The Machinery Regulation and the Cyber Resilience Act will apply from 2027 and are intended to strengthen cybersecurity in the EU. The new regulations pose major challenges for companies, which they should already begin to address today.
The requirements of the Machinery Regulation and the Cyber Resilience Act will significantly change the product development process.
The numbers are alarming: according to the industry association Bitkom, cyberattacks such as ransomware, phishing, and other digital attacks cause around 191 billion euros of damage to the German economy annually, and the total damage from cybercrime amounted to 285 billion euros in 2024. Two-thirds of German companies (65 percent) see their existence threatened by a successful cyberattack, according to Bitkom.
For Europe as a whole there is no unified official figure for the damage caused by cybercrime in 2024. The available figures from Germany, Europe's largest economy, nevertheless illustrate the scale. Since the same threats and attack patterns occur in the other European countries, the Europe-wide damage in 2024 can be assumed to be significantly higher than the German figure.
Enhanced Protection Against Cybercrime
Against this backdrop, the European Union has supplemented the new Machinery Regulation (EU) 2023/1230 (German abbreviation MVO, for Maschinenverordnung) with specific cybersecurity requirements for machinery and its digital components. This reflects the EU's acknowledgment that modern machines are increasingly networked and rely on software-driven safety functions. The MVO nevertheless still focuses primarily on the physical and functional safety of machines and their components. It replaces the previous Machinery Directive 2006/42/EC and applies in full from January 20, 2027.
The requirements of the Machinery Regulation
Specifically, Annex III, section 1.1.9 of the new MVO ("Protection against corruption") addresses this: the connection to or communication with "another device" must not create dangerous situations. Machines and systems must be designed and built so that they can communicate with other devices or networks without giving rise to safety risks. The software for the operation of the machine or system must also be protected against manipulation, for example through encryption, security protocols, and regular software updates. These requirements apply to manufacturers of machines and safety components as well as to operators.
To regulate the cybersecurity of products with digital elements, the European Union has adopted the Cyber Resilience Act (CRA), which entered into force on December 10, 2024. The CRA defines access requirements for the EU internal market and extends the scope of the CE marking. Its main obligations apply from December 11, 2027, but the reporting obligation for actively exploited vulnerabilities and severe security incidents in a product already applies from September 11, 2026.
The CRA defines cybersecurity requirements independent of product category to protect digital products throughout their entire lifecycle. Manufacturers must take responsibility for the IT security of their products beyond the point of sale. This applies to virtually all connected or connectable products, from vacuum robots to software and products used in critical sectors. The obligation is binding not only when the product is placed on the market but also throughout its expected lifetime (the support period).
The Cyber Resilience Act
The Cyber Resilience Act (CRA) applies to all products that are directly or indirectly connected to another device or network, hardware and software alike. The protection extends across the entire product lifecycle, from planning, design, and development to maintenance, and the obligations apply to all stages of the value chain. From the full application of the CRA in December 2027, the CE marking on a product indicates conformity with the protection objectives of the legislation, which gives users a baseline on which to build their own further security measures. Some provisions, such as those on the designation of conformity assessment bodies, already apply from June 11, 2026.
In the Future, Two Sets of Rules Will Be Decisive
The MVO and the CRA therefore complement each other: while the MVO ensures the mechanical and functional safety of machines, the CRA ensures that digital components and software are secure against cyberattacks. Both rely on strict manufacturer obligations, conformity assessments, and market surveillance. This has significant implications for the work of designers and developers: in future they must not only ensure mechanical safety but also build cybersecurity into their design and development processes, or face substantial fines.
This changes product development considerably. Products must be built with Security by Design (security from the outset) and Security by Default (machines are delivered with secure settings out of the box). Designers must therefore plan measures against cyberattacks, unauthorized access, and manipulation already in the design phase. Machines with digital control need protected interfaces for secure communication. Secure update mechanisms are required for software updates and remote access, and software changes must not introduce new security vulnerabilities. Risk assessment must now also consider cyber threats, such as attacks on machine controls.
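As an added illustration (not code from the article or from any regulation text) of what a "secure update mechanism" for a machine control means in practice, the following Go program shows the two halves of a signed-update scheme: the vendor signs a small manifest (version number plus SHA-256 of the image) with an Ed25519 private key, and the device verifies the signature, refuses rollback to an older version, and checks that the delivered image matches the signed digest before anything is written to flash. The key pair, the manifest layout and the firmware bytes are constructed for the demo; a real device would carry the vendor public key in immutable storage and read the installed version from a protected counter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update image. Only the manifest is
// signed; the image is bound to it through its SHA-256 digest, so a tampered
// image fails the hash check even though the manifest signature is valid.
// (Layout is an assumption for this example, not a standard format.)
type Manifest struct {
	Version   uint32   // monotonically increasing; used for anti-rollback
	ImageHash [32]byte // SHA-256 of the update image
}

// Encode serialises the manifest deterministically: 4-byte big-endian version, then the hash.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

var (
	ErrBadSignature = errors.New("update: manifest signature invalid")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
	ErrHashMismatch = errors.New("update: image does not match signed manifest")
)

// NewManifest builds a manifest for an image at the given version.
func NewManifest(version uint32, image []byte) Manifest {
	return Manifest{Version: version, ImageHash: sha256.Sum256(image)}
}

// SignManifest is the vendor-side step. The private key stays on the release
// system; only the public key is provisioned to devices.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the device-side check, run before the image is installed:
// signature first (so nothing unauthenticated is acted on), then anti-rollback,
// then the image digest.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway key pair for the demo
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample firmware image v2") // constructed, not a real image
	m := NewManifest(2, image)
	sig := SignManifest(priv, m)

	fmt.Println("valid update:    ", VerifyUpdate(pub, 1, m, sig, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // one flipped byte in the image
	fmt.Println("tampered image:  ", VerifyUpdate(pub, 1, m, sig, tampered))
	fmt.Println("rollback attempt:", VerifyUpdate(pub, 2, m, sig, image))
	edited := m
	edited.Version = 3 // version bumped without re-signing
	fmt.Println("edited manifest: ", VerifyUpdate(pub, 1, edited, sig, image))
}
```

The order of the checks matters: the signature is verified before the version field is trusted, so an attacker cannot use a forged manifest to trip the rollback counter or learn anything from the hash comparison. Delivering the update over an encrypted channel does not replace this check; transport encryption protects the connection, the signature protects the artifact itself.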
Designing for the future with MVO and CRA
The Machinery Regulation (MVO) and the Cyber Resilience Act (CRA) present significant challenges for manufacturers and operators of machines and systems as well as for suppliers of components. While the MVO becomes binding across the EU from January 2027, the CRA's obligation to report actively exploited vulnerabilities and severe security incidents in connected components and systems already applies from September 2026. That is reason enough for companies to prepare early for the necessary and extensive measures.
The Konstruktionsleiter-Forum SPOTLIGHT, taking place on October 14, 2025, in Würzburg, raises awareness of the requirements companies will face and their consequences, and shows how development departments and processes must be positioned in future. The early bird catches the worm: those who register by July 15, 2025, receive an early bird discount.
These are just some examples of how the MVO and the CRA will significantly influence and change product development. Companies and their designers and developers would therefore be well advised to start preparing for the future requirements today. (jv)