Robot Machinery and Cyber Resilience Regulation

6/23/2025

Machinery Regulation

Effective Date: January 20, 2027, replacing the Machinery Directive 2006/42/EC.

Scope: Focuses on physical and functional safety of machines, with new cybersecurity requirements for networked, software-driven machinery.

Key Requirements (Annex III-1.1.9):

  • Machines must ensure safe communication with other devices/networks to prevent dangerous situations.

  • Protection against data corruption via encryption, security protocols, and regular software updates.

  • Applies to manufacturers of machines/safety components and operators.

  • Impact: Requires integrating cybersecurity into design and operation, ensuring secure interfaces and updates to mitigate cyber risks.

Cyber Resilience Act (CRA)

Entered into force December 10, 2024; fully applicable from December 2027, with vulnerability reporting obligations starting September 2026.

Scope: Covers all products with digital elements (hardware/software) directly or indirectly connected to devices/networks, across their entire lifecycle (planning to maintenance).

Key Requirements:

  • Manufacturers are responsible for cybersecurity beyond the point of sale, ensuring protection throughout a product’s lifespan.

  • Products must comply with CE marking, indicating adherence to cybersecurity standards.

  • Mandates “Security by Design” (security integrated from the start) and “Security by Default” (secure settings out-of-the-box).

  • Requires secure update mechanisms, protected interfaces, and risk assessments for cyber threats (e.g., hacking).

  • Impact: Extends cybersecurity obligations across the value chain, affecting all connected products (e.g., vacuum robots to critical sector devices).

Complementary Nature

  • The Machinery Regulation (MVO) ensures mechanical/functional safety with cybersecurity for machines, while the CRA focuses on digital components/software security across all connected products.

  • Both impose strict manufacturer obligations, conformity assessments, and market surveillance, with significant fines for non-compliance.

Implications for Companies

  • Product Development: Designers must incorporate cybersecurity in the design phase, addressing cyber threats, secure communication, and updates. This shifts development processes to prioritize “Security by Design/Default.”

  • Early Preparation: Companies must act now, as CRA’s vulnerability reporting starts in 2026, and both regulations fully apply in 2027. Delaying compliance risks penalties and competitive disadvantages.