Industrial machinery OEMs face one of the steepest EU Cyber Resilience Act (CRA) compliance curves: long product lifecycles, complex supply chains, embedded software from many vendors, and customers who increasingly demand cybersecurity evidence at procurement. This step-by-step guide walks machine builders through CRA compliance — what to do first, what each phase costs in time, and where Kunnus accelerates the path from gap analysis to EU declaration of conformity.
Why Machinery Is High on the CRA's Priority List
Modern industrial machines combine multiple products with digital elements: programmable logic controllers (PLCs), human-machine interfaces (HMIs), industrial routers, safety controllers, and connected sensors. Each of these can fall under the CRA independently — and the assembled machine itself faces conformity obligations.
Cyberattacks on connected machinery are no longer hypothetical. Production downtime measured in days, safety incidents involving robotic cells, and ransomware paralyzing entire plants have made cybersecurity a board-level concern at OEMs. The CRA codifies this concern into binding EU law: every product placed on the EU market after December 2027 must meet the essential cybersecurity requirements.
Most industrial automation components are classified as Class I "important products," meaning self-assessment is possible only when fully harmonized standards apply. Otherwise a notified body must be involved — and notified body capacity in 2026–2027 is the single biggest bottleneck industrial OEMs face.
Step 1 — Product Inventory and Classification (Weeks 1–4)
The CRA applies per-product, not per-company. The first step is a structured inventory of every product line that will be placed on or made available on the EU market after the deadline.
For each product, document:
Product identity. Model number, hardware revisions in active production, firmware versions currently shipping, intended use.
Digital elements. What software runs on the product? Operating system (Linux, FreeRTOS, VxWorks), middleware, application software, communication stacks, third-party libraries. This is the foundation for the SBOM.
Connectivity. Ethernet, WiFi, Bluetooth, 5G, OPC UA, MQTT, Modbus TCP. Any network interface — wired or wireless — pulls the product into CRA scope.
Risk classification. Use CRA Annex III and IV to determine whether the product is "important" (Class I or Class II) or falls under the default category. Industrial firewalls, identity and access management components, and safety controllers tend to be Class II — these require notified body involvement and have the longest lead times.
A 250-employee OEM with 30 active product variants typically needs 3–4 weeks to complete this inventory. Underestimating this phase is the most common mistake: gaps discovered here cost ten times as much to fix in Phase 3.
Step 2 — Gap Analysis Against Annex I (Weeks 4–10)
Annex I of the CRA lists the essential cybersecurity requirements. The gap analysis maps each Annex I requirement to your current product implementation and identifies where evidence is missing.
The core questions per requirement:
Is the requirement met technically? Example: Annex I requires protection against unauthorized access. Does the product enforce authentication on all administrative interfaces? Are default credentials disabled?
Is the requirement documented? A correct implementation without documentation will fail conformity assessment. The technical documentation (Annex VII) is what the notified body or market surveillance authority will request.
Does the implementation work across the support period? A machine with a 15-year support period must receive security updates for all of those years. If the current update architecture cannot deliver that — for example, machines installed without internet access — a compensating-measures plan is needed.
The output of Phase 2 is a prioritized backlog of gaps with effort estimates. For OEMs starting from a low baseline, expect 4–6 weeks of cross-functional work (engineering, product management, compliance, legal).
Step 3 — Closing Gaps and Building Evidence (Months 3–9)
Gaps fall into four typical categories, each with a distinct closure approach.
Software composition (SBOM). Generate a Software Bill of Materials in CycloneDX or SPDX format for every product. Automate generation in the CI/CD pipeline; do not rely on annual snapshots. Suppliers who cannot deliver SBOMs become a procurement risk — start the conversation with critical Tier-1 suppliers in this phase.
Vulnerability handling. Establish a coordinated vulnerability disclosure process: contact channel published on the company website, intake triage, severity scoring, fix prioritization, notification to affected customers, and the ENISA 24-hour early warning for actively exploited vulnerabilities. The vulnerability handling obligation begins on September 11, 2026 — ahead of the full December 2027 conformity deadline.
Secure-by-design retrofits. Many machinery products carry legacy authentication, hardcoded credentials, or unencrypted communication. Closing these gaps in firmware-revision-locked products is the most technically demanding phase. Compensating controls (network segmentation guidance, customer-deployable configuration hardening) can bridge the gap for products that cannot be redesigned.
Documentation and EU declaration of conformity. Annex VII defines the technical documentation. This is not a one-page form — it is a structured evidence package including risk assessment, design rationale, test reports, SBOM, vulnerability handling process description, and the EU declaration of conformity itself.
Step 4 — Conformity Assessment and Notified Body Engagement (Months 9–12)
For Class II products and for Class I products where harmonized standards are not fully applied, a notified body must validate conformity. The 2026–2027 notified body capacity bottleneck means OEMs should engage notified bodies as soon as Phase 2 is complete — booking a slot, even with an incomplete dossier, is more important than waiting for perfection.
For Class I products with full harmonized standard coverage, self-assessment under Module A (internal control) is possible. The CRA harmonized standards picture is still evolving in 2026, but IEC 62443 — particularly 62443-4-1 (secure development lifecycle) and 62443-4-2 (component technical requirements) — is expected to underpin much of the harmonized standards work. OEMs already aligned with IEC 62443 have a significant head start.
The conformity assessment output: a signed EU declaration of conformity, CE marking applied to the product, and the complete technical documentation retained for ten years.
Step 5 — Ongoing Compliance (Continuous)
CRA compliance is not a one-time project. Four ongoing processes must run for the entire product lifetime:
Continuous SBOM updates. Every firmware release regenerates the SBOM. Component changes, dependency upgrades, and security patches all flow through the SBOM pipeline.
Continuous vulnerability monitoring. Match new CVEs against the SBOM daily. The 24-hour ENISA notification clock starts when the manufacturer becomes aware of active exploitation — not when the CVE is published.
Security update delivery. Free security updates for the declared support period. For industrial machinery, support periods of 10–15 years are common; the security update infrastructure must be designed for that lifetime.
Documentation maintenance. Every substantial product change triggers a re-assessment. Keep the technical documentation current; do not let it freeze at the date of initial conformity declaration.
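The SBOM pipeline described in Step 3 and the daily CVE matching described in Step 5 are the same data flow seen from two ends: a CycloneDX document generated per firmware build, and a matcher that joins that document to a vulnerability feed by package URL (purl) and version range. The following Python is an added example, not Kunnus code or any project's tooling. The dependency manifest, the advisory feed and the advisory identifiers (ADV-EXAMPLE-000x) are constructed for illustration; the component names are real open-source projects but the versions and advisories are invented. Version comparison is simplified to dotted-integer versions, and the affected-range semantics (affected if introduced <= version < fixed) are borrowed from the OSV schema.

```python
"""Build a CycloneDX SBOM for one firmware build and match it against a
vulnerability feed. Added example with constructed data; not production code."""
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed dependency manifest for a hypothetical HMI firmware build.
DEPENDENCIES = [
    {"name": "zlib", "version": "1.2.11"},
    {"name": "open62541", "version": "1.2.2"},     # OPC UA stack
    {"name": "paho-mqtt-c", "version": "1.3.9"},   # MQTT client
    {"name": "libcurl", "version": "7.79.0"},
]

# Constructed advisory feed. IDs are placeholders, not real CVE numbers.
# Range semantics follow OSV: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:generic/open62541",
     "introduced": "1.0.0", "fixed": "1.2.3", "severity": "HIGH",
     "actively_exploited": True},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:generic/zlib",
     "introduced": "1.2.0", "fixed": "1.2.11", "severity": "MEDIUM",
     "actively_exploited": False},   # shipped 1.2.11 is the fixed version
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:generic/libcurl",
     "introduced": "7.50.0", "fixed": "7.80.0", "severity": "MEDIUM",
     "actively_exploited": False},
]


def purl_for(name, version):
    """Package URL used as the join key between the SBOM and the advisory feed."""
    return f"pkg:generic/{name}@{version}"


def build_cyclonedx_sbom(product, product_version, deps):
    """Produce a minimal CycloneDX 1.5 JSON document for one firmware build."""
    components = [
        {
            "type": "library",
            "bom-ref": purl_for(d["name"], d["version"]),
            "name": d["name"],
            "version": d["version"],
            "purl": purl_for(d["name"], d["version"]),
        }
        for d in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "firmware", "name": product, "version": product_version},
        },
        "components": components,
    }


def parse_version(v):
    """Dotted-integer versions only ("1.2.11" -> (1, 2, 11)); a simplification."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, introduced, fixed):
    """OSV-style half-open range: introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_vulnerabilities(sbom, advisories):
    """One finding per (component, advisory) pair whose range covers the shipped version."""
    findings = []
    for comp in sbom["components"]:
        package, _, version = comp["purl"].rpartition("@")
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["purl"],
                    "severity": adv["severity"],
                    "actively_exploited": adv["actively_exploited"],
                })
    return findings


def enisa_early_warning_deadline(aware_at, finding):
    """The 24-hour early-warning clock runs from awareness of active exploitation,
    not from CVE publication; non-exploited findings have no such deadline."""
    if not finding["actively_exploited"]:
        return None
    return aware_at + timedelta(hours=24)


if __name__ == "__main__":
    sbom = build_cyclonedx_sbom("HMI-2000 firmware", "3.4.0", DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    aware = datetime(2026, 9, 14, 8, 30, tzinfo=timezone.utc)
    for finding in match_vulnerabilities(sbom, ADVISORIES):
        deadline = enisa_early_warning_deadline(aware, finding)
        print(finding["advisory"], finding["component"], finding["severity"], "deadline:", deadline)
```

Run in the CI job that produces the firmware image so the SBOM is regenerated on every release, and run the matcher on a schedule against the live feed; the half-open range is what makes the zlib case correct (the shipped version equals the fixed version, so it is not flagged), which is exactly the kind of false positive an ad-hoc string comparison would produce.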
How Kunnus Accelerates Each Phase
The five phases above describe what CRA compliance requires. Kunnus is built to make each phase faster without compromising rigor.
Phase 1 inventory is captured in the product catalog with classification helpers built into the workflow. Phase 2 gap analysis maps directly against Annex I requirements, with evidence templates and reusable patterns across product variants. Phase 3 SBOM generation integrates into CI/CD pipelines (CycloneDX/SPDX), and the vulnerability monitoring engine matches CVEs against the SBOM continuously. Phase 4 documentation assembly is one-click — the technical documentation, the EU declaration of conformity, and the audit-ready evidence package are generated from the structured data already in the platform. Phase 5 ongoing compliance runs in the background: new CVEs trigger alerts, SBOMs regenerate on each release, and support-period clocks are tracked per product.
Start with our free CRA readiness assessment and find out exactly which phase your organization is in — and where the highest-leverage next step lies.