The CRA and the machinery regulation impose new requirements on machine manufacturers. This article explains how to implement those requirements in a structured and efficient way.
Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is a European regulation that defines basic cybersecurity requirements for products with digital elements. Its goal is to ensure that hardware and software placed on the EU market can be operated securely throughout their entire lifecycle.
Key elements of the CRA include:
- Uniform security requirements for all products with digital elements.
- Mandatory security updates and vulnerability management.
- A risk-based approach to product security - from design to decommissioning.
- Higher conformity requirements for certain product categories.
The CRA takes a horizontal approach: it applies to all products with digital elements regardless of their intended use and requires manufacturers to consider security measures already during the development process.
Harmonized standards are currently being developed to help meet the requirements. Until they are published, established standards such as IEC 62443-4-1 (secure development process) and EN 18031 (technical requirements for radio equipment) can serve as practical reference frameworks.
Machinery regulation
The machinery regulation replaces the previous Machinery Directive and extends the essential safety requirements to include aspects of cybersecurity. Manufacturers now also need to specifically address risks arising from digital manipulation.
Important updates in the machinery regulation include:
- Cybersecurity as part of the essential safety requirements.
- Protection against intentional and unintentional manipulation of control systems (Annex III, Section 1.1.9).
- Requirements for the reliability of control systems (Annex III, Section 1.2.1).
- Documentation obligations to ensure traceability of security measures.
A technical standard, EN 50742 ("Safety of Machinery - Electrotechnical aspect - Protection against corruption"), is currently being developed. It specifies the requirements from Annex III and addresses measures against unwanted interference - both technical and organizational - across the entire lifecycle.
Similarities and differences between CRA and the machinery regulation
Both the CRA and the machinery regulation aim to establish a high level of security for connected devices and machines. Both require security measures throughout the product lifecycle and emphasize documentation and demonstrable conformity.
The CRA regulates the security of all products with digital elements regardless of their purpose. The machinery regulation, by contrast, focuses specifically on safety requirements for machines and their control systems. While the CRA therefore has a broad scope, the machinery regulation goes into more detail and addresses industry-specific risks.
For machines that contain digital elements and fall under both regulations, manufacturers can leverage synergies. The CRA's requirements for vulnerability management and security updates support compliance with the machinery regulation, particularly in areas such as tamper protection and reliable control systems.
Standards for implementation - IEC 62443, EN 18031 and EN 50742
To implement the requirements of the Cyber Resilience Act (CRA) and the machinery regulation in practice, several standards and technical specifications are currently in focus - even though no CRA-harmonized standards have been published yet.
The IEC 62443 series is an internationally established set of standards for industrial automation and control systems. In particular, IEC 62443-4-1 (requirements for secure development processes) and IEC 62443-4-2 (technical requirements for components) are regarded by experts and standards bodies as central references for many CRA requirements. They also form a basis for developing future harmonized standards under the CRA.
EN 18031 was developed in the context of the delegated regulation for the Radio Equipment Directive (RED) and contains concrete cybersecurity requirements for connected products. Although not explicitly aimed at the CRA, its structure and level of detail already make it a practical reference, especially for devices with radio or network interfaces.
For the machinery regulation, EN 50742 is being developed. It specifically addresses the requirements from Annex III of the regulation, particularly regarding tamper protection and the integrity of control systems. Once finalized, it will likely be listed as a harmonized standard for the machinery regulation.
Practical implications for manufacturers
Manufacturers of machines with digital components must consider both the Cyber Resilience Act and the machinery regulation. Cybersecurity will become an integral part of product development, risk management and technical documentation.
In practice, this means that security requirements such as vulnerability management, security updates and tamper protection must be planned early and implemented throughout the entire lifecycle. At the same time, requirements for evidence and conformity assessment will increase.
Standards like IEC 62443, EN 18031 and, in the future, EN 50742 help to implement these requirements systematically and to exploit synergies between the two legal acts.
Conclusion - a holistic approach is essential
The Cyber Resilience Act and the machinery regulation make it clear that cybersecurity cannot be considered in isolation. Security requirements must be embedded in development from the outset, maintained throughout the product lifecycle and thoroughly documented.
Applying established standards such as IEC 62443, EN 18031 and the forthcoming EN 50742 will be crucial to meeting regulatory requirements efficiently while sustainably improving the security of machines and control systems.
Support with implementation
The Cyber Resilience Act and the machinery regulation define cybersecurity requirements for products and machines. Implementing them can be resource-intensive for many manufacturers, whether in technical hardening, internal process adjustments or evidence provided to authorities and testing bodies.
Secuvi supports companies in classifying regulatory requirements clearly and implementing them systematically. Whether you need initial orientation, concrete implementation steps or preparation for a conformity assessment - we help find practical solutions that meet the requirements and integrate with existing development processes.
More at: secuvi.com