CRA and EU Machinery Regulation 2023/1230: Overlap

A machine with a programmable controller, an HMI, an embedded computer or a network interface can fall under both the EU Machinery Regulation (Regulation (EU) 2023/1230) and the EU Cyber Resilience Act (Regulation (EU) 2024/2847). The CRA applies where the machine is a product with digital elements and its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. A specific recital of the CRA names this dual-regime overlap and points to two Machinery Regulation sections that cover cybersecurity-driven safety, sections 1.1.9 and 1.2.1. This page covers what the recital says, how CRA evidence maps onto the Machinery side and where the two conformity assessments stay separate.

Summary

  • Both regimes can apply at the same time. A machine in scope of the Machinery Regulation also needs CRA treatment where it is a product with digital elements with a direct or indirect data connection to a device or network. Machinery is not one of the CRA exclusions.
  • The CRA anchors the dual-regime overlap. Manufacturers in scope of both regulations must comply with both, and the Machinery-side cybersecurity overlap concentrates in Machinery Regulation sections 1.1.9 and 1.2.1.
  • The overlap is on cybersecurity-driven safety failures. A control system whose safety logic can be tampered with over the network is unsafe in the Machinery sense and insecure in the CRA sense. The same engineering controls (input validation, authentication, integrity protection of safety logic) speak to both regulations.
  • CRA evidence can carry weight on the Machinery side, but you have to connect it. The CRA permits the synergy and points to harmonised standards as the bridge. The burden of demonstrating the link sits with the manufacturer, in the technical file.
  • Each regime keeps its own conformity assessment. The Machinery Regulation runs its own routes, with notified-body involvement for higher-risk machinery categories; the CRA runs its own conformity routes. The same notified body can do both if it holds both designations.
  • 2 regulations apply concurrently.
  • §1.1.9 + §1.2.1: the Machinery Regulation sections where the cybersecurity overlap sits.
  • Dual regime, anchored in the CRA, Regulation (EU) 2024/2847.
  • 11 Dec 2027: CRA applies to new placements; Machinery Regulation applies from 20 Jan 2027.

The overlap in four numbers: two regulations, two Machinery Regulation sections, the CRA anchor that ties them together and the dates that put the dual regime into force.

Where the two regulations overlap

The Machinery Regulation regulates safety; the CRA regulates cybersecurity. The Machinery Regulation governs the safety of machinery placed on the EU market, while the CRA governs products with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. A modern machine that contains a PLC, an HMI, an embedded controller or a network interface will often meet both tests, but the CRA scope check still has to be made for each machine.

The overlap is on cybersecurity-driven safety failures. A control system whose safety-relevant logic can be tampered with over the network is unsafe in the Machinery Regulation sense and insecure in the CRA sense. The same engineering controls (input validation, authentication, integrity protection of safety logic) speak to both regulations.

The CRA pins the overlap in two Machinery Regulation sections:

Machinery Regulation §1.1.9

Protection against corruption of control systems. Cyber tampering with safety-relevant logic, like code injection into a PLC, signal spoofing of an interlock, or unauthorized firmware writes, is a Machinery Regulation safety failure as well as a CRA cybersecurity failure. The same engineering controls (integrity protection, signed updates, input validation) speak to both regulations.

Machinery Regulation §1.2.1

Safety and reliability of control systems, including against deliberate manipulation. Control logic that loses integrity under attack, like an emergency stop bypassed remotely or a guard interlock disabled in software, is unsafe under the Machinery Regulation and insecure under the CRA. The cybersecurity engineering controls and the functional-safety controls converge on the same hardening.

Both sections carry cybersecurity content because corruption and deliberate manipulation of control systems are cybersecurity threats with safety consequences.

