Use Case Industrial IoT · Maxvorstadt + Neubiberg · CRA + IEC 62443 + NIS2

Cyber Resilience Act + IEC 62443 + EU AI Act for Industrial IoT - Siemens Maxvorstadt and Infineon Campeon cluster

Siemens Maxvorstadt + Infineon Neubiberg. Cyber Resilience Act EU 2024/2847 in force since 11.12.2024. IEC 62443 SL-Target. NIS2 + EU AI Act Annex III for Industrial AI. UK PSTI Act parallel.

CRA + IEC 62443 + NIS2 + EU AI Act - in one Decision Chain per product release.

Munich Industrial-IoT corporates carry four parallel compliance worlds per product update: EU Cyber Resilience Act (CRA, EU 2024/2847) in force since 11.12.2024, with Conformity Assessment + SBOM + 24 h vulnerability disclosure. IEC 62443 with Security Level Target per Zone/Conduit (SL 1-4) and 7 Foundational Requirements. NIS2 (EU 2022/2555) transposed via NIS2UmsuCG since 10/2024 with 24 h incident reporting to BSI. EU AI Act for Industrial AI in Annex I (safety components of the Machinery Directive) or Annex III Point 8 (supply infrastructure).

Plus Munich supervision: BayLDA AI Checklist v0.9 from 24.01.2024 + DSK Orientation Guide AI and Data Protection 06.05.2024 for the GDPR layer. BSI Grundschutz + BSI KRITIS Ordinance for the KRITIS subset (Siemens Energy, Infineon semiconductor supplier). Machinery Regulation (EU 2023/1230) for Industrial Control Systems with AI components. UK parallel: UK manufacturers face the Product Security and Telecommunications Infrastructure Act 2022 + NIS Regs 2018 + UK GDPR Art. 22; CRA EU still applies for products sold into the EU.

Decision-Layer split typically for Industrial-IoT product release: 40% RULES (CRA conformity-assessment records, IEC 62443 FR validation, NIS2 risk-management measures, SBOM generation), 40% AI AUTONOMOUS (threat-model classification, vulnerability severity scoring, OT network topology analysis, conformity-assessment pre-triage), 20% HUMAN (CISO/CTO sign-off on SL-Target uplift, NIS2 incident classification, conformity-assessment final review).

Audit trail per product release: CRA conformity-assessment record ID (e.g. cra_ca_v2026_q2), IEC 62443 SL-Target + FR status, NIS2 risk-management records per Art. 21, SBOM hash, EU AI Act logging per Art. 12 (where applicable). At Notified Body audit (CRA) + BSI audit (NIS2) + AI conformity-assessment audit: 1-click export per audit format.

How an Industrial IoT sensor product release passes through the CRA.

Anonymised decision record for a CRA conformity-assessment decision at a Munich Industrial-IoT corporate (e.g. Siemens sensor product). Day 1 of 84 before planned product release. With IEC 62443 SL-Target choice + NIS2 risk management.

CRA-CA-2026-05-17-IOT-SENSOR-V4

CRA Conformity Assessment · Industrial IoT sensor v4.0 · received 17.05.2026 · planned release 10.08.2026

Result: Self-Assessment path · IEC 62443 SL 2 · NIS2 reporting integrated
  1. 01 RULE

    CRA product classification

    Product falls under CRA Annex III - sensor with digital elements, connected. Not in Annex III Critical Class (no PKI/Smart Card). Self-Assessment path possible. Rule cra_classification_v2.1.

    ✓ Self-Assessment path
  2. 02 RULE

    SBOM generation (Software Bill of Materials)

    Automatic SBOM generation from build pipeline (CycloneDX format). All open-source components + versions + licences captured. SBOM hash persisted for product-release record. Rule sbom_cra_v3.4.

    ✓ SBOM persisted
  3. 03 AI

    Vulnerability scoring (model cra-vuln-scoring-v2.1)

    SBOM mapped against NIST NVD + ENISA Database. 3 known CVEs in dependencies (CVSS 4.2, 5.8, 7.1). Highest: CVE-2026-XXXX in libssl 3.0.x. The model re-scores impact in the product context (the CVSS 7.1 finding becomes 4.5 in our use case because the sensor sits in an isolated network segment).

    Confidence 0.93 · threshold 0.85

    ✓ 3 CVEs identified
  4. 04 RULE

    IEC 62443 SL-Target choice

    Product use case: smart manufacturing sensor with OT network integration. Threat model: industrial espionage + sabotage. SL-Target recommendation: SL 2 (Skilled Attacker Protection). Foundational Requirements FR 1-7 checklist. Rule iec62443_sl_target_v2.0.

    ✓ SL 2 proposed
  5. 05 AI

    FR status pre-check per Foundational Requirement

    FR 1 (I&A): X.509 cert-based ✓. FR 2 (Use Control): RBAC implemented ✓. FR 3 (System Integrity): SBOM + code-signing ✓. FR 4 (Data Conf): TLS 1.3 ✓. FR 5 (Restricted Data Flow): network segmentation ✓. FR 6 (Timely Response): logging + alerting ✓. FR 7 (Resource Availability): redundancy + failover ✓. Model iec-fr-checker-v1.7.

    Confidence 0.94 · threshold 0.85

    ✓ FR 1-7 satisfied
  6. 06 HUMAN

    CISO sign-off on SL-Target choice

    Mandatory stop on SL-Target. CISO Mr M. (Industrial Security, 12 years Siemens) receives the decision record with threat model, SL-Target recommendation, FR status, CVE list. Decides SL 2 (confirmed) vs. SL 3 (which would cost re-certification). Documented with reasoning.

    ✓ SL 2 confirmed
  7. 07 RULE

    NIS2 risk-management records update

    Product update + 3 CVEs + SL 2 confirmation → NIS2 Art. 21 risk-management records updated. BSI notification not required (CVEs are in dependencies, not actively exploited, no Significant Incident). Rule nis2_risk_v2.3.

    ✓ Records updated
  8. 08 RULE

    CRA Conformity Assessment final sign-off

    Self-Assessment complete: Annex I Essential Cybersecurity Requirements (Security by Design, Vulnerability Handling, Conformity Assessment) + Annex II Information Requirements (User Documentation). Conformity-assessment records per annex documented. CE-marking eligibility confirmed. Rule cra_conformity_v3.1.

    ✓ Self-Assessment complete
  9. 09 RULE

    Audit-trail persistence (CRA + IEC 62443 + NIS2)

    Complete decision record persisted with SBOM hash, CVE list, SL-Target reasoning, FR status, CISO sign-off, NIS2 records. 1-click export for CRA Notified Body format (if audit required), IEC 62443 assessment view, BSI reporting format. EU AI Act logging if AI is in the product. Rule audit_v1.4.

    ✓ Audit trail persisted
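To make the steps above concrete, here is an added example (not the Decision-Layer product's own code) that runs the SBOM hashing of step 02, the CVE matching of step 03 and the routing rules of steps 04 to 09 over a constructed CycloneDX-style SBOM and a constructed vulnerability feed; the CVE identifiers, package URLs and field names are placeholders, and the 0.85 confidence threshold and the human stop on SL-Target uplift are taken from the record above.

```python
import hashlib
import json

# Constructed CycloneDX-style SBOM for a hypothetical sensor firmware build.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libssl", "version": "3.0.9", "purl": "pkg:generic/libssl@3.0.9"},
        {"name": "mqtt-client", "version": "1.2.0", "purl": "pkg:generic/mqtt-client@1.2.0"},
    ],
}, sort_keys=True)

# Constructed vulnerability feed with placeholder IDs (not real CVE numbers).
VULN_FEED = [
    {"id": "CVE-XXXX-0001", "purl": "pkg:generic/libssl@3.0.9", "cvss": 7.1, "exploited": False},
    {"id": "CVE-XXXX-0002", "purl": "pkg:generic/mqtt-client@1.2.0", "cvss": 5.8, "exploited": False},
    {"id": "CVE-XXXX-0003", "purl": "pkg:generic/libssl@3.1.0", "cvss": 9.8, "exploited": True},
]

def sbom_hash(sbom_json):
    """Hash the serialised SBOM so the release record pins exactly this build."""
    return hashlib.sha256(sbom_json.encode()).hexdigest()

def match_vulns(sbom_json, feed):
    """Return feed entries whose purl matches a component in the SBOM."""
    purls = {c["purl"] for c in json.loads(sbom_json)["components"]}
    return [v for v in feed if v["purl"] in purls]

def route_release(vulns, ai_confidence, sl_current, sl_target, threshold=0.85):
    """Decision-layer split: AI output must clear its confidence threshold, and a
    human stop is mandatory on SL-Target uplift or on an actively exploited CVE."""
    exploited = [v["id"] for v in vulns if v["exploited"]]
    reasons = []
    if ai_confidence < threshold:
        reasons.append("ai_confidence_below_threshold")
    if sl_target > sl_current:
        reasons.append("sl_target_uplift")  # re-certification cost risk, CISO decides
    if exploited:
        reasons.append("actively_exploited_cve")
    # The 24 h reporting clock starts only for actively exploited vulnerabilities.
    return {"human_required": bool(reasons), "reasons": reasons, "report_24h": bool(exploited)}

def build_record(sbom_json, feed, ai_confidence, sl_current, sl_target):
    """Assemble the per-release audit record: SBOM hash, CVE list, routing result."""
    vulns = match_vulns(sbom_json, feed)
    return {"sbom_hash": sbom_hash(sbom_json),
            "cves": [(v["id"], v["cvss"]) for v in vulns],
            **route_release(vulns, ai_confidence, sl_current, sl_target)}
```

With the constructed inputs and the record's own values (confidence 0.93, SL 2 confirmed) the release needs no human stop and no 24 h report; raising the target to SL 3 or adding an exploited CVE flips the routing.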

Engineering from Hamburg, workshop in Maxvorstadt or Neubiberg.

Engineering head office Hallerstraße 8 Hamburg. Workshop in Munich: Munich Urban Colab (Freddie-Mercury-Straße 5, Kreativquartier) as neutral ground, or directly at Siemens (Werner-von-Siemens-Straße 1, Maxvorstadt) or Infineon (Am Campeon 1-15, Neubiberg-Campeon campus). Separate rooms for CISO session, engineering workshop, compliance/DPO briefing, works-council session. Workshop under EUR 10,000.

Industrial-IoT workshop pattern: Day 1 = threat-model mapping (Siemens/Infineon engineering + CISO + OT security + compliance). Day 2 = Decision-Layer demo with Industrial-IoT use cases (CRA Self-Assessment, IEC 62443 SL-Target choice, NIS2 incident reporting, EU AI Act logging). Day 3 = integration workshop with OT tooling (e.g. Siemens SIMATIC SCADA, Infineon tools, OPC UA gateways). Plus a Konzernbetriebsrat (group works council) session with an IG Metall expert (Industrial Security is works-council-relevant because of behaviour/performance data capture).

Integration with Industrial IT/OT: Decision-Layer integrates with Industrial-IoT platforms: Siemens MindSphere/Insights Hub, AWS IoT, Azure IoT, IBM Maximo Application Suite. OT protocols: OPC UA, MQTT, Modbus, PROFINET. SBOM tools: CycloneDX, SPDX, Anchore Grype, Snyk. CRA compliance tools: not yet standardised, the Decision-Layer can serve as a conformity-assessment workbench. Source code of the adapters is handed over with the repository to Siemens/Infineon - no vendor lock-in of the interfaces.

Group works council co-determination for Industrial IoT: Industrial IoT data capture in a production environment captures employee data (workplace sensors, machine-operation logs). § 87 (1) No. 6 BetrVG (German Works Constitution Act - mandatory co-determination on technical systems for behaviour/performance monitoring) applies. The Munich Siemens KBR has experience with IIoT co-determination negotiations since around 2019 (MindSphere introduction). Group works agreement (Konzernbetriebsvereinbarung) templates for IIoT-with-AI must have measurable escalation thresholds + audit-trail UI for experts + a technically enforced anonymisation path for behaviour-relevant data. The Decision-Layer fulfils this. UK equivalent: ICE Regulations + works-council consultation + ACAS Code on AI in workplace decisions.

Which Munich Industrial-IoT corporates does this spoke address?
Siemens AG (group HQ Werner-von-Siemens-Straße 1, 80333 Munich-Maxvorstadt, sole group HQ since 2016 - no Berlin co-HQ), Infineon Technologies AG (Am Campeon 1-15, 85579 Neubiberg, Munich district - NOT inside the city of Munich). Plus other Munich industrial players: Rohde & Schwarz (measurement technology, Munich-Riem), Krones, Wacker Chemie (Industrial IoT for chemical production). Plus Linde Engineering Pullach for process-industry IoT. UK manufacturers face the same regime if products are sold into the EU: CRA applies regardless of UK domicile.
What is the Cyber Resilience Act (CRA) concretely and what does it mean for Industrial IoT?
EU CRA Regulation 2024/2847, in force since 11.12.2024. Full application December 2027 (with reporting obligations transitioning from 11.06.2026). Covers all products with digital elements (PDE): from smart sensors via IoT gateways to Industrial Control Systems (ICS). Obligations: Conformity Assessment (Self-Assessment + Notified Body depending on risk class), vulnerability disclosure obligation (24 h for actively exploited vulnerabilities), Software Bill of Materials (SBOM), CE marking as conformity proof. For Siemens/Infineon: every connected product falls under CRA. Decision-Layer documents conformity-assessment records per product version with audit trail. UK parallel: UK manufacturers face the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) + NIS Regs 2018 + UK GDPR Art. 22; CRA EU still applies for products sold into the EU.
How is the IEC 62443 SL-Target mapped in the Decision-Layer?
IEC 62443 (Industrial Communication Networks - Network and System Security) defines four Security Levels (SL 1-4) for the Zone + Conduit architecture. The SL-Target is a mandatory decision per system component. Decision-Layer pattern: RULES validate the SL-Target against the Foundational Requirements (FR 1-7: Identification & Authentication, Use Control, System Integrity, Data Confidentiality, Restricted Data Flow, Timely Response to Events, Resource Availability). AI AUTONOMOUS classifies OT network topology + threat model. HUMAN mandatory on SL-Target uplift (e.g. SL 2 → SL 3) because of re-certification cost risk. Audit trail per component update with IEC 62443 audit-format export.
What does NIS2 mean for Munich Industrial-IoT corporates?
The EU NIS2 Directive (EU 2022/2555) was transposed in Germany via NIS2UmsuCG from October 2024. It covers essential and important entities, which captures both Siemens and Infineon as a KRITIS semiconductor supplier. The core obligations are risk-management measures (Art. 21) and a 24-hour reporting duty for significant incidents (Art. 23), backed by fines up to EUR 10M or 2% of group turnover. The Decision-Layer audit trail supports NIS2 reporting through automated incident classification and an escalation path to BSI. The UK equivalents are the NIS Regs 2018 with NCSC incident reporting.
How is EU AI Act Annex III mapped for Industrial AI?
Annex III does not explicitly cover typical Siemens Industrial AI such as Predictive Maintenance or Production Optimisation - its Points 5(a) and 8 target creditworthiness and supply-infrastructure consumption. The high-risk hook here is Annex I instead: Industrial Control Systems with AI components can qualify as safety components of the Machinery Directive. The Decision-Layer satisfies the resulting obligations - risk management (Art. 9), logging (Art. 12), human oversight (Art. 14) and accuracy/robustness (Art. 15) - plus conformity-assessment records per Annex VI/VII. The EU AI Act applies in full from 02.08.2026. The UK route is the AI White Paper 2023 with sector guidance (HSE for industrial machinery).

Schedule workshop at Grindelberg

3-day discovery: Day 1 process analysis, Day 2 Decision-Layer mapping, Day 3 use-case prioritisation. Concrete deliverable.

Discovery workshop below EUR 10,000. Pilot fixed price discussed after the workshop.