Building a Cybersecurity Management Plan
The EU Machinery Regulation, which will replace the Machinery Directive 2006/42/EC in January 2027, introduces mandatory consideration of cybersecurity. Manufacturers shall notify national authorities of any serious incidents affecting the security of products with digital elements and any actively exploited vulnerabilities. All requirements of the Cyber Resilience Act (CRA) will apply from 11 December 2027 onwards.
Under the new regulations, all products placed on the EU market shall be designed, developed and manufactured in accordance with the essential cybersecurity requirements of the Cyber Resilience Act. Manufacturers shall meet requirements related, among other things, to protection against tampering, the security of software and remote connections, and the integrity of safety functions.
The legislation is mandatory, and failure to meet cybersecurity requirements may prevent a product from being brought onto the market. For machines or vehicles already in use, the obligation to report vulnerabilities must also be taken into account.
Starting points and objectives:
- Changes introduced by the new Machinery Regulation and the Cyber Resilience Act must be addressed in design, product development and manufacturing.
- Compliance with cybersecurity requirements requires, among other things, technical documentation of cybersecurity solutions, risk assessment and traceability of results, and conformity assessment.
- Need for the identification of applicable requirements and standards for machines or vehicles.
- Development of a requirements management process tailored to the client’s needs, incorporating new cybersecurity requirements and standards, and ensuring that any other mandatory requirements are also included in the process.
Results and benefits:
- The customer gains an up-to-date overview of the new Machinery Regulation, the Cyber Resilience Act and relevant standards.
- We prepare the compliance management plan for the customer, which will ensure the product’s compliance with requirements.
- The plan defines concrete actions and tasks to meet identified requirements and maps the necessary tools and methods.
- Training sessions tailored to the customers’ needs are delivered.
At present, machine manufacturers have lots of questions about cybersecurity and the new obligations associated with it: who it is going to affect, when everything needs to be in order, when does the legislation apply and when not, and what steps they should take next. Our experts will assist you to the extent that meets your needs! – Business Manager, Safety and Compliance, Juha Hakanen, Comatec.


