Cyber Resilience Act for Machinery & Industrial Automation
The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, introduces horizontal cybersecurity requirements for "products with digital elements" for the first time. For machinery and industrial automation this is more than a legal question: controllers, network components, embedded firmware and connected components are, as a rule, within scope once they have a direct or indirect logical or physical data connection to a device or network (Art. 2(1)). This page offers technical and organisational orientation – not legal advice; how your specific products are classified always depends on the individual case.
In brief: The CRA entered into force on 10 December 2024, but applies in stages. General application including CE marking begins on 11 December 2027. Check your exposure via the non-binding eligibility check and get the big picture in the CRA overview.
Timeline: the deadlines that matter for machine builders
The CRA does not apply "from entry into force". Its obligations phase in (Art. 71(2)). For machinery product planning, two dates matter most – and the sequence relative to the Machinery Regulation is deliberate.
| Date | What applies |
|---|---|
| 10 December 2024 | Entry into force (Art. 71(1)) – no enforceable product obligations yet |
| 11 June 2026 | Provisions on notified bodies / conformity assessment bodies (Chapter IV) |
| 11 September 2026 | Manufacturer reporting duties for actively exploited vulnerabilities and severe incidents (Art. 14) |
| 20 January 2027 | Application of the Machinery Regulation (EU) 2023/1230 – before general CRA application |
| 11 December 2027 | General application: essential requirements (Annex I), conformity assessment, CE marking |
Note: the Art. 14 reporting duties already apply from 11 September 2026 – and they cover products already on the market. For machines in the field this means vulnerability-handling processes must be in place early.
Product classification: where do automation components typically land?
The CRA has four tiers (Art. 32, Annex VIII): the default case (self-assessment), important products Class I (Annex III-I), important products Class II (Annex III-II), and critical products (Annex IV). The following classification is deliberately hedged – the individual case is decisive, together with the category descriptions in Implementing Regulation (EU) 2025/2392.
- Many industrial components – such as microcontrollers with security functions, network management, routers/modems/switches or operating systems – can frequently be classified as an important product of Class I.
- Certain security components – firewalls, IDS/IPS and tamper-resistant micro-processors/-controllers – typically fall into Class II.
- The vast majority of products may self-assess (Module A). Class I may self-assess where harmonised standards or common specifications are applied in full; otherwise a third party must be involved (Module B+C or H). A notified body is mandatory only for Class II and critical products.
A robust classification cannot be replaced by this overview. Details and examples are in our article on the CRA product classes.
What the CRA substantively requires (Annex I)
Regardless of class, all products in scope must meet the essential requirements of Annex I. Part I concerns product properties: an appropriate level of cybersecurity based on a risk assessment, delivery without known exploitable vulnerabilities, a secure default configuration, protection of confidentiality and integrity, and minimisation of the attack surface. Part II concerns vulnerability handling across the entire support period – including an SBOM, a mandatory coordinated vulnerability disclosure (CVD) policy, and secure update distribution.
For connected machinery it is especially relevant that these requirements do not end at shipping. The Annex I risk assessment must be documented and mapped to concrete measures in the technical documentation (Annex VII) – a continuous line of evidence "from design to the field".
Interplay with the Machinery Regulation (EU) 2023/1230
Machinery manufacturers must, as a rule, meet both frameworks: the Machinery Regulation (EU) 2023/1230, which applies from 20 January 2027, and the CRA from 11 December 2027. Both address overlapping cybersecurity risks; the CRA explicitly acknowledges this interplay (Recital 53).
Practical benefit: A certificate under the Cybersecurity Act (Regulation (EU) 2019/881) can establish a presumption of conformity for the Machinery Regulation's cybersecurity requirements. Building your security architecture once, along CRA logic, can avoid duplicated effort across both regulations.
Because the Machinery Regulation becomes applicable before the CRA, it is advisable to design cybersecurity requirements from the outset so that they carry both frameworks – rather than retrofitting twice.
Specific challenges for machines in the field
Machinery brings conditions the CRA only partly reflects – and this is where the real pressure to act arises:
- Long product lifetimes vs. the support period: the manufacturer must handle vulnerabilities across a support period of at least 5 years (or the shorter expected use). Machines often run far longer – support strategy and contractual arrangements should address this.
- SBOM for embedded firmware: Annex I Part II requires a software bill of materials (SBOM) in a commonly used, machine-readable format, at least for top-level dependencies. For embedded systems with many supplier components this is a genuine data-management task. The Regulation does not mandate a specific format.
- Secure updates in the field: security updates must be provided without delay and free of charge and distributed securely; security updates should be separated from feature updates where feasible. Machines without permanent connectivity need robust processes for this.
- Technical documentation (Annex VII): product description, architecture, SBOM, CVD policy, risk assessment against Annex I, support-period information. Retain for at least 10 years or for the duration of the support period.
Action areas and a realistic roadmap
1. Exposure & classification
Review the product portfolio: which components are products with digital elements? Provisional classification per Annex III/IV – hedged and with documented reasoning.
2. Vulnerabilities & reporting
Establish a vulnerability-handling process, coordinated disclosure (a CVD policy is mandatory) and reporting channels under Art. 14 – in good time before 11 September 2026.
3. SBOM & secure updates
Establish an SBOM for firmware and supplier components, secure the update distribution, and separate security from feature updates.
4. Documentation & conformity
Prepare technical documentation (Annex VII), the EU declaration of conformity (Art. 28, Annex V) and the right conformity-assessment route (Art. 32) – aligned with the Machinery Regulation.
- By mid-2026: complete exposure and classification analysis, introduce a vulnerability-handling and reporting process (Art. 14 from 11 Sep 2026).
- 2026–2027: build the SBOM, secure updates, technical documentation and Annex I risk assessment; design cybersecurity in line with the Machinery Regulation (from 20 Jan 2027).
- Before 11 Dec 2027: carry out the conformity assessment, draw up the EU declaration of conformity, prepare CE marking – plan for a notified body for Class II and critical products.
The penalties are material: infringements of the essential requirements and the manufacturer and reporting duties (Art. 13, 14) can incur up to EUR 15 million or 2.5% of worldwide annual turnover – whichever is higher. Reason enough to start early and in a structured way.
Frequently asked questions
Does an industrial controller even fall under the Cyber Resilience Act?
Does my machine need a notified body for conformity assessment?
From when must I report vulnerabilities and incidents?
How do the CRA and the Machinery Regulation (EU) 2023/1230 relate?
What does the support period mean for long-lived machinery?
Let's talk about your CRA readiness
Want to know which of your components the CRA affects and what a realistic roadmap to 2027 looks like? In a first, non-binding consulting call, Christian Gebhardt of Blackfort Technology will help you assess your starting point and outline the sensible next steps.
Request a first call Check eligibility