Cyber Resilience Act (CRA)

VS

Machinery Regulation (EU) 2023/1230

CRA vs. Machinery Regulation

Cybersecurity and machine safety — two regulations, one product

Cybersecurity (Security)

Protects products against malicious digital attacks — vulnerabilities, malware, unauthorized access

Machine Safety

Protects people from physical hazards posed by machinery — mechanical, electrical, and functional safety

Both regulations apply in parallel. Connected machinery must meet both Safety (MR) and Security (CRA) requirements. One does not replace the other.

Coverage summary: 0 covered, 3 partial, 6 not covered

You comply with the Machinery Regulation — what else do you need for CRA?

As a machinery manufacturer, you are experienced with CE conformity and risk assessment. The CRA adds an entirely new dimension: cybersecurity for the digital components of your machines. Your existing safety expertise helps — but the substantive requirements are fundamentally different.

CRA requirement / Coverage by the Machinery Regulation
Safety risk assessment
Partial

Your Machinery Regulation risk assessment covers physical hazards. The CRA requires a separate cyber risk assessment per Art. 13(2) — different threat scenarios, different methodology.

CE conformity process
Partial

You know modules and notified bodies. The CRA uses similar procedures (Annex VIII), but assessment criteria are cybersecurity-specific.

Technical documentation
Partial

You already prepare comprehensive technical documentation. CRA documentation (Annex VII) requires additional cybersecurity-specific content.

Cybersecurity-specific risk assessment
Not covered

The Machinery Regulation focuses on physical hazards. The CRA requires a dedicated cyber risk assessment: threat modeling, attack vectors, software vulnerabilities.

SBOM
Not covered

The Machinery Regulation has no SBOM requirement. The CRA requires a machine-readable Software Bill of Materials for all embedded software components.

Vulnerability management
Not covered

The Machinery Regulation requires no ongoing vulnerability management. The CRA demands systematic detection, assessment, and remediation throughout the entire support period.

ENISA reporting obligations
Not covered

The Machinery Regulation has no reporting obligations for cybersecurity incidents. The CRA requires reporting to ENISA within 24 hours for actively exploited vulnerabilities and within 72 hours for severe incidents.

Cybersecurity update obligations
Not covered

Machinery manufacturers previously had no obligation to provide software updates. The CRA requires free security updates throughout the entire support period.

Digital product lifecycle management
Not covered

The Machinery Regulation largely ends at placing on the market. The CRA requires ongoing management of digital components throughout the entire lifecycle.

01 Two regulations, different protection objectives

The CRA and Machinery Regulation pursue different protection objectives that overlap for connected machinery. New in MR 2023/1230: cybersecurity is explicitly recognized as a safety factor.

  • CRA: Cyber risks — access control, data integrity, availability, tamper protection
  • MR: Physical risks — mechanical, electrical, thermal hazards, ergonomics
  • MR Annex III, 1.1.9 and 1.2.1: New cybersecurity requirements for control systems

02 Overlap and precedence rules

Where the cybersecurity requirements overlap, CRA Recital 53 sets a clear precedence rule: CRA conformity satisfies the cybersecurity requirements of the Machinery Regulation. The reverse does not hold.

  • CRA conformity covers MR cyber: MR Annex III, 1.1.9 and 1.2.1 are automatically satisfied
  • MR cyber alone is not enough for CRA: SBOM, vulnerability management, and ENISA reporting are missing
  • Recommendation: CRA conformity as the starting point, since it covers the cybersecurity requirements of both regulations

03 Additional CRA obligations beyond the Machinery Regulation

The CRA introduces several obligations not provided for in the Machinery Regulation.

  • SBOM: Software Bill of Materials for all machine control software components
  • Vulnerability management: Systematic process throughout the support period (min. 5 years)
  • ENISA reporting: 24h for actively exploited vulnerabilities, 72h for severe incidents
  • Security updates: Free throughout the entire support period
  • Standalone CRA Declaration of Conformity alongside the MR Declaration of Conformity

04 Additional Machinery Regulation obligations beyond the CRA

The Machinery Regulation imposes extensive requirements the CRA does not cover. Both conformity areas must be fulfilled independently.

  • Physical safety: Emergency stops, guards, protection against mechanical/electrical/thermal hazards
  • Ergonomics: Requirements for operator stations and human-machine interfaces
  • Risk assessment: MR-specific with focus on personal injury
  • High-risk machinery (Annex I MR): Mandatory third-party conformity assessment required

05 Affected product categories

All connected machinery with embedded software falls under both regulations. The MR applies from January 20, 2027; the CRA from December 11, 2027.

  • Examples: CNC machines, industrial robots, cobots, automated production lines, conveyor systems with PLCs, packaging machines, printing machines, excavators with telematics
  • MR from 20 Jan 2027: Including new cybersecurity requirements
  • CRA from 11 Dec 2027: More comprehensive cybersecurity — subsumes MR cyber (Recital 53)

Synergies Between CRA and Machinery Regulation

Both regulations can be efficiently implemented together through an integrated compliance strategy.