Machinery Regulation only
  • Mechanical hazard guarding (fences, light curtains, interlocks).
  • Emergency stop circuits and safety-related stop functions.
  • Operator ergonomics, visibility and reach.
  • Noise, vibration and emission limits.
  • Operator instructions for safe handling, transport and maintenance.
  • Mechanical stability and structural integrity.
Both regulations
  • Protection of control systems against corruption.
  • Safety and reliability of control systems against deliberate manipulation.
  • Risk assessment of cyber-driven safety failures.
  • Technical documentation of secure control-system design.
  • Vulnerability handling for safety-relevant control logic.
  • Software bill of materials covering control-system components.
CRA only
  • Active vulnerability handling for the full support period.
  • Vulnerability and severe-incident reporting to the coordinating CSIRT and ENISA.
  • Coordinated vulnerability disclosure policy.
  • Software bill of materials produced for market surveillance authorities on reasoned request.
  • Security update commitments throughout the support period.
  • Free security updates for the support period.

CRA and Machinery Regulation overlap. The two regimes apply concurrently to a machine with digital elements. The cybersecurity content of the Machinery side concentrates in Machinery Regulation sections 1.1.9 and 1.2.1. CRA artefacts (risk assessment, technical file, vulnerability handling process, software bill of materials) bridge into the Machinery technical file once the manufacturer demonstrates the link.

What the CRA says about the machinery overlap

The CRA ties the two regimes together through Recital 53. In plain English it tells the manufacturer of a machine with digital elements four things:

  • Both regimes can apply, with no machinery exemption. In practice: a machine in scope of Regulation (EU) 2023/1230 that is also a CRA product with digital elements has to meet the cybersecurity essential requirements of the CRA and the essential health and safety requirements of the Machinery Regulation. Machinery is not one of the CRA exclusions.
  • The same cybersecurity risks can show up in both. In practice: the two regulations address similar cybersecurity threats from different angles, the Machinery Regulation through safety, the CRA through cybersecurity. Where they overlap, the same engineering controls (input validation, authentication, integrity protection of safety logic) speak to both.
  • CRA work can carry weight on the Machinery side, but only where they overlap. In practice: the CRA risk assessment (Article 13(2)), the technical documentation (Annex VII) and the vulnerability handling process (Annex I Part II) generate evidence that maps onto Machinery Regulation §1.1.9 (protection against corruption) and §1.2.1 (safety and reliability of control systems). On every other part of the Machinery Regulation, you still do the Machinery work the Machinery way.
  • The manufacturer connects the dots in the technical file. In practice: the recital is permissive, not automatic. To use CRA evidence as Machinery Regulation evidence, the manufacturer maps CRA-driven controls to the specific Machinery Regulation sections and cites harmonised standards that cover both regimes.

The recital closes with one further instruction that this page repeats below: each regime keeps its own conformity assessment procedure, and both have to be followed.

How CRA evidence maps to the Machinery Regulation

A pragmatic mapping for the overlap:

  • Machinery Regulation §1.1.9 (protection against corruption). Supporting CRA evidence: CRA risk assessment (Article 13(2)); Annex I Part I secure-by-default configuration, authentication and access control, data integrity protection.
  • Machinery Regulation §1.2.1 (safety and reliability of control systems). Supporting CRA evidence: Annex I Part I availability of essential functions, exploitation mitigation, security event recording; Annex I Part II regular security testing.
  • Machinery Regulation technical file. Supporting CRA evidence: CRA technical documentation under Annex VII (cross-referenceable), CRA software bill of materials, CRA vulnerability handling policy.

This mapping is informative, not normative. The manufacturer must justify the link in the technical file for each specific machine, and the recital's "such synergies have to be demonstrated" language puts that burden on the manufacturer.

Conformity assessments stay separate

Each regime keeps its own conformity assessment procedure. Recital 53 says the manufacturer should follow the applicable procedures under both the CRA and Regulation (EU) 2023/1230. The Machinery Regulation has its own routes, including notified-body involvement for higher-risk machinery categories; the CRA has its own routes under Article 32 and Annex VIII.

One notified body can run both, but only if it holds both designations. The same machine can require notified-body involvement under both regimes, possibly from the same body if it has been designated under both regulations. Notified bodies are designated regulation by regulation; a Machinery Regulation designation does not extend to the CRA.

