On June 29, 2023, the European Parliament and the Council of the European Union introduced Regulation (EU) 2023/1230, which replaces the existing Machinery Directive 2006/42/EC. This new regulation expands the scope of products covered and updates conformity assessment procedures. Products falling under its scope must now comply with cybersecurity requirements outlined in Sections 1.1.9 and 1.2.1 of Annex III. While the regulation took effect on July 19, 2023, full implementation is scheduled for January 14, 2027.
Exploring the Relationship Between the CRA and Regulation (EU) 2023/1230
Alongside this regulation, the European Union has introduced the Cyber Resilience Act (CRA), which establishes cybersecurity standards for a wide range of digital products, including software, IoT devices, and mechanical equipment. By covering “products with digital elements,” the CRA extends cybersecurity obligations to machinery that incorporates components such as chips, software, and smart devices. Meeting the CRA’s security requirements can also help manufacturers comply with Regulation (EU) 2023/1230.
This marks the first time the EU has mandated cybersecurity requirements across the entire lifecycle of both hardware and software products. The CRA ensures that CE-marked products adhere to baseline cybersecurity standards and receive security updates for at least five years, enhancing long-term protection.
The Act:
- Sets rules for introducing products with digital elements to the market, focusing on their cybersecurity.
- Defines basic requirements for the design, development, and production of these products, and outlines what responsibilities economic operators have in fulfilling them.
- Establishes essential guidelines for how manufacturers should manage vulnerabilities in these products throughout their lifecycle, including the responsibilities of economic operators.
- Includes measures for market surveillance and enforcement of the rules and requirements mentioned above.
Current Status of the EU’s Cyber Resilience Act
On November 30, 2023, the European Parliament and Council reached a political agreement on the CRA, originally proposed by the European Commission in September 2022. The European Parliament formally approved new cybersecurity standards on March 12, 2024, but the act still requires final approval from both the European Parliament and the Council.
Once adopted, industries will have 36 months to comply with the new rules, while reporting obligations will begin earlier—just 21 months after the CRA is passed. The act is expected to be approved by Q2 2024, meaning the new requirements will take effect between April and June 2027, with reporting duties starting between January and April 2026.
Key Highlights of New Cybersecurity Requirements
The CRA will impact manufacturers, importers, and distributors of hardware and software products in the EU. Key obligations for manufacturers include:
- Incorporate cybersecurity at every stage—from planning and design to development, production, delivery, and maintenance.
- Document all cybersecurity risks.
- Actively report any exploited vulnerabilities and incidents.
- Ensure that vulnerabilities are managed effectively throughout the product’s expected lifespan or for five years, whichever is shorter.
- Provide clear and easy-to-understand instructions for using products with digital elements.
- Make security updates available for at least five years.