Cybersecurity

Method A vs Method B: Choosing Your EN 50742 Dual Compliance Path

pr EN 50742 offers two compliance paths: Method A (self-contained requirements) and Method B (referencing IEC 62443). This article compares both approaches to help you make the right choice.

10 min read
Method A vs Method B: Choosing Your EN 50742 Dual Compliance Path

Method A vs Method B: Choosing Your EN 50742 Dual Compliance Path

When you begin exploring the pr EN 50742 standard, you’ll immediately face a critical question: which compliance path should you choose? The standard provides two equivalent but distinct paths—Method A and Method B. This choice impacts not only the certification process but also your timeline, costs, and long-term maintenance strategy.

What is Dual-Path Compliance?

pr EN 50742 considers different manufacturer backgrounds and requirements by designing two equivalent compliance paths:

┌────────────────────────────────────────────────────────────────────┐
│                      pr EN 50742 Dual-Path Architecture            │
├────────────────────────────────────────────────────────────────────┤
│                                                                    │
│                    Common Foundation Requirements (Mandatory)      │
│         ┌────────────────────────────────────────┐                │
│         │  • EN ISO 12100 Risk Assessment         │                │
│         │  • Clause 4 - Corruption Protection      │                │
│         │  • Clause 9 - Use Information           │                │
│         └────────────────────────────────────────┘                │
│                              │                                     │
│              ┌───────────────┴───────────────┐                     │
│              │                               │                     │
│              ▼                               ▼                     │
│  ┌───────────────────┐           ┌───────────────────┐            │
│  │    Method A       │           │    Method B       │            │
│  │  (Clauses 5, 7)   │           │ (Clauses 6, 8)   │            │
│  ├───────────────────┤           ├───────────────────┤            │
│  │ • Self-contained  │           │ • Reference       │            │
│  │   requirements    │           │   IEC 62443 series│            │
│  │ • SRSL level      │           │ • SL security     │            │
│  │   system          │           │   levels          │            │
│  │ • Independent     │           │ • Complete        │            │
│  │   and complete    │           │   integration     │            │
│  └───────────────────┘           └───────────────────┘            │
│                                                                    │
└────────────────────────────────────────────────────────────────────┘

Both paths are completely equivalent in compliance effectiveness, satisfying the essential requirements of EU machinery regulations. The choice depends on your organizational context, product characteristics, and strategic objectives.

Method A vs Method B: Core Differences Comparison

Overall Comparison Table

Comparison DimensionMethod A (Self-contained)Method B (Referencing IEC 62443)
Standard ReferencesOnly pr EN 50742 requiredAdditionally requires EN IEC 62443-3-3, 4-1, 4-2
Level ConceptSRSL (0-3)SL (SL-C0 to SL-C4)
Target AudienceManufacturers without cybersecurity experienceManufacturers with existing industrial cybersecurity frameworks
ComplexityLower, self-contained requirementsHigher, requires understanding 62443 framework
Certification CostLowerHigher
Certification TimelineShorter (2-3 months)Longer (3-4 months)
Documentation Effort~20-38 person-days~30-50 person-days
ScalabilityIndependent systemCan reuse 62443 investment
Market RecognitionEU machinery sectorGlobal industrial automation sector

Detailed Comparison Analysis

1. Conceptual Framework Differences

Method A: SRSL (Safety-Related Security Level)
┌─────────────────────────────────────────────────────────────┐
│  SRSL0    │  Complete isolation, no special requirements     │
│  SRSL1    │  Low attack potential - password auth, boot      │
│           │    checksum, boundary checking                   │
│  SRSL2    │  Medium attack potential - regular verification, │
│           │    strict input validation, signature verification│
│  SRSL3    │  High attack potential - multi-factor auth,      │
│           │    encryption, secure boot                       │
└─────────────────────────────────────────────────────────────┘

Method B: SL (Security Level - based on IEC 62443)
┌─────────────────────────────────────────────────────────────┐
│  SL-C0   │  No special security requirements                 │
│  SL-C1   │  Protection against accidental errors or chance   │
│           │    attacks                                       │
│  SL-C2   │  Protection against simple intentional attacks    │
│  SL-C3   │  Protection against organized professional attacks│
│  SL-C4   │  Protection against government-level targeted     │
│           │    attacks                                       │
└─────────────────────────────────────────────────────────────┘

2. Process Requirements Comparison

PhaseMethod A RequirementsMethod B Requirements
Risk AssessmentBased on EN ISO 12100Based on EN ISO 12100
Threat AssessmentStandard Annex B guidanceIEC 62443 methodology
Level DeterminationAP = (EL × WoO) + AC → SRSLSL based on 7 Foundational Requirements (FR)
Security MeasuresClause 7.4 detailed listReferences 62443-3-3/4-2 specific requirements
LifecycleCovers full lifecycleFollows 62443-4-1 SDL

