A machine with a programmable controller, an HMI, an embedded computer or a network interface falls under both the EU Machinery Regulation (Regulation (EU) 2023/1230) and the EU Cyber Resilience Act (Regulation (EU) 2024/2847). Recital 53 of the CRA names the overlap and points to two Annex III sections of the Machinery Regulation, 1.1.9 and 1.2.1, where the cybersecurity content concentrates. This page covers what Recital 53 says, how CRA evidence maps onto the Machinery side and where the two conformity assessments stay separate.
## Summary
- Both regimes apply at the same time. A machine that contains a programmable controller, an HMI or a network interface is regulated by the Machinery Regulation for safety and by the CRA for cybersecurity. There is no exemption: Article 2 of the CRA carves out medical devices, motor vehicles, civil aviation and marine equipment, and machinery is not on that list.
- Recital 53 is the dual-regime anchor. It tells manufacturers in scope of both regulations to comply with both, and names Annex III sections 1.1.9 and 1.2.1 of the Machinery Regulation as where the cybersecurity content of the Machinery side concentrates.
- The overlap is on cybersecurity-driven safety failures. A control system whose safety logic can be tampered with over the network is unsafe in the Machinery sense and insecure in the CRA sense. The same engineering controls (input validation, authentication, integrity protection of safety logic) speak to both regulations.
- CRA evidence can carry weight on the Machinery side, but you have to connect it. Recital 53 permits the synergy and points to harmonised standards as the bridge. The burden of demonstrating the link sits with the manufacturer, in the technical file.
- Each regime keeps its own conformity assessment. The Machinery Regulation runs its own routes (with notified-body involvement for higher-risk machinery in its Annex I); the CRA runs Article 32 with the modules in Annex VIII. The same notified body can do both if it holds both designations.
The overlap in four numbers: two regulations, two Annex III sections, the recital that ties them together and the dates that put the dual regime into force.
## Where the two regulations overlap
The Machinery Regulation regulates the safety of machinery placed on the EU market. The CRA regulates the cybersecurity of products with digital elements placed on the EU market. A modern machine that contains a PLC, an HMI, an embedded controller, or a network interface meets both definitions and triggers both regimes.
Where they overlap is on requirements that address cybersecurity-driven safety failures. A control system whose safety-relevant logic can be tampered with over the network is unsafe in the Machinery Regulation sense and insecure in the CRA sense. The same engineering controls (input validation, authentication, integrity protection of safety logic) speak to both regulations.
Recital 53 of the CRA pins this overlap to two sections of the Machinery Regulation:
- Annex III §1.1.9 of Regulation (EU) 2023/1230 addresses protection against corruption of control systems.
- Annex III §1.2.1 of Regulation (EU) 2023/1230 addresses the safety and reliability of control systems, including against deliberate manipulation.
Both sections carry cybersecurity content because corruption and deliberate manipulation of control systems are cybersecurity threats with safety consequences.
## What CRA Recital 53 says, in plain terms
Recital 53 is the line in the CRA that ties the two regimes together. In plain English it tells the manufacturer of a machine with digital elements four things:
| What the recital says | What it means in practice |
|---|---|
| Both regimes apply, no exemption | A machine in scope of Regulation (EU) 2023/1230 that is also a product with digital elements has to meet the cybersecurity essential requirements of the CRA and the essential health and safety requirements of the Machinery Regulation. Article 2 of the CRA carves out medical devices, motor vehicles, civil aviation and marine equipment; machinery is not on that list. |
| The same cybersecurity risks can show up in both | The two regulations address similar cybersecurity threats from different angles: the Machinery Regulation through safety, the CRA through cybersecurity. Where they overlap, the same engineering controls (input validation, authentication, integrity protection of safety logic) speak to both. |
| CRA work can carry weight on the Machinery side, but only where they overlap | The CRA risk assessment (Article 13(2)), the technical documentation (Annex VII) and the vulnerability handling process (Annex I Part II) generate evidence that maps onto Annex III §1.1.9 (protection against corruption) and §1.2.1 (safety and reliability of control systems). On every other part of the Machinery Regulation, you still do the Machinery work the Machinery way. |
| The manufacturer connects the dots in the technical file | Recital 53 is permissive, not automatic. To use CRA evidence as Machinery Regulation evidence, the manufacturer maps CRA-driven controls to specific Annex III sections and cites harmonised standards that cover both regimes. |
The recital closes with one further instruction the article repeats below: each regime keeps its own conformity assessment procedure, and both have to be followed.
