Technical article

FAQs on the CRA: Implications for mechanical engineering companies


With the Cyber Resilience Act (CRA) becoming applicable, cyber security becomes a mandatory requirement for the CE marking of networked products for the first time. However, there is uncertainty in the industry about the exact interpretation of the abstract legal texts. In particular, the question of where the line lies between a simple mechanical component and a regulated ‘product with digital elements’ has been a topic of discussion.

The FAQs on the CRA published on 3 December 2025 make these requirements more concrete. They serve as a crucial link between the text of the regulation and the technical reality. Manufacturers receive important interpretation aids in some areas. Below, we provide a summary of the questions that are of particular concern to machine manufacturers.


When does a machine fall within the scope of the CRA?

The applicability of the CRA is determined by three cumulative criteria. Only if all three elements are met simultaneously is the product subject to the legal requirements. This is reflected in the FAQ document in section 1.1:

  • Product status: The product must meet the definition of a ‘product with digital elements’.
  • Market availability: The product is made available on the Union market in the course of a commercial activity.
  • Connectivity: The intended purpose or foreseeable use involves a direct or indirect logical or physical data connection to a device or network.


When is a machine a ‘product with digital elements’?

For manufacturers, the CRA defines a broad product concept (see section 1.2 in the FAQs). This encompasses not only the physical end product, but the entire functional unit. It is also crucial that the CRA considers not only end products, but components at every stage of the supply chain:

  • Hardware spectrum: The regulation applies at all levels – from basic components such as sensors and microchips to complex industrial IoT devices and machines that can process, store or transmit digital data.
  • Control technology (OT): Firmware and software embedded in hardware (e.g. PLC software, drive controls).
  • System integration: Firmware or embedded software placed on the market separately and intended for integration into information systems is also subject to the requirements.
  • Software solutions: Tools for programming FPGAs, driver software for peripheral devices (e.g. industrial printers) or operating systems for industrial PCs.
  • Remote data processing (e.g. remote maintenance, cloud back ends): digital solutions for data processing at a distance that the manufacturer designs for the product and without which the product could not perform one of its functions are also covered. Purely informative websites that do not affect the functionality of the machine are excluded.

Important: Purely mechanical components without electronic data processing are not covered. Likewise, stand-alone cloud services (SaaS) that are not the direct responsibility of the machine manufacturer and on which the machine does not depend for its functions must be considered separately.

What is a direct or indirect logical or physical data connection to a device or network?

In an industrial context (Industrial IoT), the term ‘connection’ should be interpreted broadly; details can be found in section 1.3 of the CRA FAQs.

Manufacturers must take into account that even supposedly ‘isolated’ components can serve as an entry point for an attacker.

Physical and logical interfaces

  • Physical: Any wired (Ethernet, USB, fieldbuses such as PROFIBUS/PROFINET) or wireless connection (WLAN, Bluetooth, NFC).
  • Logical: Interfaces via software (APIs, network sockets) through which data flows.

The relevance of indirect connections

A product does not necessarily have to have direct access to the internet to fall under the CRA. An indirect connection is sufficient. For example, if a control system communicates only with an industrial PC (host system), which in turn is connected to the factory network, the control system is considered to be indirectly connected. Since cyber threats can move laterally through factory networks, and a compromised host can relay attacks to the components behind it, these ‘internal’ components must also meet the security requirements.

Products without a data connection

On the other hand, a product with digital elements has no direct or indirect data connection if neither its intended use nor its reasonably foreseeable use includes such a connection to other devices or networks. Such products are outside the scope of the CRA. In mechanical engineering, these are mostly stand-alone legacy systems or purely mechanical devices.

Examples of this are:

  • Self-contained machines with hard-wired logic without any communication interface.
  • Simple hand tools with a battery charging station, provided that they do not transmit any data (e.g. battery status to an app).

Does the CRA apply to machinery with digital elements that was placed on the market before 11 December 2027?

Products with digital elements that were placed on the market before 11 December 2027 are only subject to the CRA requirements if they undergo a substantial modification after that date (Art. 69(2) CRA; section 1.4 of the FAQs).

Practical example: what counts as a substantial modification

  • Case 1 – No substantial modification: A machine is placed on the market in mid-2027; in 2028, a bug fix update is released that only resolves stability issues → the CRA does not apply.
  • Case 2 – Substantial modification: An update in 2029 activates new functions and thus changes or extends the originally intended functions → the product is treated as newly placed on the market, the CRA applies, and the manufacturer must ensure product conformity.

Reporting obligations before the main requirements apply

Regardless of the other transitional rules, an exception applies to the reporting obligations under Article 14. These apply from 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of the product for all products with digital elements that fall within the scope of the CRA, including those placed on the market before 11 December 2027. In practice this means that the early warning under Article 14 is due within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, so manufacturers need a working reporting process in place well before the other obligations take effect.

Do machines manufactured solely for internal use fall within the scope of the CRA?

Explanations can be found in section 1.5 of the FAQ document. Placing on the market is not considered to have taken place if a product is manufactured exclusively for the manufacturer's own use. The Blue Guide on the implementation of EU product rules 2022 clarifies that products manufactured and used internally by the operator (e.g. own operating equipment or test benches) are not covered by the CRA as long as they are not placed on the market separately or made available to third parties.

However, market availability may change the situation. If such products are later distributed externally or made available as stand-alone products, the CRA obligations apply from the date of placing on the market.

How do the CRA and the Machinery Regulation (MR) interact?

Manufacturers whose products fall under both the CRA and the new Machinery Regulation (EU) 2023/1230 (MR) must comply with both sets of rules (see section 2.4 of the CRA FAQs). There is some overlap in content when it comes to cybersecurity risks (e.g. protection against corruption, safety and reliability of control systems). Compliance with CRA requirements can therefore facilitate compliance with certain MR requirements. However, compliance with the requirements of one regulation does not automatically replace compliance with the requirements of the other. Manufacturers must demonstrate that the implementation of the CRA requirements also covers the relevant requirements of the MR. Suitable means of verification are harmonised standards or other technical specifications applied on the basis of a risk analysis.

A food packaging machine is cited as an example. This can be both a machine within the meaning of the MR and a product with digital elements within the meaning of the CRA. In such cases, both the essential health and safety requirements of the MR and the cybersecurity requirements of the CRA must be checked and, if necessary, fulfilled.

Which conformity assessment procedure should I use?

Both the CRA and the MR prescribe independent conformity assessment procedures, as outlined in section 2.4.3 of the CRA FAQs. If a product falls under both sets of regulations, manufacturers must ensure compliance with the respective procedures specified separately in each legal act. Compliance with the procedures of one legal act does not automatically replace compliance with the other.

What does the CRA require from manufacturers with regard to the assessment of cybersecurity risks?

Under the New Legislative Framework, manufacturers must carry out a documented risk assessment and implement the essential requirements of the applicable Union harmonisation legislation. For products with digital elements, the cybersecurity risk assessment must cover the entire product, including the components for remote data processing and all supporting functions that are part of the product placed on the market. Details can be found in section 4.5 of the FAQs.


Posted on: 2026-01-16

