
Interview with Luca Cedric Biggiogera

CRA – a major new EU regulation on cybersecurity

Luca Cedric Biggiogera has a background in digital policy and European affairs. Since the beginning of 2025 he has held the role of Technical Affairs Manager IT & Cybersecurity at UNIFE, the European rail supply industry association. In this position, he manages UNIFE’s Cybersecurity Working Group, the UNIFE Safety Assurance and ECM Working Group, and the inter-association initiative Cybersecurity Rail Sector Group, in which UNIFE collaborates with CER, EIM and UITP on the Cyber Resilience Act.


The Cyber Resilience Act (CRA) is a major new EU regulation on cybersecurity. Can you briefly explain its key objectives and why it is relevant for rail companies?

The CRA has been a challenging and singular endeavour for rail: while it applies to us on many levels, it was not written with the sector in mind. Interpreting it and understanding how to implement it for rail has been a top priority for us in the past few months. The CRA’s goal is to increase the level of cybersecurity for all digital products, from the most basic to more complex ones. It is part of an overall push by the EU to secure the European digital infrastructure on which our society increasingly depends. Think of connected home assistants or toys. These are often sold with little to no security, and no capability of receiving security updates. In the wrong environment, they can become an easy entry point for hostile actors. The CRA introduces essential cybersecurity requirements for all these digital products. As rail – unlike aviation and shipping – has not previously had an equivalent sector-specific EU cybersecurity legislation, it now falls in scope of the CRA.

Which types of rail-related products, systems or companies fall under the scope of the CRA? How is it decided which products are considered critical or regulated?

This is the very question that sparked our sector-wide effort to form the Cybersecurity Rail Sector Group, whose goal is to analyse the CRA and provide expert guidance on the topic in the form of a detailed document. The scope of the CRA is very broad, as it applies to any software or hardware product. The definition, particularly that of a “product with digital elements”, is not easy to map onto the rail sector and initially caused much uncertainty. By analysing the law and existing EU practice, our experts have concluded that the CRA will apply to all rail products which contain digital elements (software or hardware) that were placed on the EU market as a unit. From sensors to rolling stock and even up to block trains, the whole rail supply chain will need to pay attention to CRA requirements. “Critical” and “Important” are categories for products which require special assessment procedures. Only the products mentioned in the CRA itself belong to these categories, and they are generally not rail products. Although the list could be expanded in the future, for now most rail products belong in the default self-assessment category.

The CRA introduces requirements like ongoing security updates throughout a product’s lifecycle. In the rail sector, products are often in use for 30 years or more. How can companies realistically manage such long-term obligations?

The CRA mandates security updates for a minimum of five years, or for the full lifetime of the product if it is expected to last less than five years. For long-lasting products, which are common in rail, the support period should instead cover a reasonable portion of the expected lifecycle of the product. In determining the support period, manufacturers should consider the purpose of the product, user expectations and other factors, such as the support periods of third-party integrated components and of the operating environment. The CRA requirements certainly will cause a broad shift in how the rail sector handles cybersecurity, and particularly updates. However, the regulation also offers some flexibility to manufacturers to define with their customers how long the support periods shall be for such long-lasting products.

For many companies, cybersecurity compliance is still unfamiliar territory. What practical first steps do you recommend?

The first step for every company is preparing in due time: before the application date of the regulation, in December 2027, companies should familiarise themselves with the CRA and find out in which capacity it applies to their products. Adapting processes can take time, and it is essential that the sector arrives well-prepared and with a common understanding of the regulation to avoid uncertainty and inefficiencies. It is to this end that UNIFE and the sector are developing an explanatory guidance document resulting from a common understanding of the text between operators, manufacturers and infrastructure managers. This will be a key resource for the whole sector, forming the base of a coherent application of the CRA in the sector, and providing a more manageable resource for companies who cannot delve into the legal text itself.

UNIFE plays a key role in the EU regulatory process. How are you engaging with the European Commission on the CRA and what priorities or concerns are you raising on behalf of the rail supply sector?

The CRA has been one of UNIFE’s most prominent topics for the past year and even earlier, and we have developed a two-pronged approach to the European Commission to obtain more clarity on the legislation and to allow for a smoother implementation. On the one side, UNIFE is very active in contributing to guidelines and implementation guidance. We actively participate in the Commission’s CRA Expert Group, and we are also coordinating the Cybersecurity Rail Sector Group’s effort to provide guidance to the sector for an effective and reasoned rail implementation of the CRA. On the other side, UNIFE has recently published a position paper requesting the inclusion of the CRA, Data Act and AI Act in the upcoming Digital Omnibus for Simplification, an initiative by the Commission to make the EU’s digital landscape more navigable. Notably, the paper asks for the exclusion of running projects from CRA obligations. Discussions are ongoing and the result uncertain, but a successful inclusion of the CRA in the Omnibus may lead to some much-needed adaptations of the text to better reflect the constraints of industrial sectors.


Thank you for this interview!