## How CRA evidence maps to the Machinery Regulation
A pragmatic mapping for the overlap:
| Machinery Regulation requirement | CRA evidence that supports it |
|---|---|
| Annex III §1.1.9 (protection against corruption) | CRA risk assessment (Article 13(2)), Annex I Part I (b) secure-by-default configuration, (d) authentication and access control, (f) data integrity protection |
| Annex III §1.2.1 (safety and reliability of control systems) | CRA Annex I Part I (h) availability of essential functions, (k) exploitation mitigation, (l) security event recording; Annex I Part II (3) regular security testing |
| Machinery Regulation technical file | CRA technical documentation under Annex VII (cross-referenceable), CRA SBOM, CRA vulnerability handling policy |
This mapping is informative, not normative. The manufacturer must justify the link in the technical file for each specific machine, and Recital 53's "such synergies have to be demonstrated" language puts that burden on the manufacturer.
## Conformity assessments stay separate
Recital 53 closes with a clear instruction: "The manufacturer should also follow the applicable conformity assessment procedures set out in this Regulation and in Regulation (EU) 2023/1230." The Machinery Regulation has its own conformity assessment routes (including notified-body involvement for higher-risk machinery in its Annex I); the CRA has its own (Article 32 and Annex VIII modules). The same machine can require notified-body involvement for both regimes, possibly with the same notified body if it holds both designations.
For the CRA conformity assessment route decision, see CRA conformity assessment. For the technical documentation requirements, see CRA technical documentation.
## Frequently Asked Questions
### Does the CRA replace or override the Machinery Regulation?
No. The two regulations apply concurrently. Recital 53 of the CRA states the dual obligation in plain terms: a manufacturer of products in scope of Regulation (EU) 2023/1230 that are also products with digital elements must comply with the cybersecurity essential requirements of the CRA and the essential health and safety requirements of the Machinery Regulation. The Machinery Regulation continues to govern safety; the CRA adds the cybersecurity layer and pins the overlap to Annex III sections 1.1.9 and 1.2.1.
### Can a single CE marking cover both regimes?
One CE marking on the product, but two underlying conformity assessments. The CE mark is the manufacturer's declaration that the product meets every applicable Union harmonisation regulation. For a machine with digital elements that means the Machinery Regulation conformity assessment under its own Annex IV (or whichever route applies) and the CRA conformity assessment under Article 32 with the modules in Annex VIII. Both EU declarations of conformity must exist: the CE mark is single, but two sets of conformity paperwork sit behind it.
### When do the two regulations apply from?
The Machinery Regulation (Regulation (EU) 2023/1230) applies in full from 20 January 2027, replacing the Machinery Directive 2006/42/EC for products placed on the market from that date. The CRA (Regulation (EU) 2024/2847) applies in full from 11 December 2027, with Article 14 manufacturer reporting obligations starting earlier on 11 September 2026. A machine placed on the EU market between 20 January and 11 December 2027 is already under the new Machinery Regulation; from 11 December 2027 it is also under the CRA.
### Does my Machinery Regulation notified body also cover the CRA?
Only if the body holds a CRA designation in addition to its Machinery designation. Notified bodies are designated regulation by regulation. A body listed for Module B/C2/H under the Machinery Regulation does not automatically appear on the CRA notified-body list under Article 43. Check the EU NANDO database for both regulations against the body's number; if both designations are present, one body can run both assessments, which is operationally simpler than splitting them.
### What if my machine has no network interface? Does the CRA still apply?
Probably yes. Article 3(1) of the CRA defines a product with digital elements as a software or hardware product and its remote data processing solutions. The trigger is digital functionality, not connectivity. A machine with embedded software, firmware or a programmable controller is in scope even without a network interface, because the embedded software itself is the digital element. The narrow case where the CRA does not apply is purely mechanical machinery with no software, no firmware and no programmable logic, which is increasingly rare for products in scope of the new Machinery Regulation.