For the CRA conformity assessment route decision, see CRA conformity assessment. For the technical documentation requirements, see CRA technical documentation.

Common Pitfalls

  • Claim: "One CE mark means we only do one conformity assessment." Why it fails: the CE mark sits once on the product, but each applicable regime still needs its own conformity assessment, technical documentation and declaration.
  • Claim: "Our Machinery Regulation notified body automatically covers the CRA." Why it fails: notified bodies are designated regulation by regulation. A body listed under the Machinery Regulation does not automatically become a CRA notified body; check the Commission NANDO listing for both regulations against the body's number.
  • Claim: "No internet interface means the CRA does not apply." Why it fails: embedded software, firmware or a programmable controller can make the machine a product with digital elements; an indirect data connection through a connectable system also brings the machine into scope.
  • Claim: "Machinery Regulation section 1.1.9 alone proves CRA cybersecurity compliance." Why it fails: section 1.1.9 addresses protection against corruption, which is one slice of cybersecurity-driven safety. The CRA essential requirements are broader and the manufacturer must still demonstrate compliance with the full CRA set.
  • Claim: "The synergy recital lets us reuse CRA evidence on the Machinery side automatically." Why it fails: the recital is permissive, not automatic. The manufacturer must map CRA-driven controls to the specific Machinery Regulation sections and cite harmonised standards that cover both regimes in the technical file.

Frequently Asked Questions

Does the CRA replace or override the Machinery Regulation?

No. The Machinery Regulation still governs machinery safety, and the CRA adds cybersecurity duties where the machine is also a product with digital elements. A manufacturer in scope of both must comply with the cybersecurity essential requirements of the CRA and the essential health and safety requirements of the Machinery Regulation. The CRA pins the overlap to protection against corruption and safety and reliability of control systems (Recital 53).

Can a single CE marking cover both regimes?

One CE marking can sit on the product, but the underlying conformity work remains separate. The CE mark indicates that the product meets the applicable Union harmonisation legislation. For a machine with digital elements, that means the Machinery Regulation conformity assessment plus the CRA conformity assessment. The mark is single, but each applicable regime still needs its own conformity evidence and declaration (Article 32).

When do the two regulations apply from?

The Machinery Regulation (Regulation (EU) 2023/1230) applies in full from 20 January 2027, replacing the Machinery Directive 2006/42/EC for products placed on the market from that date. The CRA (Regulation (EU) 2024/2847) applies in full from 11 December 2027 for products placed on the market from that date (Article 71(2)). Products with digital elements placed on the market before 11 December 2027 are subject to the CRA requirements only if substantially modified from that date, although Article 14 reporting obligations still apply to all in-scope products from 11 September 2026 (Article 69(2); Article 69(3)).

Does my Machinery Regulation notified body also cover the CRA?

Only if the body holds both designations. Notified bodies are designated regulation by regulation, so a body listed for a Machinery Regulation module does not automatically become a CRA notified body. Check the official European Commission NANDO listing for both regulations against the body's number; if both designations are present, one body can run both assessments (Article 43).

What if my machine has no network interface? Does the CRA still apply?

Maybe. No internet interface does not automatically take a machine outside the CRA, but the scope test still requires a data connection. A machine is in CRA scope only where its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Embedded software, firmware or a programmable controller can make the machine a product with digital elements, but a machine with no such data connection needs a careful scope analysis rather than an automatic yes (Article 2(1)).

Where to start

  1. Check machinery scope and CRA scope. Use Who must comply with the CRA for the CRA side.
  2. Map safety-related cyber risks to corruption protection and control-system reliability.
  3. Cross-reference CRA technical evidence into the Machinery technical file. See CRA technical documentation and CRA SBOM requirements.
  4. Cover safety-relevant control logic in the vulnerability handling process.
  5. Choose the CRA conformity route and the Machinery route separately. See CRA conformity assessment.
  6. Check whether one notified body is designated for both regimes before scheduling assessments.