What are the implications of the Cyber Resilience Act (CRA) for machinery manufacturers - and what steps must you take?

Cyber Resilience Act (CRA) and Machinery - what applies and what do you need to do?
If you manufacture machinery with digital components, the Cyber Resilience Act (CRA) is highly likely to affect your operations.
Download the guide "From requirements to practical implementation - 6 steps to comply with CRA"
Most modern machinery today includes:
PLC systems
HMI panels
Industrial PCs
Communication modules
Cloud connectivity
Remote support solutions
Third-party software
Open-source components
This means that cybersecurity is no longer merely a technical issue. It is becoming a regulatory requirement.
For many machinery manufacturers, this entails new requirements for documentation, vulnerability management, security updates, and monitoring long after the machinery has been placed on the market.
In this article, we outline what the CRA means for machinery manufacturers and the six areas you need to control.
Does my machinery fall within the scope of the CRA?
The first question many ask is:
"Does the CRA really apply to our machinery?"
The answer is frequently yes.
The CRA covers products with digital elements. Machinery containing software or capable of communicating electronically is normally covered by the regulations.
Examples:
✅ Production machinery
✅ Robotic cells
✅ Packaging machinery
✅ Automation equipment
✅ Mobile machinery with connected functions
✅ Machinery with remote support capability
✅ Machinery with industrial networks
For many machinery manufacturers, the CRA will therefore become as relevant as the Machinery Regulation.
How does the CRA align with the Machinery Regulation?
The Machinery Regulation focuses on:
Mechanical risks
Functional safety
Protective measures
Safe operation
In contrast, the CRA focuses on:
Cybersecurity risks
Vulnerabilities
Security updates
Incident reporting
Lifecycle security
In practice, both perspectives must be addressed in tandem.
A cyberattack affecting a machine's safety integration or functional safety can lead to the same hazardous consequences as a mechanical failure.
Consequently, cybersecurity is becoming an integral part of the overall risk assessment.
What do you need to do in practice?
To comply with the CRA, you need to establish a process that functions throughout the full product lifecycle.
The six areas below outline how to structure this work.
1. Gain control of all components
Many machinery manufacturers know exactly which mechanical components are in their machines.
Fewer have equivalent control over:
PLC programs
Operating systems
Libraries
Open-source software
Communication modules
Supplier software
To achieve CRA compliance, you must know exactly what software and hardware components the machinery contains.
Outcome: SBOM (Software Bill of Materials) and component inventory. There are several SBOM tools available, both open-source and commercial.
2. Monitor new vulnerabilities
When a vulnerability is discovered in, for example:
Linux
Windows IoT
Codesys
OpenSSL
Node.js
Third-party libraries
you must be able to determine whether your machinery is affected.
This requires a defined process for continuous monitoring.
Outcome: Early detection of new risks.
3. Perform consequence assessments
Not all vulnerabilities are critical.
You need to be able to assess:
Is the machine affected?
Could safety functions be compromised?
Is there a risk of production downtime?
Can users be harmed?
Is regulatory notification required?
Outcome: Prioritised corrective actions.
4. Remediate and verify
If a vulnerability impacts the product, you must:
Develop patches/remediations
Verify and test the solution
Document the outcome
Ensure that new risks are not introduced
For machinery manufacturers, this often merges cybersecurity workflows with traditional safety verification.
Outcome: Reduced risk and documented compliance.
5. Notify clients and users
When a security vulnerability is identified, affected clients must receive relevant information.
For example:
Which machinery is affected
Which software versions are concerned
What actions are required on their part
When security updates will be available
Outcome: Clients can take proactive measures before a vulnerability is exploited.
6. Manage the machine throughout the support period
This represents the biggest shift for many machinery manufacturers.
The CRA requires continuous post-market surveillance and support after delivery.
Among other duties, you are required to:
Deliver security updates
Manage reported vulnerabilities
Maintain technical documentation
Provide notification of the end of the support period
Consequently, cybersecurity becomes a continuous lifecycle process rather than a one-time project.
Common gaps among machinery manufacturers
When assessing organizational readiness for the CRA, we frequently identify the same gaps:
No SBOM in place
Undefined roles and responsibilities
No process for vulnerability handling
No documented support period
Inadequate control over open-source components
No centralized documentation for cybersecurity processes
Are you ready for the CRA?
If you can answer "yes" to the following questions, you are well-prepared:
Do we know exactly which software components are integrated into our machinery?
Can we identify if a newly disclosed vulnerability affects our products?
Do we have an established process to assess cybersecurity risks?
Are we able to distribute security updates to machines in the field?
Can we effectively notify clients of security advisories?
Do we have the resource capacity to support the product throughout the defined support period?
If the answer to any of these questions is no, there is likely still work to be done to ensure alignment with the CRA in time.
Does the CRA apply to machinery?
Yes, if the machine incorporates digital elements, it is generally covered by the CRA.
How does the CRA differ from the Machinery Regulation?
The Machinery Regulation focuses on safety.
The CRA focuses on cybersecurity.
Both regulatory frameworks must be addressed.
Is it mandatory to compile an SBOM?
In practice, yes.
It is highly challenging to achieve CRA compliance without systematic inventory and control of the components integrated into the product.
When does the CRA come into force?
The reporting obligations will apply from 11 September 2026.
The remaining requirements will apply from 11 December 2027.
Are we prepared for the CRA?
If you can answer "yes" to the following questions, you have made significant progress:
Do we have an accurate inventory of all software components integrated into our machinery?
Can we quickly identify if a newly disclosed vulnerability affects our products?
Do we have an established process for conducting cybersecurity risk assessments?
Can we securely deploy security patches and updates?
Do we have channels to notify customers about security incidents and vulnerabilities?
Do we have the allocated resources to maintain product support throughout its entire expected lifecycle?
Download the comprehensive guide
From compliance to implementation - 6 steps to achieve CRA compliance

What are the implications of the Cyber Resilience Act (CRA) for machinery manufacturers - and what steps must you take?

Annex IV becomes Annex I in the Machinery Regulation - what are the implications of this change?

Noex and SIS enter into a licensing agreement - standards integrated directly into the platform