-journal.com/cra-cia

More information: fieldfisher.com