
“Cybersecurity is becoming an integral part of product approval”

The Cyber Resilience Act and the EU Machinery Regulation: What Machinery Manufacturers need to know now – Interview with Jürgen Leng

The EU Machinery Regulation (2023/1230) and the Cyber Resilience Act (CRA) are setting new standards for machine safety. In future, manufacturers must systematically consider and document not only functional safety but also protection against cyber risks. In this interview, Jürgen Leng, business development manager at SCHLEGEL and an expert in standards, explains what companies need to look out for and how SCHLEGEL offers practical protection with 2BSecure.

Mr. Leng, how should companies prepare for the CRA and the Machinery Regulation in terms of machine safety?

Jürgen Leng: With the new EU Machinery Regulation (EU) 2023/1230 and the CRA, cybersecurity is becoming a mandatory component of machine safety for the first time ever. In addition to functional safety, manufacturers will also have to systematically consider and document protection against cyber risks in future. An important new requirement is protection against “corruption”, as defined in Annex III, Section 1.1.9 of the Machinery Regulation. This term originates from standardisation and refers to the manipulation or unauthorised alteration of machinery, software, or parameters that could compromise the safety-related functions of a machine. 

What exactly does this entail? 

The prEN 50742 standard, “Protection of machinery against corruption”, provides manufacturers with practical guidelines. It defines how machinery should be designed and operated to prevent both unintentional and deliberate tampering. The focus is particularly on: 

  • Access protection for machines and control systems 
  • Securing external interfaces 
  • Protection against tampered software versions 
  • Ensuring the integrity of safety-critical functions 

At the same time, the CRA requires clear evidence of the cybersecurity of networked machines – a first for the EU.

What specific requirements does the Cyber Resilience Act impose on manufacturers of machinery? 

The CRA requires manufacturers to ensure cybersecurity throughout the entire product lifecycle. The most important requirements include: 

  • Security by design & default: Cybersecurity must be taken into account right from the development stage. Products must not have default passwords and unused interfaces must be disabled. 
  • Risk assessment and vulnerability management: A systematic cyber risk assessment is mandatory for the manufacturer prior to market launch. Any vulnerabilities found must be documented and rectified promptly. 
  • Mandatory security updates: Security updates must be provided for at least five years or for the expected lifetime of the product. 
  • Transparency: All software components (including open source) must be disclosed to ensure transparency across the supply chain (Software Bill of Materials – SBOM). 
  • Reporting obligations: Serious security incidents must be reported to the relevant authorities. 
  • Conformity assessment and CE marking: Depending on the risk class, either self-assessments or external audits are required. 

Furthermore, the CRA requirements will form part of the CE conformity assessment. For mechanical engineers, this means that cybersecurity will become an integral part of product approval in the future. 

Which products are affected by the CRA? 

The CRA applies to all products containing digital elements that are manufactured, imported or distributed within the EU. Therefore, the scope is quite broad as it covers all products connected to networks or devices. These products are classified into different risk categories. Their potential to cause harm is a key factor in this classification. Those used in critical infrastructure, industrial production or the energy sector, for example, fall into a higher risk category. For manufacturers, this means that conformity assessment procedures will become more comprehensive and demanding. 

How significant is the current risk of cyber-attacks? 

The risk is already high today. Businesses are well aware of this. According to the industry association Bitkom's Economic Report 2025, 72 % of respondents rated the threat level as high. Furthermore, around 66 % of German companies were affected by data theft in the past twelve months. Around 70 % of these attacks are attributed to organised crime. The cost of damage caused by downtime, theft, or damage to information, production systems, and operational processes rose by almost 20 billion euros between 2024 and 2025, reaching 73.3 billion euros. 

The issue is therefore highly relevant. This also applies to the CRA's timeline: mandatory reporting of vulnerabilities and security incidents under the CRA comes into force on 11 September 2026. By 11 December 2027, all new products must be fully CRA-compliant. 

Securing external interfaces is standard practice for protection against corruption. So why are these interfaces so often overlooked? 

The risk posed by physical interfaces on machines is often underestimated. As machines become increasingly networked as part of Industry 4.0, the risk of cyberattacks via USB or Ethernet ports is also rising. While these are often necessary service access points, they can also serve as entry points for cyberattacks. Malware can be introduced, data can be read out, and machine parameters can be altered via these access points. Technical protective measures can make a significant difference here. 

SCHLEGEL has developed 2BSecure, a system that protects open interfaces. How does it work in practice?

2BSecure is a compact hardware solution designed to be installed between the interface and the end device. It is compatible with standard USB-A, USB-C and Ethernet interfaces. The system takes a preventive approach: interfaces are disabled by default and can only be enabled specifically by authorised personnel via key switches or RFID technology. This means that only authorised users can activate ports and transfer data, making access controllable and effectively preventing tampering. The solution protects both machine control systems and sensitive data on the network.

Is much effort required to retrofit it? 

No — the solution is designed to be easy to integrate. It can be used in both new and existing machines and integrated into existing machine and IT infrastructures with minimal effort. It thus follows the principle of “security by design”. 

To what extent did legal requirements influence the development process? 

The regulatory requirements imposed by the new Machinery Directive and the CRA were key drivers, as both demand verifiable protective measures against unauthorised access and tampering. By providing controlled protection for physical interfaces, 2BSecure can help to implement these requirements technically and demonstrably reduce risks.
