Quick guide for machine builders: how to recognize a valid cybersecurity certificate


In today’s industrial landscape, cybersecurity is no longer a competitive advantage but a market and regulatory requirement. However, not all documents that appear to be certifications actually are. Understanding the difference helps you choose reliable suppliers and avoid technical, legal, and reputational risks.

General certifications such as ISO 27001 certify the company’s organization and management processes, but they do not attest that a specific product is secure against cyberattacks. This is why a product-specific certification (IEC 62443-4-2) is required.
Therefore, you should not assume that a product is secure simply because the supplier holds ISO 27001 certification. Always verify the component’s specific IEC 62443 certification.

In this blog, we will go through:

  • What is true certification
  • Red flags of "self-declarations"
  • How to quickly verify a supplier
  • Support to machine builders

What is true certification

Taking, for example, the IEC 62443-4-2 certificate obtained by IXON’s SecureEdge gateways, one can identify the characteristics of a genuine industrial cybersecurity certification:

  • It is issued by an accredited independent certification body (e.g. Bureau Veritas, TÜV, or UL)
  • It follows an official international standard, such as one managed by IECEE (the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components)
    [Image: IEC logo on the 62443-4-2 certificate]
  • It can be publicly verified through global databases
    [Image: IEC 62443-4-2 public database. Example of a search using IXON's IEC 62443-4-2 certificate]
  • It clearly indicates:
      • the certified standard (for example, a specific section of the standard) and the Security Level or Maturity Level achieved, depending on the type of certification
        [Image: certified standard on the IEC 62443-4-2 certificate]
      • the product or component covered by the certification
        [Image: certified product on the IEC 62443-4-2 certificate]

Think of a driver’s license.
A “Declaration” is simply a friend saying you’re a good driver.
A “Certification” is the official document issued by the competent authority after you’ve passed the test.

Read more about our IEC 62443-4-2 certification.

Red flags of "self-declarations"

A declaration of conformity or an unaccredited declaration:

  • May be issued by consulting firms or unauthorized third parties
  • Does not involve recognized independent audits
  • Often lists numerous standards (e.g., NIST, BSI, OWASP) without actually certifying any of them
  • Cannot be verified in official registries.

In short: it is a declaration, not proof.

How to quickly verify a supplier

When a supplier claims to be certified, always request the following elements, which can be found for example in our IEC 62443-4-1 certificate on secure software development:

  • The official certificate number
    [Image: certificate number on the IEC 62443-4-1 certificate]
  • The certifying body
  • The standard and the Security Level or Maturity Level achieved (depending on the certification)
  • Verification through global databases: certificates.iecee.org

[Image: IEC 62443-4-1 public database. Example of a search using IXON's IEC 62443-4-1 certificate.] Read more.

If they are unable to provide this information, or a direct link to the certificate in the registry, it is likely not a genuine certification.

Support to machine builders

A genuine certification demonstrates compliance verified by independent third parties. IXON’s SecureEdge gateways are among the first IEC 62443-4-2 certified edge gateways in the world. Using certified industrial components simplifies the IEC 62443-3-3 certification process for the machine, which is increasingly required by end customers in the industrial sector.

In fact, new European regulations increasingly refer to IEC requirements. By using components that are already IEC-certified, it is possible to more quickly demonstrate compliance with the obligations set forth by NIS2, the Cyber Resilience Act (CRA), and the new Machinery Regulation (EU) 2023/1230.
