Ahead of the Curve: How RTX Is Approaching Cybersecurity

The EU Cyber Resilience Act (CRA) introduces additional mandatory cybersecurity requirements for products with digital elements made available on the European market, in order to establish a common cybersecurity baseline. RTX supports these objectives through a structured, evolving approach to product cybersecurity that helps customers meet rising expectations.

Legal Context: What is CRA and why is it important?

As digital technologies become increasingly interconnected, cybersecurity has become a critical priority for organizations and society alike. To address this challenge, the European Union introduced the Cyber Resilience Act (EU) 2024/2847, which establishes cybersecurity requirements for products with digital elements made available on the European market.

The CRA strengthens product security throughout the entire product lifecycle (including design, development, maintenance, and post-market activities) by requiring manufacturers to follow a secure development lifecycle model, manage vulnerabilities, respond to security incidents, and provide security updates within the defined support period for the product. CRA compliance is also a prerequisite for legally affixing the CE mark to a product with digital elements.

The regulation entered into force on 10 December 2024. Certain obligations, including vulnerability and incident reporting requirements under CRA Article 14, apply from 11 September 2026, while the remaining CRA obligations apply from 11 December 2027.

RTX’s Approach: How does the CRA legislation change our way of working and our solutions?

As a supplier of products with digital elements to customers operating in regulated markets, RTX will continue to ensure cybersecurity is incorporated into the way we design and deliver products. To support evolving regulatory expectations, RTX has established the RTX Security Framework, which defines our structured approach to product security. 

The RTX Security Framework integrates cybersecurity throughout the product lifecycle. It is based on recognized standards such as ISO/IEC 27001/2, IEC 62443, EN 18031, as well as emerging CRA-harmonized standards as they become available (e.g., the EN 40000 series). This framework incorporates core security elements, such as secure development practices, along with structured management of security-related issues (i.e., vulnerabilities and incidents).

RTX applies a risk-based approach to cybersecurity management and will continue to evolve the RTX Security Framework to ensure products and processes are always aligned with regulatory requirements, emerging cybersecurity standards, and evolving security expectations across global markets. In doing so, RTX helps customers respond to changing requirements without unnecessary complexity or added compliance burden.

Broader Impact: How will CRA impact my business?

The Cyber Resilience Act reflects a global shift toward stronger cybersecurity accountability across the full product lifecycle. Because the CRA applies to products sold in the EU market regardless of where they are developed or manufactured, its impact extends well beyond Europe. Functionally, CRA will influence customer expectations, procurement decisions, and regulatory approaches in other regions as well. 

For customers, this means that the cybersecurity health of their suppliers matters more than ever, both for regulatory compliance and for long-term product confidence. Choosing a partner that already operates within recognized security standards, manages vulnerabilities responsibly, and is committed to long-term product support means less regulatory risk to manage internally.

RTX is well positioned to be that partner. By integrating recognized standards and structured security practices into product development and lifecycle management, RTX strengthens the resilience of our products against evolving cyber threats. RTX engages in responsible vulnerability reporting and works to address security issues in a structured and timely manner, aligned with the requirements and objectives of the CRA and other relevant legislation. Our approach helps ensure that RTX products meet evolving cybersecurity expectations across European and global markets, while supporting customers with resilient solutions.