3. Product Requirements Comparison

Security DomainMethod A (SRSL)Method B (IEC 62443)
AuthenticationSRSL1: Entity authentication
SRSL3: Unique authentication
FR1 (IAC): SL-C2 requirements
AuthorizationSRSL1+: Authorization required for interventionFR2 (UC): SL-C2 requirements
IntegritySRSL1: Verification at boot
SRSL2: Regular verification
SRSL3: Encrypted verification
FR3 (SI): SL-C2 requirements
Data FlowRequirements implied in integrityFR5 (RDF): SL-C1 requirements
AvailabilityRequirements implied in safety functionsFR7 (RA): SL-C2 requirements

4. Documentation Requirements Comparison

Document TypeMethod AMethod B
Threat AssessmentTÜV provides dedicated templates62443 standard format
Level AssessmentSRSL assessment templateSL target level table
Security RequirementsSRSL requirements checklistFR/SR mapping table
Evidence CollectionClause 7.3 detailed specifications62443-4-2 common requirements
LoggingClause 7.3 detailed specificationsCR2.8 auditable events

Use Case Analysis

Method A: When It’s Right for You

┌────────────────────────────────────────────────────────────────┐
│                   Method A Use Case Assessment                 │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  ✅ First-time cybersecurity certification                     │
│  ───────────────────────────────────────────────────────────  │
│  If your team hasn't done cybersecurity certification before,  │
│  Method A provides complete guidance without needing to learn  │
│  the 62443 framework.                                          │
│                                                                │
│  ✅ No dedicated cybersecurity team                            │
│  ───────────────────────────────────────────────────────────  │
│  Method A templates and support can be completed by mechanical │
│  engineers with minimal cybersecurity support.                 │
│                                                                │
│  ✅ Product is relatively independent, not requiring           │
│     integration with larger systems                            │
│  ───────────────────────────────────────────────────────────  │
│  If your machinery is a standalone product not requiring       │
│  integration into large ICS systems.                           │
│                                                                │
│  ✅ Want to reduce certification complexity and costs          │
│  ───────────────────────────────────────────────────────────  │
│  Method A has shorter certification cycles and lower costs.    │
│                                                                │
│  ✅ Target market is primarily EU                              │
│  ───────────────────────────────────────────────────────────  │
│  EN 50742 directly addresses EU machinery regulation requirements.│
│                                                                │
└────────────────────────────────────────────────────────────────┘

Typical Product Types:

  • Small to medium industrial machinery (packaging machines, machine tools, food processing equipment)
  • Standalone automated equipment
  • Mechanical equipment used internally in factories
  • Standard products with 5-10 year lifecycle

Method B: When It’s Right for You

┌────────────────────────────────────────────────────────────────┐
│                   Method B Use Case Assessment                 │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  ✅ Existing EN IEC 62443 certification experience             │
│  ───────────────────────────────────────────────────────────  │
│  If your organization is already familiar with the 62443       │
│  framework, Method B can leverage existing experience.         │
│                                                                │
│  ✅ Have a dedicated cybersecurity team                       │
│  ───────────────────────────────────────────────────────────  │
│  Requires understanding requirements from multiple standards:  │
│  62443-3-3, 4-1, 4-2.                                          │
│                                                                │
│  ✅ Need to integrate with 62443-compliant industrial control  │
│     systems                                                    │
│  ───────────────────────────────────────────────────────────  │
│  If your product is part of a larger ICS, Method B ensures     │
│  compatibility.                                                │
│                                                                │
│  ✅ Already have a 62443-based security framework              │
│  ───────────────────────────────────────────────────────────  │
│  Method B can reuse existing security processes and documents. │
│                                                                │
│  ✅ Target markets recognize 62443 certification               │
│  ───────────────────────────────────────────────────────────  │
│  North America, Asia, and other markets more widely recognize  │
│  IEC 62443 certification.                                      │
│                                                                │
└────────────────────────────────────────────────────────────────┘

Typical Product Types:

  • Large industrial control system components (PLCs, DCSs, SCADA components)
  • Critical equipment requiring integration into automated production lines
  • Intelligent machinery connecting to enterprise networks or cloud services
  • Complex automation products sold globally

Decision Tree

                                Do you have
                              62443 experience?