Cybersecurity Precedence Rule

CRA conformity automatically satisfies the cybersecurity requirements of the Machinery Regulation (Recital 53).

Shared CE Marking

One CE marking covers both regulations — two separate Declarations of Conformity, but one marking.

Integrated Technical Documentation

Technical documentation for physical safety and cybersecurity can be merged into a coordinated package.

Your Next Steps

1. High priority

Add cybersecurity risk assessment layer

Add a dedicated cyber risk analysis to your existing machinery risk assessment. Identify attack vectors via network, remote maintenance, and embedded software.

2. High priority

Implement SBOM for machine controllers

Capture all software components in your machine controllers, PLC programs, and HMI systems in a machine-readable SBOM.

3. High priority

Build vulnerability processes

Establish processes for ongoing monitoring, assessment, and remediation of vulnerabilities in your machines' embedded software.

4. Medium priority

Plan update infrastructure

Create the technical infrastructure for secure OTA updates or guided update processes for your connected machines' software.

Frequently Asked Questions

Must connected industrial machinery comply with both the CRA and the Machinery Regulation?
Yes. Connected industrial machinery with embedded software falls under both regulations simultaneously. The Machinery Regulation covers physical safety (mechanical, electrical, thermal hazards, emergency stop devices, etc.), while the CRA governs cybersecurity (SBOM, vulnerability management, reporting obligations, security by design). Both conformity assessments must be conducted and documented independently, though CRA conformity per Recital 53 simultaneously satisfies the cybersecurity requirements of the Machinery Regulation.
Does CRA conformity automatically satisfy the cybersecurity requirements of the Machinery Regulation?
Yes. CRA Recital 53 clarifies that compliance with the essential cybersecurity requirements of the CRA simultaneously satisfies the relevant cybersecurity requirements of the Machinery Regulation (Annex III, Sections 1.1.9 and 1.2.1). However, the reverse does not apply: the cybersecurity requirements of the Machinery Regulation alone are not sufficient for CRA conformity, as the CRA imposes significantly more extensive requirements, including SBOM, reporting obligations, and systematic vulnerability management.
What is different about the new Machinery Regulation 2023/1230 compared to the old Machinery Directive?
The most significant change: Machinery Regulation 2023/1230 is a directly applicable EU regulation (no longer a directive requiring transposition into national law). Substantively, explicit cybersecurity requirements are added for the first time (Annex III, 1.1.9 and 1.2.1), addressing safety risks from digital manipulation. Additionally, requirements for high-risk machinery have been updated, digital documentation has been enabled, and market surveillance provisions have been strengthened. The regulation applies from January 20, 2027.
What additional obligations does the CRA bring for machinery manufacturers?
The CRA introduces four central obligations that go beyond the Machinery Regulation: (1) SBOM creation and maintenance for all software components of the machine control system, (2) systematic vulnerability management throughout the entire support period (minimum 5 years), (3) reporting obligations to ENISA for actively exploited vulnerabilities (24h) and severe incidents (72h), and (4) a standalone CRA Declaration of Conformity alongside the Machinery Regulation Declaration of Conformity. Additionally, free security updates and the obligation for security-by-design development per CRA Annex I apply.
How do the different application dates affect manufacturers?
The Machinery Regulation applies from January 20, 2027; the CRA (conformity obligations) from December 11, 2027. This means: from January 2027, machinery manufacturers must first fulfill the new Machinery Regulation including its cybersecurity requirements. Nearly eleven months later, the more comprehensive CRA requirements follow. Manufacturers should integrate both timelines into their compliance planning and ideally account for CRA requirements from the outset, as these subsume the cybersecurity requirements of the Machinery Regulation.
Do machinery manufacturers need two separate CE markings?
No. The CE marking is still applied once and indicates that the product complies with all applicable EU harmonization legislation. However, machinery manufacturers must prepare and maintain two separate Declarations of Conformity: an EU Declaration of Conformity under the Machinery Regulation and an EU Declaration of Conformity under the CRA. Both declarations reference different essential requirements and potentially different harmonized standards. The technical documentation must also cover both areas.
Which products are exempt from the CRA?
Not all products with digital elements fall under the CRA. Explicitly exempt are: medical devices and in vitro diagnostics (MDR/IVDR), motor vehicles and their type-approval (UN ECE R155/R156), aviation products, products for national security or defense, and certain open-source software not made available in the course of a commercial activity. If your product falls under one of these exemptions, the respective sector-specific cybersecurity requirements apply instead of the CRA.

Achieve dual conformity efficiently

Kunnus supports machinery manufacturers with parallel CRA and Machinery Regulation conformity. SBOM management, vulnerability monitoring, and documentation for both regulations.