The EU Machinery Regulation and the CRA: A Plain-Language Guide for Machine Manufacturers
If you manufacture machines that contain software, connect to a network, or allow remote access, two EU regulations will govern how you handle cybersecurity. Both are approved and published. Both have defined application dates. Together, they represent the most significant change to the compliance landscape for machine manufacturers in a generation.
This guide explains both regulations in plain language, what each one requires, and what you need to do before the deadlines arrive.
Your Machine Has Software. That Changes Everything.
If your machine has a PLC, a safety controller, firmware, an HMI, a remote maintenance connection, a gateway, or a mobile app that controls or monitors it, your machine is a digital product.
It falls within the scope of two EU cybersecurity regulations simultaneously.
The Cyber Resilience Act is published and has defined application dates starting in 2026. The new Machinery Regulation becomes mandatory on 20 January 2027. The time to understand what each one requires is now.
Same Machine, Two Different Questions
The easiest way to understand why two regulations apply to the same machine is to understand the question each one is asking.
The Machinery Regulation (EU) 2023/1230 asks: can someone interfere with your machine digitally and cause a physical accident?
Can a cyberattack corrupt the safety software, override the control system, or put a person at risk? This regulation is fundamentally about physical safety. Cybersecurity enters the picture only when a digital threat could translate into a physical hazard.
The Cyber Resilience Act (EU) 2024/2847 asks a broader question: is your product digitally secure throughout its entire life? Does it have known vulnerabilities? Can you fix them? Do you know what software components it contains? Will you support it for years after it leaves the factory?
The CRA applies even when a cybersecurity failure would not cause a physical accident. Data exposure, loss of availability, or an exploited vulnerability in the control interface all fall within its scope.
A machine can satisfy the Machinery Regulation’s cybersecurity requirements and still fail the CRA’s, because the two regulations cover different ground. The rule for connected machinery is: both apply, and both must be satisfied.
What the Machinery Regulation Says About Cybersecurity
The Machinery Regulation’s cybersecurity requirements are found in two specific sections of Annex III, the part of the regulation that sets out the essential health and safety requirements every machine must meet.
The first is section 1.1.9, which covers protection against corruption. In plain terms, this means that connecting another device to your machine, or allowing remote communication with it, must not create a dangerous situation. The software and data that your machine relies on to operate safely must be identified and protected against both accidental and intentional tampering. If someone installs a modified version of your safety firmware, the machine must be able to detect it. If someone tries to interfere with a safety-critical signal, the system must resist it. Any legitimate or illegitimate intervention relevant to safety must be logged and traceable.
The second is section 1.2.1, which covers the safety and reliability of control systems. Control systems must withstand foreseeable external interference, including reasonably foreseeable malicious attempts by third parties. The regulation also requires that the versions of safety software loaded onto the machine after it leaves the factory remain traceable for five years. This is a real obligation, not a recommendation. It means version control, change logging, and evidence retention are now part of the compliance process for any machine with safety-relevant software.
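The two Annex III requirements above translate into two concrete controller-side mechanisms: an integrity check that refuses a modified or re-labelled safety image, and an append-only, tamper-evident log of every load attempt so that the version history stays traceable. The following is an added illustration, not code from the regulation or from any vendor; it uses a constructed HMAC key as a stand-in for the provisioned signing key a real controller would hold, and all version strings and image bytes are made up.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. A deployed safety controller would keep a
# provisioned key (or a public key for asymmetric signatures) in protected storage.
INTEGRITY_KEY = b"example-controller-integrity-key"


def expected_tag(image: bytes, version: str) -> str:
    """Tag that binds the image bytes to the version they claim to be (HMAC-SHA256)."""
    msg = version.encode() + b"\0" + image
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


def verify_image(image: bytes, version: str, tag: str) -> bool:
    """Annex III 1.1.9: a modified or re-labelled safety image must be detected before load."""
    return hmac.compare_digest(expected_tag(image, version), tag)


def append_log(log: list, event: dict) -> dict:
    """Append an event to a hash-chained log; each entry commits to the previous one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"prev": prev, **event}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Annex III 1.2.1: the version history is only evidence if it cannot be edited unnoticed."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def load_firmware(log: list, image: bytes, version: str, tag: str, actor: str, ts: int) -> bool:
    """Gate a load on the integrity check and record the outcome whether accepted or rejected."""
    ok = verify_image(image, version, tag)
    append_log(log, {"ts": ts, "actor": actor, "version": version,
                     "image_sha256": hashlib.sha256(image).hexdigest(),
                     "result": "accepted" if ok else "rejected"})
    return ok
```

Rejected attempts are logged as well as accepted ones, which is what makes "any legitimate or illegitimate intervention" traceable rather than only the successful loads.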
For a detailed overview of what the new Machinery Regulation changes and when it applies, the New Machinery Safety Regulation page covers the full scope of the regulation including its cybersecurity provisions.
What the Cyber Resilience Act Adds on Top
The CRA starts from a different premise. It treats your machine as a digital product and requires that it meet a general standard of cybersecurity, not just the safety-specific subset that the Machinery Regulation addresses.
The core obligation is this: your product must be placed on the market without known exploitable vulnerabilities, with a secure default configuration, and with the ability to receive security updates.
Beyond the product itself, the CRA requires manufacturers to maintain a complete inventory of all software components in the product, including dependencies. This inventory, known as a Software Bill of Materials or SBOM, must be prepared and kept updated. It is the digital equivalent of a bill of materials for physical components, and it enables both the manufacturer and authorities to understand the product’s exposure to known vulnerabilities.
The CRA also requires a formal process for managing vulnerabilities discovered after the product is on the market. When a vulnerability is found, it must be remediated without undue delay. Security updates must be provided free of charge, distributed securely, and remain available for at least ten years or the duration of the support period, whichever is longer. At the point of purchase, customers must be informed of when support will end.
Finally, the CRA requires manufacturers to have a public channel through which anyone can report a vulnerability in their product, and a coordinated vulnerability disclosure policy explaining how those reports will be handled.
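The SBOM obligation and the rule that a product be placed on the market without known exploitable vulnerabilities come together in a release gate: cross-reference every inventoried component against current advisories and block release while any match is known to be exploited. The example below is an added illustration, not part of this guide or of any tool; the SBOM fragment is a constructed CycloneDX-like document, the advisory ids are placeholders, and the affected ranges are made up.

```python
import json

# Constructed SBOM fragment in a CycloneDX-like shape; not a real product inventory.
SBOM_JSON = """
{"components": [
  {"name": "openssl",      "version": "3.0.7", "type": "library"},
  {"name": "modbus-stack", "version": "2.4.1", "type": "library"},
  {"name": "hmi-runtime",  "version": "5.2.0", "type": "application"}
]}
"""

# Constructed advisories with placeholder ids. "affected" is a half-open range [min, max).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "openssl",      "affected": ("3.0.0", "3.0.8"), "exploited": True},
    {"id": "ADV-EXAMPLE-2", "component": "modbus-stack", "affected": ("2.0.0", "2.4.0"), "exploited": False},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; anything else is treated as unparseable and flagged."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, affected: tuple) -> bool:
    lo, hi = affected
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version falls in the affected range."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            try:
                hit = is_affected(comp["version"], adv["affected"])
            except ValueError:
                hit = True  # unparseable version: cannot prove it is safe, so flag for review
            if hit:
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "exploited": adv["exploited"]})
    return findings


def release_allowed(findings: list) -> bool:
    """Block release while any matched advisory is known to be exploited."""
    return not any(f["exploited"] for f in findings)
```

Non-exploited matches still land in the findings list; under the CRA those feed the remediation and update process rather than the release gate.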
What the Machinery Regulation Leaves Out
The Machinery Regulation focuses on preventing physical harm and does not establish a general framework for post-market vulnerability management, security updates, or incident reporting equivalent to what the CRA requires.
The most significant gap is in incident and vulnerability reporting. From 11 September 2026, the CRA’s Article 14 requires manufacturers to notify their national CSIRT and ENISA when they become aware of an actively exploited vulnerability or a serious incident affecting the security of their product. The timelines are strict: an early warning within 24 hours, a full notification within 72 hours, and a final report within 14 days of identifying a corrective measure.
This obligation applies from September 2026, before the CRA’s general application date of December 2027, and it applies to products already on the market at that point. Manufacturers of connected machinery who do not yet have an incident detection and reporting process need to build one before that date.
It is worth noting that the CRA’s cybersecurity framework is relevant beyond machinery. Any product with radio functionality that connects to the internet also falls under the RED cybersecurity requirements and the EN 18031 standard family. The relationship between these overlapping frameworks is explained in the article on internet-connected radio equipment and EN 18031.
The Dates You Need to Know
Three dates define the compliance calendar for manufacturers of connected machinery.
11 September 2026. The CRA’s vulnerability and incident reporting obligations under Article 14 become mandatory. From this date, manufacturers must be able to detect, assess, and report actively exploited vulnerabilities and serious incidents within the prescribed timeframes. This applies to products already on the market.
20 January 2027. The new Machinery Regulation becomes mandatory. All machinery placed on the EU market from this date must comply with the new regulation, including its cybersecurity requirements in Annex III sections 1.1.9 and 1.2.1.
11 December 2027. The CRA’s full obligations apply to all in-scope products. This is the general application date for the regulation’s product requirements, conformity assessment procedures, and documentation obligations.
The window between now and early 2027 is the time to integrate cybersecurity into product design, build the vulnerability management process, prepare the technical documentation, and establish the incident reporting capacity.
Side by Side: A Simple Comparison
| Obligation | Machinery Regulation | Cyber Resilience Act | What you need to do |
|---|---|---|---|
| Secure design | Yes, when digital risks could cause physical harm | Yes, for all digital products | Design must address both physical safety and general cybersecurity |
| Risk assessment | Yes, general product risk assessment | Yes, specific cybersecurity risk assessment | One integrated assessment covering both |
| Protection against tampering | Yes, Annex III 1.1.9 and 1.2.1 | Yes, access control, integrity, attack surface reduction | Safety software and control systems must be protected and logged |
| Vulnerability management after sale | Not specified as a full framework | Yes, SBOM, remediation, disclosure, updates, support period | Build a post-market vulnerability process |
| Security updates | Not specified | Yes, free, secure, available for years | Plan update architecture and support model |
| Incident and vulnerability reporting | Not specified | Yes, 24h/72h/final report to CSIRT and ENISA | Build reporting capacity before September 2026 |
| Technical documentation | Yes, including software logic if required | Yes, including SBOM, architecture, vulnerability process | Two documentation sets that must be aligned |
| Importers and distributors | Verify conformity; substantial modification risk | Verify conformity, act on vulnerabilities, inform users if manufacturer ceases | Supply chain obligations are denser under CRA |
Three Machines, Three Real Scenarios
| Machine type | Machinery Regulation applies? | CRA applies? | Key obligations |
|---|---|---|---|
| Industrial machine with PLC, safety controller, HMI, and remote maintenance access | Yes. Safety-relevant software and remote connectivity are in scope. | Yes. The product has digital elements placed on the market. | Machinery Reg: prove remote access cannot cause a dangerous situation; protect and log safety software versions for 5 years. CRA: manage vulnerabilities, provide security updates, prepare SBOM, report exploited vulnerabilities and incidents from September 2026. |
| Smart machine with mobile app and cloud-based supervision | Yes. The Machinery Regulation covers the parts of the digital chain that could compromise physical safety. | Yes. The CRA covers the remote data processing that is necessary for the product to function, including the cloud service and the app. If the cloud is optional and not required for core functionality, its inclusion under the CRA depends on the specific product architecture. | Machinery Reg: assess whether app or cloud access can affect safety functions. CRA: include remote components in SBOM, vulnerability management, and support commitments where they are necessary for product function. |
| Industrial digital component placed on the market independently — for example a router, safety PLC, authentication module, or OT gateway integrated into a third-party machine | Yes, if the component qualifies as a safety component under the Machinery Regulation. The component manufacturer has its own obligations independent of the machine manufacturer who integrates it. | Yes. The component is a product with digital elements placed on the market in its own right and must meet CRA requirements independently. | Both the component manufacturer and the machine manufacturer carry separate compliance obligations. The component manufacturer must prepare its own technical documentation, manage vulnerabilities, and support the component for its expected lifetime. The machine manufacturer must exercise due diligence when integrating third-party components, including open-source software. |
What If You Are Not the Original Manufacturer?
The compliance obligations under both regulations extend beyond the original equipment manufacturer. Importers must verify that products carry the CE mark, that the technical documentation has been prepared, and that the required information has been provided to users. Under the CRA, importers who become aware of a vulnerability must inform the manufacturer without delay and, if a significant cybersecurity risk is identified, notify the relevant authorities.
Distributors have parallel verification obligations and must not make non-compliant products available. If the original manufacturer ceases operations and can no longer fulfil the CRA’s post-market obligations, both importers and distributors have an obligation to inform authorities and users.
The practical implication for anyone in the supply chain of connected machinery is that due diligence on compliance documentation is not optional. A certificate of conformity is not sufficient. The underlying documentation, the vulnerability management process, and the support commitment all need to be verified.
How GetReady Compliance Can Help
Managing compliance under the Machinery Regulation and the Cyber Resilience Act simultaneously requires integrating safety engineering, cybersecurity, documentation, and post-market processes in a way that avoids duplication and covers both regulatory frameworks completely.
GetReady Compliance supports manufacturers of connected machinery through the full compliance process: regulatory scoping, risk assessment integration, technical documentation under both regulations, conformity assessment strategy, and preparation for the CRA’s incident reporting obligations ahead of the September 2026 deadline.
If you are assessing your compliance obligations for connected machinery or planning your documentation strategy for 2027, request a quote for a product-specific discussion.