                    ┌─────────────┴─────────────┐
                    │No                          │Yes
                    ▼                            ▼
           Does product need to           │      Target market?
         integrate into large            │     Primarily EU
              ICS systems?               │              │
                    │              │              ▼
            ┌───────┴───────┐      │          ┌─────┐
            │Yes             │No     │          │Method B│
            ▼               ▼       │          └─────┘
        ┌─────┐         ┌─────┐    │
        │Method B│      │Method A│   │
        └─────┘         └─────┘    │

                        Have dedicated
                     cybersecurity team?

                    ┌─────────┴─────────┐
                    │Yes                  │No
                    ▼                    ▼
                ┌─────┐              ┌─────┐
                │Method B│           │Method A│
                └─────┘              └─────┘

Not sure? Start with Method A → Can upgrade to Method B later

Cost and Time Comparison

Certification Timeline Comparison

ItemMethod AMethod B
Preparation Phase2-4 weeks3-5 weeks
Documentation Preparation2-3 weeks3-4 weeks
Document Review1-3 weeks2-4 weeks
On-site Audit1-2 weeks2-3 weeks
Certification Decision1-2 weeks2-3 weeks
Total2-3 months3-4 months

Effort Comparison (Client Side)

Complexity LevelMethod AMethod B
Simple Product10-15 person-days15-25 person-days
Medium Complexity20-38 person-days30-50 person-days
Complex Product40-60 person-days50-80 person-days

Certification Fee Comparison (TÜV Side)

Complexity LevelMethod AMethod B
Simple Product6-8 person-days8-10 person-days
Medium Complexity8-10 person-days10-14 person-days
Complex Product10-14 person-days14-20 person-days

Note: Actual fees depend on product complexity; above are estimates

Switching Possibilities

Switching from Method A to Method B

┌─────────────────────────────────────────────────────────────┐
│              Method A → Method B Transition Path             │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  Current State: Certified via Method A                      │
│                                                             │
│  Transition Steps:                                          │
│  1. Establish IEC 62443 knowledge foundation                │
│  2. Perform SRSL to SL level mapping                        │
│  3. Supplement 62443-specific requirement documents          │
│  4. Implement additional security measures (if required)    │
│  5. Apply for Method B certification                        │
│                                                             │
│  Advantages:                                                │
│  ✅ Complete threat assessment and security measure          │
│     foundation already established                          │
│  ✅ Most documentation can be reused                        │
│  ✅ Security measure implementation experience is            │
│     transferable                                            │
│                                                             │
└─────────────────────────────────────────────────────────────┘

Level Correspondence

Method A SRSLMethod B SLCorrespondence
SRSL0SL-C0Equivalent
SRSL1SL-C1Equivalent
SRSL2SL-C2Equivalent
SRSL3SL-C2Functionally equivalent

Case Examples

Case A: Packaging Machinery Manufacturer Chooses Method A

Background:

  • Sino-German joint venture producing food packaging machinery
  • Products primarily sold to European markets
  • No dedicated cybersecurity team
  • First-time cybersecurity certification

Choice: Method A

Results:

  • Certification timeline: 1.5 months
  • Effort invested: 25 person-days
  • Successfully obtained SRSL1 certification
  • Good customer recognition

Key Measures:

  • Password authentication
  • Boot-time checksum verification
  • Input boundary checking
  • Tamper-evident seals

Case B: PLC Manufacturer Chooses Method B

Background:

  • Internationally renowned industrial automation company
  • Products as large ICS components
  • Already holds IEC 62443-4-1 certification
  • Global sales

Choice: Method B

Results:

  • Reused existing 62443 framework
  • Certification timeline: 3 months
  • Integrated with existing product line certifications
  • Unified certification for global markets

Key Takeaways

  1. Both paths are equivalent—Method A and Method B are completely identical in compliance effectiveness
  2. Method A suits beginners—self-contained requirements, comprehensive templates, shorter certification cycle
  3. Method B suits experts—requires 62443 knowledge but can leverage existing investments
  4. Paths can be switched—start with Method A, upgrade to Method B in the future
  5. Strategic considerations—long-term product line planning should influence path selection

Next Steps

After selecting your compliance path, the next steps are:

  1. Determine security level: Conduct threat assessment, determine SRSL/SL target level
  2. Assemble project team: Appoint project manager and core engineers
  3. Prepare foundation documents: Collect technical specifications, system architecture, etc.
  4. Contact certification body: Conduct pre-assessment communication, confirm certification scope
  5. Begin assessment work: Fill out threat assessment and level assessment templates

Choosing the appropriate compliance path is the first and most important strategic decision in EN 50742 certification. Make a wise choice based on your organizational situation, product characteristics, and market requirements.

Tags

#EN 50742 #Method A #Method B #IEC 62443 #Compliance Path