Cyber Resilience Act (CRA) and Machinery - what applies and what do you need to do?


If you manufacture machinery with digital components, the Cyber Resilience Act (CRA) is highly likely to affect your operations.

Download the guide "From requirements to practical implementation - 6 steps to comply with CRA"

Most modern machinery today includes:

  • PLC systems

  • HMI panels

  • Industrial PCs

  • Communication modules

  • Cloud connectivity

  • Remote support solutions

  • Third-party software

  • Open-source components

This means that cybersecurity is no longer merely a technical issue. It is becoming a regulatory requirement.

For many machinery manufacturers, this entails new requirements for documentation, vulnerability management, security updates, and monitoring long after the machinery has been placed on the market.

In this article, we outline what the CRA means for machinery manufacturers and the six areas you need to control.

Does my machinery fall within the scope of the CRA?

The first question many ask is:

"Does the CRA really apply to our machinery?"

The answer is frequently yes.

The CRA covers products with digital elements. Machinery containing software or capable of communicating electronically is normally covered by the regulations.

Examples:

✅ Production machinery

✅ Robotic cells

✅ Packaging machinery

✅ Automation equipment

✅ Mobile machinery with connected functions

✅ Machinery with remote support capability

✅ Machinery with industrial networks

For many machinery manufacturers, the CRA will therefore become as relevant as the Machinery Regulation.

How does the CRA align with the Machinery Regulation?

The Machinery Regulation focuses on:

  • Mechanical risks

  • Functional safety

  • Protective measures

  • Safe operation

In contrast, the CRA focuses on:

  • Cybersecurity risks

  • Vulnerabilities

  • Security updates

  • Incident reporting

  • Lifecycle security

In practice, both perspectives must be addressed in tandem.

A cyberattack affecting a machine's safety integration or functional safety can lead to the same hazardous consequences as a mechanical failure.

Consequently, cybersecurity is becoming an integral part of the overall risk assessment.

What do you need to do in practice?

To comply with the CRA, you need to establish a process that functions throughout the full product lifecycle.

The six areas below outline how to structure this work.

1. Gain control of all components

Many machinery manufacturers know exactly which mechanical components are in their machines.

Fewer have equivalent control over:

  • PLC programs

  • Operating systems

  • Libraries

  • Open-source software

  • Communication modules

  • Supplier software

To achieve CRA compliance, you must know exactly what software and hardware components the machinery contains.

Outcome: SBOM (Software Bill of Materials) and component inventory. There are several SBOM tools available, both open-source and commercial.

2. Monitor new vulnerabilities

When a vulnerability is discovered in, for example:

  • Linux

  • Windows IoT

  • Codesys

  • OpenSSL

  • Node.js

  • Third-party libraries

you must be able to determine whether your machinery is affected.

This requires a defined process for continuous monitoring.

Outcome: Early detection of new risks.

3. Perform consequence assessments

Not all vulnerabilities are critical.

You need to be able to assess:

  • Is the machine affected?

  • Could safety functions be compromised?

  • Is there a risk of production downtime?

  • Can users be harmed?

  • Is regulatory notification required?

Outcome: Prioritised corrective actions.

4. Remediate and verify

If a vulnerability impacts the product, you must:

  • Develop patches/remediations

  • Verify and test the solution

  • Document the outcome

  • Ensure that new risks are not introduced

For machinery manufacturers, this often merges cybersecurity workflows with traditional safety verification.

Outcome: Reduced risk and documented compliance.

5. Notify clients and users

When a security vulnerability is identified, affected clients must receive relevant information.

For example:

  • Which machinery is affected

  • Which software versions are concerned

  • What actions are required on their part

  • When security updates will be available

Outcome: Clients can take proactive measures before a vulnerability is exploited.

6. Manage the machine throughout the support period

This represents the biggest shift for many machinery manufacturers.

The CRA requires continuous post-market surveillance and support after delivery.

Among other duties, you are required to:

  • Deliver security updates

  • Manage reported vulnerabilities

  • Maintain technical documentation

  • Provide notification of the end of the support period

Consequently, cybersecurity becomes a continuous lifecycle process rather than a one-time project.

Common gaps among machinery manufacturers

When assessing organizational readiness for the CRA, we frequently identify the same gaps:

  • No SBOM in place

  • Undefined roles and responsibilities

  • No process for vulnerability handling

  • No documented support period

  • Inadequate control over open-source components

  • No centralized documentation for cybersecurity processes

Are you ready for the CRA?

If you can answer "yes" to the following questions, you are well-prepared:

  • Do we know exactly which software components are integrated into our machinery?

  • Can we identify if a newly disclosed vulnerability affects our products?

  • Do we have an established process to assess cybersecurity risks?

  • Are we able to distribute security updates to machines in the field?

  • Can we effectively notify clients of security advisories?

  • Do we have the resource capacity to support the product throughout the defined support period?

If the answer to any of these questions is no, there is likely still work to be done to ensure alignment with the CRA in time.

Does the CRA apply to machinery?

Yes, if the machine incorporates digital elements, it is generally covered by the CRA.

How does the CRA differ from the Machinery Regulation?

The Machinery Regulation focuses on safety.

The CRA focuses on cybersecurity.

Both regulatory frameworks must be addressed.

Is it mandatory to compile an SBOM?

In practice, yes.

It is highly challenging to achieve CRA compliance without systematic inventory and control of the components integrated into the product.

When does the CRA come into force?

The reporting obligations will apply from 11 September 2026.

The remaining requirements will apply from 11 December 2027.

Are we prepared for the CRA?

If you can answer "yes" to the following questions, you have made significant progress:

  • Do we have an accurate inventory of all software components integrated into our machinery?

  • Can we quickly identify if a newly disclosed vulnerability affects our products?

  • Do we have an established process for conducting cybersecurity risk assessments?

  • Can we securely deploy security patches and updates?

  • Do we have channels to notify customers about security incidents and vulnerabilities?

  • Do we have the allocated resources to maintain product support throughout its entire expected lifecycle?


Download the comprehensive guide

From compliance to implementation - 6 steps to achieve CRA compliance