In the European machine-building landscape, cybersecurity discussions are more often anchored in the new Machinery Regulation than the Cyber Resilience Act (CRA). This is no coincidence. The Machinery Regulation is tightly integrated into established OEM engineering lifecycles, making it the practical and operational starting point for addressing cyber risks.

Why the Machinery Regulation is the starting point
The Machinery Regulation connects naturally to familiar pillars such as Conformité Européenne (CE) marking, safety risk assessments, and the technical documentation file that underpins conformity. In that sense, the framework feels well understood and operationally embedded. What has fundamentally changed is the assumption that digital risk can remain separate from this structure. That separation is no longer sustainable.
The Machinery Regulation (EU) 2023/1230 – adopted in 2023 and applicable from January 20, 2027 – makes this shift explicit. It introduces a formal obligation for OEMs to assess, mitigate, and document safety-related risks arising from digital technologies. For many engineering and compliance teams, this is the first time cybersecurity appears in a structured, auditable way within the machinery compliance workflow. What was once treated as an IT or aftermarket concern now sits fully within the product safety lifecycle.
How NIS2 and the CRA fit into the regulatory landscape
This development does not stand alone. Other regulatory initiatives are progressing in parallel, most notably NIS2. Unlike the Machinery Regulation, NIS2 is a directive and must be transposed into national law by each Member State. This has resulted in variations in interpretation, enforcement, and implementation maturity across Europe. Although the formal transposition deadline was October 17, 2024, the practical obligations continue to evolve and differ by country.
The Cyber Resilience Act follows a different model. As an EU regulation, it applies directly and uniformly across all Member States. It entered into force in December 2024, with its main obligations becoming applicable from December 11, 2027, and its vulnerability and incident reporting requirements applying from September 11, 2026.
When viewed together, a clear sequence emerges. NIS2 raised expectations around organizational cybersecurity and governance. The Machinery Regulation brought digital risk firmly into the machinery safety domain. The CRA then completed the picture by establishing a harmonized European framework for product cybersecurity. These are not isolated initiatives or competing requirements, but interlocking layers of a broader regulatory transition.
When a machine falls within the scope of the CRA
The CRA applies to products with digital elements, a term defined with precision. It refers to products whose intended or reasonably foreseeable use involves a logical or physical data connection to another product, device, or network.
A machine is not automatically in scope. But once it incorporates software, connectivity, or data exchange capabilities, it may fall within the CRA’s remit. Recital 53 of the CRA is particularly important in this context, as it clarifies that where a product is already covered by sector-specific legislation, such as the Machinery Regulation, the manufacturer must comply with both frameworks where applicable. In practice, this requires alignment rather than substitution.
At the time of writing, harmonized standards under the CRA are still under development, and the European authorities have not yet finalized the certification scheme for products classified as critical. Machinery does not currently fall into the categories requiring mandatory third-party conformity assessment under the CRA. For most machines, manufacturer self-assessment is expected to remain sufficient.
Even so, the impact on conformity assessment processes is significant. OEMs must integrate cybersecurity-related evidence into the technical documentation that supports conformity assessment, CE marking, and continued access to the European market.
The role of NIS2 for OEMs
NIS2 plays a different but increasingly influential role for OEMs. It does not regulate machines as products, but organizations operating in essential and important sectors.
Some machine builders will fall directly under NIS2 depending on their size, sector, and role in critical value chains.
In these cases, obligations focus on governance, risk management, incident reporting, and supply chain security. More commonly, however, the impact is indirect. Customers subject to NIS2 are placing growing demands on their suppliers for structured, verifiable evidence of cybersecurity practices. Requests for information on vulnerability handling, security support periods, embedded software components, and security advisory processes are becoming standard.
As a result, the distinction between product cybersecurity and organizational cybersecurity is eroding. Engineering decisions, lifecycle support commitments, and internal governance are increasingly assessed as part of a single, connected system.
A shift that goes beyond compliance
The real challenge for OEMs is therefore not to manage the Machinery Regulation, the CRA, and NIS2 as separate compliance exercises. It is to build a coherent operating model in which engineering workflows, lifecycle thinking, and internal processes collectively support all three.
The real test is consistency: the ability to demonstrate, through clear and structured evidence, how safety, cybersecurity, and lifecycle management are systematically interconnected.
This transition extends beyond regulatory compliance. It lays the foundation for a more resilient engineering culture, one that reduces complexity, improves product maturity, and strengthens long-term customer trust. Discover how Schneider Electric Advisory Services can help achieve your goals.
Schneider Electric’s approach to digital policy implementation (figure)