
In short, by December 2027, machines sold in the EU must be cyber-secure by default, actively maintained against vulnerabilities, and backed by clear, documented evidence of compliance.

To sell a machine with digital elements in the EU, the manufacturer must ensure the product meets the requirements of the Cyber Resilience Act (CRA). The CRA introduces mandatory cybersecurity requirements for manufacturers, covering the planning, design, development and maintenance of such products. These obligations must be met at every stage of the value chain. The CRA also requires manufacturers to handle vulnerabilities throughout the lifecycle of their products. Certain products that are particularly relevant for cybersecurity must undergo a third-party assessment by a notified body before the manufacturer places the machine on the EU market.

  1. The machine must be secure by design and secure by default. Cybersecurity is integrated into the product from the design phase rather than added later. The manufacturer delivers machines with only necessary functions enabled, no weak passwords, and no unnecessary open ports or services.

  2. The manufacturer must implement essential security controls. The manufacturer protects the machine against known vulnerabilities, provides secure software and firmware updates, and minimises the machine’s attack surface. There must be a defined process to identify, handle, and fix vulnerabilities throughout the product’s lifecycle.

  3. The manufacturer must maintain mandatory cybersecurity documentation. This includes a documented cyber risk assessment, a Software Bill of Materials (SBOM) listing all software components, a vulnerability handling process, and technical documentation that demonstrates compliance with the CRA. This documentation must be available to EU authorities upon request.

Our end-to-end, AI-powered system, CRA Navigator, handles all the mandatory CRA requirements and also supports machinery manufacturers (OEMs) in many other service and maintenance areas. Read more about CRA Navigator AI.
