Cybersecurity for an industrial meter: what changes by December 2027
An energy meter is no longer a device. It is a node.
It has an IP address, exposes a Modbus port, accepts firmware updates, synchronizes its clock with a network server, and shares logs with SCADA platforms or cloud energy management systems. Everything that makes it useful also makes it attackable.
For years, the security of an industrial meter was treated as a separate subject, owned by the end customer’s IT manager and distinct from the technical requirements written into OEM specifications. Over the last eighteen months, that separation has ended. Cyber risk has entered the product perimeter. For those who design, build, and sell industrial meters in Europe, the 2024–2027 regulatory framework has already set the deadlines.
The nature of the risk has changed
European manufacturing has long been among the top three sectors by number of recorded cyber incidents, alongside finance and energy. What has changed over the last two years is the nature of the risk.
Incidents are no longer primarily opportunistic ransomware attacks on corporate IT systems. Those still exist, but they have become background noise. The structural risk today is the supply chain: the attacker no longer targets only the final victim, but a supplier in the chain, knowing that from that position they can reach hundreds or thousands of installed systems.
Layered onto this shift over the last eighteen months is the effect of generative artificial intelligence on attack scale. Tools that until 2023 required a skilled human attacker — fuzzing network parsers, generating payload variants, automatically searching for vulnerabilities in proprietary firmware — are now economically accessible to an average attacker. The sophistication of the individual attack has not changed; what has changed is the frequency with which a connected device is actually probed in production.
For an OEM meter manufacturer, this translates into two operational facts. First, the company’s own security posture has become a supplier qualification parameter: utilities, data center operators, and EVSE integrators now include a formal assessment of the manufacturer’s cyber maturity in their onboarding process. Second, the product itself has become a potential attack vector into the customer: a vulnerability in the firmware of a meter installed in five thousand charging stations is not a firmware issue; it is operational exposure for five thousand delivery points. Responsibility — technical, contractual, and now regulatory — returns to the manufacturer.
Three regulations, three deadlines, one direction
Europe has published, over the last eighteen months, the world’s most structured regulatory framework for the security of digital products. For manufacturers of industrial meters, the three relevant sources are converging.
The Cyber Resilience Act (EU Regulation 2024/2847) entered into force on 10 December 2024. It applies to any product with digital elements placed on the EU market: connected meters clearly fall within scope. The operating calendar has already been written. From 11 September 2026, actively exploited vulnerabilities must be reported to the national coordinating CSIRT and to ENISA with an early warning within 24 hours, details within 72 hours, and a final report within 14 days of patch release. From 11 December 2027, the entire Regulation becomes fully applicable: every product placed on the market must be compliant. Penalties reach up to 2.5% of global turnover, a threshold that changes the risk calculation even for companies that have traditionally treated cybersecurity as a secondary budget item.
The RED 2014/53/EU (Radio Equipment Directive) has already reached its deadline on 1 August 2025. For any device with a radio interface (Wi-Fi, Bluetooth, cellular) placed on the European market, Articles 3.3(d), 3.3(e), and 3.3(f) impose specific cybersecurity requirements. The harmonized standard for compliance is EN 18031, in three parts: 18031-1 on network protection, 18031-2 on protection of personal data and privacy, and 18031-3 on protection against financial fraud. For an OEM selling meters with Wi-Fi or cellular connectivity, RED is not a prospect: it is already a legal requirement for CE marking.
IEC 62443 is the international technical standard for the security of industrial automation systems. Part 4-1 defines process requirements for secure product development (the Security Development Lifecycle). Part 4-2 defines the technical requirements for individual components: authentication, integrity, confidentiality, credential management, interface protection. It is not mandatory by law in Europe. However, it is the technical vocabulary in which the draft harmonized standards for the CRA (expected publicly in the fourth quarter of 2026) will be written. A company that today structures its product development process around IEC 62443-4-1 and its products around 62443-4-2 is not merely anticipating good practice: it is pre-aligning with the text that will become mandatory eighteen months later.
What will happen to the market between September 2026 and December 2027
The market for connected industrial products is currently in an asymmetric condition that will not survive these deadlines.
A large share of the industrial meters currently installed in Europe was designed under an assumption that was not unreasonable at the time: cybersecurity is a function configured at the customer’s network perimeter, not a feature to be embedded in the firmware of the individual device. Unsigned bootloaders, unencrypted firmware images, provisioning credentials shared across units, clear-text network communications, no formal channel for vulnerability disclosure: these were widely used design practices until 2022 and are still common in commercially active product portfolios.
The operational problem for manufacturers in this situation is that the CRA does not apply only to new products. It applies to any product placed on the market after December 2027, including products that have been established for years and remain in current production. Modifying the hardware and firmware of an established line to make it compliant is not a marginal technical exercise: it affects the BOM, the production process, customer contracts that specified that product, and stock that has already been manufactured.
One specific concern involves the most widely used fieldbus in industrial environments: Modbus. Hundreds of thousands of devices in energy management, building automation, and process control systems communicate today via Modbus RTU over RS-485 or Modbus TCP over Ethernet. The protocol, created in the 1970s, provides neither authentication nor encryption natively. Compliance with CRA requirements on a Modbus node requires either adoption of Modbus Secure (a recent extension, still scarcely deployed in installed devices) or encapsulation of traffic in a TLS channel managed at application level. In both cases, this is a significant change that cannot be solved with a firmware update.
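As an added illustration, not code from the article or from Herholdt Controls or any product described here, the following Go program decodes a Modbus/TCP frame and classifies it from a defender's point of view. The MBAP header layout and the write function codes follow the public Modbus application protocol specification; port 502 for clear-text Modbus/TCP and port 802 for Modbus/TCP Security (Modbus over TLS, the "Modbus Secure" extension mentioned above) are the IANA-registered ports. The sample frame is constructed. What the code makes concrete is that no field in the frame can carry authentication: a write function code on port 502 is accepted on the strength of network reachability alone, and Modbus/TCP Security moves the authentication into the TLS layer, which is the architectural change the paragraph above refers to.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ModbusADU is a decoded Modbus/TCP application data unit: the 7-byte MBAP
// header followed by the PDU. Note what the format lacks: no credential,
// no message authentication code, no nonce. Any host that can reach the
// port can issue any function code the device implements.
type ModbusADU struct {
	TransactionID uint16
	ProtocolID    uint16 // always 0 for Modbus
	Length        uint16 // number of bytes following this field (unit id + PDU)
	UnitID        uint8
	FunctionCode  uint8
	Data          []byte // PDU payload after the function code
}

// State-changing function codes, named as in the Modbus application protocol
// specification. Everything else is treated as a read or diagnostic.
var writeFunctions = map[uint8]string{
	0x05: "Write Single Coil",
	0x06: "Write Single Register",
	0x0F: "Write Multiple Coils",
	0x10: "Write Multiple Registers",
	0x16: "Mask Write Register",
	0x17: "Read/Write Multiple Registers",
}

// ParseADU decodes one Modbus/TCP frame and validates the MBAP header.
func ParseADU(frame []byte) (*ModbusADU, error) {
	if len(frame) < 8 {
		return nil, errors.New("frame shorter than MBAP header plus function code")
	}
	adu := &ModbusADU{
		TransactionID: binary.BigEndian.Uint16(frame[0:2]),
		ProtocolID:    binary.BigEndian.Uint16(frame[2:4]),
		Length:        binary.BigEndian.Uint16(frame[4:6]),
		UnitID:        frame[6],
		FunctionCode:  frame[7],
	}
	if adu.ProtocolID != 0 {
		return nil, fmt.Errorf("unexpected protocol id %d", adu.ProtocolID)
	}
	// Length counts the unit id and the PDU, i.e. everything after byte 6.
	if int(adu.Length) != len(frame)-6 {
		return nil, fmt.Errorf("length field %d does not match frame of %d bytes", adu.Length, len(frame))
	}
	adu.Data = frame[8:]
	return adu, nil
}

// Finding is the defender's classification of one captured frame.
type Finding struct {
	Port      uint16
	Function  string
	Plaintext bool // carried on the clear-text Modbus/TCP port
	IsWrite   bool // state-changing function code
}

// UnauthenticatedWrite is the condition the text describes: a write reaching
// the device over a transport that carries no authentication at all.
func (f Finding) UnauthenticatedWrite() bool { return f.Plaintext && f.IsWrite }

// Assess classifies a frame by destination port and function code. Port 502 is
// clear-text Modbus/TCP; port 802 is the IANA-registered port for Modbus/TCP
// Security, where a TLS session with client certificates supplies the
// authentication the protocol itself does not have.
func Assess(dstPort uint16, frame []byte) (Finding, error) {
	adu, err := ParseADU(frame)
	if err != nil {
		return Finding{}, err
	}
	name, isWrite := writeFunctions[adu.FunctionCode]
	if !isWrite {
		name = fmt.Sprintf("function 0x%02X", adu.FunctionCode)
	}
	return Finding{Port: dstPort, Function: name, Plaintext: dstPort == 502, IsWrite: isWrite}, nil
}

func main() {
	// Constructed sample frame: Write Single Register (0x06) to unit 1,
	// register 0x0010 := 0x0001. MBAP length = 6 (unit id + 5-byte PDU).
	frame := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x06, 0x00, 0x10, 0x00, 0x01}
	for _, port := range []uint16{502, 802} {
		f, err := Assess(port, frame)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("port %d: %s, unauthenticated write = %v\n", f.Port, f.Function, f.UnauthenticatedWrite())
	}
}
```

Run against a capture, the same classification separates a fleet that still receives register writes on port 502 from one whose writes arrive only inside TLS sessions on port 802, which is the inventory an OEM needs before deciding between Modbus Secure and application-level TLS encapsulation for an established product line.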
The market appears largely unprepared for this transition. The reasons are predictable: the December 2027 horizon seems distant in commercial planning; the draft harmonized standards expected in Q4 2026 feed the belief that waiting is possible; CRA certification for Important Class products will require a Notified Body (Member States must notify them by 11 June 2026), and European third-party assessment capacity is currently limited. Those who start the process in mid-2026 will find queues, long lead times, and rising costs.
What it means today to be a prepared supplier
Working today on future compliance means applying to the product and process the two standards that, in substance, anticipate the technical content of the CRA harmonized standards: IEC 62443-4-1 for the development lifecycle, and IEC 62443-4-2 for product requirements.
A gap analysis carried out today against 62443-4-1 and 4-2 produces two strategically valuable outcomes: it establishes where a product is already aligned with the text that will become mandatory in 2027, and it identifies precisely which actions are still required while there is time to plan them.
Herholdt Controls is conducting this analysis on its products and development processes, in continuous dialogue with Notified Bodies that will participate in conformity assessment once Member States have completed the notifications scheduled for June 2026. This is not a marketing position: it is the work schedule imposed by the convergence of CRA, RED, and the evolution of harmonized standards on anyone who wants to continue supplying connected products to the European market after December 2027.
Security does not start on the shop floor
Building a secure product is not only a matter of product architecture. It is a matter of the architecture of the organization that builds it.
Firmware is secure if, and only if, the chain of custody leading from code to the installed binary is secure: who accesses the source code, who can sign the released binary, where signing keys are stored, how privileged access to the development network is managed, how anomalies are tracked and reported, and how build artifacts are retained for the product’s lifetime. If any one of these links fails, the resulting product may be technically impeccable and materially compromised.
For this reason, the European regulatory framework does not merely require technical features from the product. It requires the manufacturer to demonstrate the existence of a structured internal information security management system: access control, data classification, supplier management, incident response, periodic audits, continuous improvement. Professionals in the field will recognize the vocabulary: it is the language of internationally certifiable management systems, now an implicit prerequisite for companies operating in critical supply chains.
A serious supplier of a product intended for integration into connected infrastructures cannot simply build a secure meter. It must build it inside an organization that applies the same principles of discipline to itself. This work does not show up in a datasheet, but it is visible during due diligence, and it becomes visible in the specifications of customers regulated by NIS2, who, under their own obligations, must qualify their critical suppliers using formal cybersecurity posture criteria.

A concrete step: M3PRO IP+ and RED 2014/53 compliance
At The Smarter E Europe (Munich, 23–25 June 2026), we will present the M3PRO IP+, an evolution of the wired network interface line to which Wi-Fi connectivity has been optionally added. The integration of Wi-Fi triggers the applicability of Directive RED 2014/53/EU for the product.

We are currently completing the product certification procedure under Article 3.3(d) of RED 2014/53/EU in compliance with the harmonized standard EN 18031-1. The process includes firmware code review, assessment of component robustness, and penetration testing carried out with state-of-the-art methodologies in an accredited laboratory. The M3PRO IP+ is the first product in the Herholdt Controls line to complete this process in full.
From the perspective of an OEM or integrator specifying it in their systems, the value of this certification is not the presence of the CE mark itself (RED marking has already been mandatory since 1 August 2025 for any wireless product placed on the European market). The value lies in the documentary trail of the process: EN 18031-1 technical file, laboratory test reports, evidence of penetration testing. This is the type of documentation that, eighteen months from now, will be required much more stringently under the CRA, and that today distinguishes a supplier that is already prepared from one that will have to build it while the calendar tightens.
What this means for an OEM
For an OEM currently writing a specification for a meter intended for a connected application, technical questions for the supplier are no longer an appendix. They are the core of the assessment.
- Is the product certified or self-declared compliant with IEC 62443-4-1 (development process) and 62443-4-2 (technical product requirements)? Is Security Development Lifecycle documentation available during qualification?
- For products with a radio interface: is RED 2014/53 compliance (Articles 3.3 d/e/f) certified under EN 18031, with which specific part and which Notified Body?
- Does the bootloader implement secure boot with cryptographic signing of the application firmware? Are signing keys managed in an HSM or physical secure element, and where physically?
- Is there a Software Bill of Materials automatically generated as a build artifact and updated at every release?
- Does the supplier provide a Coordinated Vulnerability Disclosure channel compliant with the draft CRA? What is the stated patch management process? Are the CSIRT notification deadlines (24h early warning, 72h notification, 14 days after patch) embedded in the internal process?
- For how many years after the last sale does the supplier guarantee security support? How are updates distributed to fleets already deployed in the field, and with what integrity guarantees?
- Does the supplier operate within an information security management system structured according to recognized international standards?
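Two of the points above, the firmware chain of custody described earlier (who can sign a released binary and where the key lives) and the checklist question on secure boot with cryptographic signing of the application image, can be made concrete in code. The following Go program is an added example, not code from the article or from any Herholdt Controls product: the container layout, the magic value, the header fields and the anti-rollback version floor are constructed for this illustration and are not a real product format. It uses Ed25519 and SHA-256 from the Go standard library. The release side signs a header that commits to the digest of the image; the bootloader side, holding only the pinned public key, trusts no header field until the signature over the header has verified.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout, constructed for this example (not a real product format):
//   header (44 bytes) || Ed25519 signature over the header (64 bytes) || image
// The header carries a magic value, a version, the image length and the
// SHA-256 digest of the image, so signing the header signs the image.
const (
	headerMagic = 0x46574D47 // "FWMG", constructed marker
	headerSize  = 4 + 4 + 4 + sha256.Size
)

type Header struct {
	Magic   uint32
	Version uint32
	Length  uint32
	Digest  [sha256.Size]byte
}

func (h Header) Marshal() []byte {
	buf := make([]byte, headerSize)
	binary.BigEndian.PutUint32(buf[0:4], h.Magic)
	binary.BigEndian.PutUint32(buf[4:8], h.Version)
	binary.BigEndian.PutUint32(buf[8:12], h.Length)
	copy(buf[12:], h.Digest[:])
	return buf
}

func UnmarshalHeader(b []byte) (Header, error) {
	if len(b) != headerSize {
		return Header{}, errors.New("bad header size")
	}
	var h Header
	h.Magic = binary.BigEndian.Uint32(b[0:4])
	h.Version = binary.BigEndian.Uint32(b[4:8])
	h.Length = binary.BigEndian.Uint32(b[8:12])
	copy(h.Digest[:], b[12:])
	return h, nil
}

// NewSigningKey generates the release key pair. In production the private
// half is generated inside, and never leaves, an HSM or secure element; an
// in-memory key is used here only so that the example runs offline.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the release-side step: hash the image, sign the header that
// commits to that hash, and emit the container.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	h := Header{Magic: headerMagic, Version: version, Length: uint32(len(image)), Digest: sha256.Sum256(image)}
	hb := h.Marshal()
	out := append(hb, ed25519.Sign(priv, hb)...)
	return append(out, image...)
}

// VerifyImage is the bootloader-side check with the public key pinned in
// immutable storage. No header field is trusted before the signature over the
// header has verified; minVersion is an anti-rollback floor (assumed policy).
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, container []byte) ([]byte, uint32, error) {
	if len(container) < headerSize+ed25519.SignatureSize {
		return nil, 0, errors.New("container too short")
	}
	hb := container[:headerSize]
	sig := container[headerSize : headerSize+ed25519.SignatureSize]
	image := container[headerSize+ed25519.SignatureSize:]
	if !ed25519.Verify(pub, hb, sig) {
		return nil, 0, errors.New("header signature invalid: wrong key or modified header")
	}
	h, err := UnmarshalHeader(hb)
	if err != nil {
		return nil, 0, err
	}
	if h.Magic != headerMagic || int(h.Length) != len(image) {
		return nil, 0, errors.New("header does not describe this container")
	}
	if h.Version < minVersion {
		return nil, 0, fmt.Errorf("version %d below anti-rollback floor %d", h.Version, minVersion)
	}
	if d := sha256.Sum256(image); !bytes.Equal(d[:], h.Digest[:]) {
		return nil, 0, errors.New("image digest does not match signed header")
	}
	return image, h.Version, nil
}
```

A release flow calls NewSigningKey once, SignImage at every build, and ships only the public key in the bootloader; VerifyImage then rejects a flipped image byte, a header edited without re-signing, a container signed by any other key, and an image older than the floor. The split between the two functions is what makes the "where physically" part of the checklist answerable: the signing call is the one operation that has to run inside the HSM, and everything on the verify path can be audited without ever touching the private key.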
A supplier that answers these questions with the same structure — regulatory reference, technical evidence, documented process, time horizon — has done the work. A supplier that answers with generic statements of principle is declaring a compliance posture that will have to be built after contract signature, in a market where third-party assessment capacity will be limited and congested between 2026 and 2027.
Eighteen months before the full applicability of the Cyber Resilience Act, cybersecurity for an industrial meter has ceased to be an optional attribute. It has become, for both product and organization, the dividing line between those who will continue to operate in European markets and those who will not.