CRA & Machinery regulation

Similarities, differences — and how to efficiently meet the security requirements of both regulations

Sarah Fluchs
10 min read · Nov 26, 2024
What could someone with malicious intent do to my machine? Machine manufacturers now also have to consider the possibility of a cybersecurity attack.

Machine manufacturers have long been required to affix a CE mark to their machines. Until now, to get a CE mark, the machines had to meet safety requirements: protect the health of people and the environment. The basis for this was the European Union’s Machinery Directive (2006/42/EC).

From 2027, these CE markings will include more, namely security requirements: The machine must also be protected against cybersecurity attacks. This will be ensured by two new EU regulations that will apply from 2027: The Machinery Regulation (2023/1230), which replaces the Machinery Directive, and the Cyber Resilience Act (CRA) (2024/2847). Machinery manufacturers must comply with both EU regulations — recital 53 in the preamble to the CRA makes this unmistakably clear.

What are the similarities and differences between the two regulations and, crucially: how can the cybersecurity requirements of both regulations be brought under one roof?

Legal aspects

Comparison of CRA and Machinery Regulation — legal aspects

Shared legal framework

Both the CRA and the Machinery Regulation are EU regulations, which means that they apply directly to all EU member states. Unlike EU directives, they no longer need to be translated into national law. This also distinguishes the Machinery Regulation from its predecessor, the Machinery Directive.

However, there is another important similarity between the two regulations: Both are part of the “EU harmonization legislation”. These are regulations for certain products that apply throughout the EU and are intended to ensure that the same safety standards apply to products in all member states. There is a common legal framework for all of these regulations, the “New Legislative Framework” (NLF). The CRA and the Machinery Directive therefore have a common basis.

This explains why both the CRA and the Machinery Directive require a CE mark and why the same rules apply for both:

  • Requirements: The core of both regulations are certain requirements for products within their scope. In the CRA they are listed in Annex I, in the Machinery Regulation in Annex III. For more information, see “Content-related aspects”.
  • CE mark: What both regulations have in common is that from a cut-off date in 2027, the affected products can no longer be sold (more precisely: no longer “be placed on the market”) in the EU without a CE mark.
  • EU Declaration of Conformity: To affix the CE mark, an EU Declaration of Conformity must be drawn up for the product. This declaration must name the applied regulations.
    In practice, for a machine sold at the end of 2027, both the Machinery Regulation (2023/1230) and the CRA (2024/2847) must be referenced in its EU Declaration of Conformity, plus any harmonized norms applied.
  • Harmonized norms (hEN): Harmonized European norms satisfy the “presumption of conformity” for a specific EU harmonization legislation.
    This means that if a harmonized norm for the Machinery Regulation is met, conformity with the requirements of the Machinery Regulation can be assumed. Harmonized standards therefore help with the interpretation of the often vaguely formulated requirements and provide legal certainty.
    Harmonized norms often exist for specific products, which is why there are so many of them. There are already more than 800 harmonized norms for the old Machinery Directive (2006/42/EC).
    As the CRA has only just come into force, it does not yet have a single harmonized norm.
    The existing harmonized norms for the Machinery Directive are to be updated and, if necessary, supplemented by 20 January 2026. A norm that specifies the newly introduced security requirements is also under development: EN 50742 — Safety of machinery — Protection against corruption.
    The first harmonized standards for the CRA are also due to be published in 2026. However, the focus will initially be on the important and critical products in Annex III and IV of the CRA, which generally do not include machinery.
  • Conformity assessment: The conformity assessment procedures for CRA and Machinery Regulation are generally the same.
    They can be roughly divided into procedures that require the involvement of an external conformity assessment body (modules H, B, C, G) and “internal production control” (module A), in which the manufacturer carries out the conformity assessment itself (“self-declaration”).
    Each regulation defines which conformity assessment procedures are applicable.
    For the Machinery Regulation, the procedure options depend on the type of machine.
    For the CRA, the self-declaration (module A) is usually sufficient for machines, as they do not fall under the “important” or “critical” products (Annex III or IV).

Specific questions on placing on the market, the CE mark, the EU Declaration of Conformity and the conformity assessment procedures are answered by the EU’s “Blue Guide”, which applies equally to the CRA and the Machinery Regulation.

Deadlines

It is a coincidence that both regulations apply “from 2027”. And although the cut-off dates are both in 2027, they are far apart: January 20, 2027 for the Machinery Regulation, December 12, 2027 for the CRA.

Both are “hard deadlines” without transitional provisions: If a machine is sold and delivered on January 19, 2027, the old Machinery Directive still applies, and the new Machinery Regulation will apply from January 20. If a machine is sold and delivered on December 10, 2027, it does not yet have to meet the CRA requirements, but it does on December 11, 2027. Some of the CRA requirements also apply earlier: exploited vulnerabilities in the products in accordance with Art. 14 of the CRA must already be reported from September 11, 2026.

Content-related aspects

Comparison of CRA and Machinery Regulation — content-related aspects

Scope

The core of any EU harmonization legislation is the definition of a product group and the definition of requirements for this product group.

The Machinery Regulation applies to machinery. More precisely: to machinery, partly completed machinery and associated products (interchangeable equipment, safety components, lifting accessories, chains, ropes and webbing and removable mechanical transmission devices). There are explicitly named exceptions if a type of machinery is already regulated elsewhere, and a distinction is made between different types of machinery for which, depending on their criticality, a conformity assessment involving an external body is required, for example.

The Cyber Resilience Act applies to products with digital elements with a data connection. More specifically, products with digital elements whose intended or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network. Here, too, there are explicitly named exceptions for products that are already regulated elsewhere.

Machines fall under the Cyber Resilience Act if they contain digital elements and data connections — for example controllers. The machine as a whole falls under the Cyber Resilience Act, but so does every component that is in turn a product with digital elements — i.e. the controller, but also the controller’s CPU, and so on. What is important is how the product is “placed on the market”.
If the machine manufacturer sells the machine as a whole, then it must also comply with the CRA for the machine as a whole. If they purchase individual components (the controller, for example), they must ensure that these individual components also comply with the CRA. As a minimum, they need to check whether a CE mark with reference to the CRA is affixed to the purchased controller.

Similarly, there are also certain products in the CRA that must undergo a conformity assessment by an external party due to their criticality. These are the products defined as “critical” or “important” in Annex III and Annex IV. These products are usually very fundamental (operating systems, network infrastructure, hypervisors) or security products (password managers, firewalls). Entire machines are generally not considered “important” or “critical” products. Even if the machine does contain “important” or “critical” products, that doesn’t make it “important” or “critical” itself, as Art. 7(1) of the CRA makes clear. Therefore, for most machinery, a self-declaration (Module A) will be sufficient as a CRA conformity assessment procedure.

Focus of requirements

The main difference between the CRA and the Machinery Regulation is the focus of the requirements.

The Machinery Regulation deals with safety, specifically functional safety: the protection of the health and safety of persons, in particular of consumers and professional users, and, where appropriate, of domestic animals and property and, where applicable, of the environment. Its core is an extensive set of safety requirements (Annex III).

The Cyber Resilience Act deals with the cybersecurity of products with digital elements throughout their lifecycle. Its core is an extensive set of security requirements (Annex I).

Conversely, the Cyber Resilience Act does not contain any safety requirements and the Machinery Directive (2006/42/EC) does not contain any security requirements — at least that’s how it used to be.

However, some cybersecurity requirements have now been added to the new Machinery Regulation (2023/1230). This is because a hazard to the health and safety of persons can be caused not only by technical failure and misuse (as before, the safety perspective) but also by malicious attempts by third parties (new, the security perspective).

In short, for the CE mark, machine manufacturers must now also consider what someone with malicious intent could do with the machine to cause harm to people and the environment.

The cybersecurity requirements to be met are set out in two sections:

Annex III, section 1.1.9 — Protection against corruption:

  • Connection to other systems or remote access must not lead to a hazardous situation.
  • Safety-relevant software, data and hardware components that transmit signals or data must be identified as such and protected against corruption.
  • Interventions must be documented.

Annex III, section 1.2.1 — Safety and reliability of control systems:

  • Control systems must withstand reasonably foreseeable malicious attempts by third parties leading to a hazardous situation.
  • Logs of interventions in the safety software must be kept for 5 years.

A harmonized norm (EN 50742) for the specification of these requirements is currently in progress.

Risk assessment

The different focus also explains why, although a risk assessment must be carried out for both regulations, these are two completely different processes that require different methods and expertise.

For the Machinery Regulation, a safety risk assessment must be carried out (Annex III, section 1). The focus is on hazards that can emanate from the machine and its (mis)use and that can lead to possible injuries or damage to health. An additional security risk assessment is not explicitly required. It can nevertheless be useful (in a condensed form) to identify and think through the “reasonably foreseeable malicious attempts by third parties to cause a hazardous situation” (see above).

For the CRA, a security risk assessment must be carried out (Art. 13 (2) and (3) and Annex I). The focus is on risks arising from possibly malicious interference with the digital elements of a product.

How do I efficiently meet both the cybersecurity requirements of the CRA and the Machinery Regulation?

If you want to compare the volume of cybersecurity requirements of both regulations, the Cyber Resilience Act is a supertanker and the Machinery Regulation is a dinghy. It therefore makes sense to generally gear the implementation of the cybersecurity requirements towards CRA conformity and include some particularities to also ensure conformity with the security portion of the Machinery Regulation. These particularities are as follows:

Documentation

When documenting the machine and its intended use (necessary for the CRA anyway), safety-relevant software, data and hardware components can be explicitly marked as such in accordance with the Machinery Regulation. This is also useful for the subsequent risk assessment.

If a Software Bill of Materials (SBOM) is created for CRA conformity, safety-relevant software components can also be marked there — this is also useful information for the vulnerability management required for the CRA.
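As an added illustration of the point above (example code, not from the article or any vendor): a CycloneDX-style SBOM in which safety-relevant components carry a custom property, and a small triage helper that brings vulnerability findings against those components to the front of the queue. The SBOM, the property name `machinery:safety-relevant` and the findings are all constructed here; the vulnerability ids are placeholders.

```python
import json

# Constructed CycloneDX-style SBOM. CycloneDX components may carry a
# "properties" list of name/value pairs; the property name used to flag
# safety-relevant components is an assumption chosen for this example.
SAFETY_PROPERTY = "machinery:safety-relevant"

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "application", "bom-ref": "plc-fw@3.2.0", "name": "plc-firmware",
         "version": "3.2.0", "properties": [{"name": SAFETY_PROPERTY, "value": "true"}]},
        {"type": "library", "bom-ref": "safety-io@1.4.1", "name": "safety-io-driver",
         "version": "1.4.1", "properties": [{"name": SAFETY_PROPERTY, "value": "true"}]},
        {"type": "library", "bom-ref": "webui@2.0.0", "name": "hmi-web-ui",
         "version": "2.0.0"},
    ],
})

# Constructed findings, as a scanner might report them matched against bom-refs.
FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "affects": "webui@2.0.0", "cvss": 9.1},
    {"id": "VULN-PLACEHOLDER-2", "affects": "safety-io@1.4.1", "cvss": 5.3},
    {"id": "VULN-PLACEHOLDER-3", "affects": "plc-fw@3.2.0", "cvss": 7.5},
]

def load_sbom() -> dict:
    """Parse the embedded SBOM document."""
    return json.loads(SBOM_JSON)

def safety_relevant_refs(sbom: dict) -> set:
    """Return the bom-refs of every component flagged as safety-relevant."""
    refs = set()
    for comp in sbom.get("components", []):
        for prop in comp.get("properties", []):
            if prop.get("name") == SAFETY_PROPERTY and str(prop.get("value", "")).lower() == "true":
                refs.add(comp["bom-ref"])
    return refs

def triage(sbom: dict, findings: list) -> list:
    """Order findings: safety-relevant components first, then by CVSS descending.
    Each returned entry carries a 'safety_relevant' flag for the report."""
    refs = safety_relevant_refs(sbom)
    tagged = [dict(f, safety_relevant=f["affects"] in refs) for f in findings]
    # False sorts before True, so safety-relevant findings lead the list.
    return sorted(tagged, key=lambda f: (not f["safety_relevant"], -f["cvss"]))

if __name__ == "__main__":
    for f in triage(load_sbom(), FINDINGS):
        print(f"{f['id']:20} {f['affects']:18} cvss={f['cvss']} safety={f['safety_relevant']}")
```

Note that the medium-severity finding on the safety I/O driver is ranked above the critical finding on the web UI: the safety flag, not CVSS alone, drives the order.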

Risk assessment

For the CRA, a cybersecurity risk assessment must be carried out for the machine. As part of this risk assessment, the risk scenarios that the Machinery Regulation requires to be taken into account can be explicitly considered: Attacks via remote access or other “connected systems”, attacks on controllers to cause hazardous situations and, in general, attacks involving the corruption of safety-relevant components.

Overall, it is advisable — for CRA and the Machinery Directive — to pay particular attention in the risk assessment to scenarios that lead to health and safety hazards for machine users.

Processes

For the CRA, processes for secure product development (and vulnerability management) must be defined anyway. These processes can include the required documentation for interventions in control software and any remote access, as specified in the Machinery Regulation.

Conformity assessment

Theoretically, the conformity assessment for the CRA and the Machinery Regulation can be carried out by the same conformity assessment body, provided that the assessment body is “notified” for both regulations.

However, it is likely that a machine will have to undergo different conformity assessment procedures for the CRA and the Machinery Directive: While the self-declaration (Module A) will be sufficient for the CRA in most cases, the applicable procedure for the Machinery Regulation depends on the type of machine.

Also, the conformity assessment for CRA and the Machinery Regulation requires fundamentally different skills. For the Machinery Regulation, the focus is on safety and functional safety with a few selected security requirements. For the CRA, the focus is exclusively on security requirements.

In practice, it is therefore more realistic in most cases for a machine to undergo separate conformity assessment procedures for the CRA and the Machinery Regulation.

Written by Sarah Fluchs

Friction generates heat — true for writing and engineering. Fluchsfriction generates writings on security engineering. Heated debates welcome! CTO@admeritia
