New standards for cybersecurity in machinery

New EU regulations like Radio Equipment Directive (RED), EU Machinery Regulation (MR) and Cyber Resilience Act (CRA) introduce cybersecurity requirements that affect radio equipment, machinery and digital products. For OEMs using wireless remote control systems, understanding the regulatory landscape early helps ensure a predictable path to CE marking 2027 and beyond.

What does it mean for mobile machines?

New EU legislations introduce cybersecurity requirements that affect radio equipment, machinery and digital products.

Some requirements apply directly to the machine placed on the EU market, while others apply to components integrated into the machine, such as radio remote control systems.

For OEMs using wireless or remote control systems, these developments will influence how machines are designed, documented and CE-marked in the coming years.

The regulatory landscape is still evolving, but understanding the direction early helps ensure a predictable path forward. At Scanreco, we follow these developments closely and work continuously to support our OEM partners.

What's coming

The regulatory landscape towards CE marking in 2027

Several EU legislations introduce cybersecurity expectations for machinery placed on the European market. They address different parts of the system – the machine itself, radio equipment, and digital products – but together they shape the future compliance framework.

Radio Equipment Directive (RED)

What it is
The EU Radio Equipment Directive (RED) 2014/53/EU regulates equipment that communicates via radio signals at designated frequencies.

In effect
Cybersecurity requirements under Article 3(3) apply from August 2025.

What it covers
Radio equipment, including wireless remote control systems.

What it means for equipment manufacturers
Remote control equipment integrated into machinery must comply with RED and be supported with the necessary documentation.

Machinery Regulation (MR)

What it is
The EU Machinery Regulation (EU) 2023/1230 replaces the current Machinery Directive.

In effect
Applies from January 2027 across all EU member states.

What it covers
The complete machine placed on the EU market.

What it means for OEMs
OEMs must continue to perform a risk assessment and CE-marking process, ensuring that safety and cybersecurity risks – including those related to software and digital technologies – are properly addressed.

Cyber Resilience Act (CRA)

What it is
The EU Cyber Resilience Act (CRA) introduces cybersecurity requirements for products with digital elements, including electronics and software.

In effect
The regulation will apply from December 2027, with specific obligations phased in earlier in September 2026.

What it covers
Products with digital elements placed on the EU market, including electronics and software used in machines and control systems.

What it means for OEMs
Manufacturers must demonstrate that products with digital functionality are securely developed and maintained throughout their lifecycle, including processes for vulnerability management and software updates.

What OEMs should start thinking about now

The regulatory landscape is evolving and pending harmonization, but a few themes are already clear. Because these regulations apply to machines placed on the EU market after the relevant deadlines, both new and existing machine designs need to be reviewed.

Architecture decisions made early

Cybersecurity is difficult to retrofit late in development. Wireless communication, authentication mechanisms and software integrity should be considered early in the machine control architecture.

Documentation and traceability

Future CE marking will increasingly rely on structured documentation such as:

- cybersecurity risk assessments
- design decisions
- lifecycle management processes

Clear documentation will become as important as the technical solution itself.

Lifecycle responsibility

Cybersecurity expectations extend beyond the initial product launch. Manufacturers may need structured processes for:

- vulnerability management
- security updates
- long-term maintenance

Collaboration across the supply chain

OEMs depend on suppliers for critical system components. Clear responsibilities and transparency between OEMs and technology suppliers will be essential to support compliance and documentation.

Self-test

Is your machine platform exposed?

Start here:

Do you sell machines on the European market?
Do your machines use wireless communication, remote control systems or other digital products?
Will you place machines on the EU market after 2025–2027?

If yes, it may be worth considering:

Have cybersecurity requirements been considered in your system architecture?
Are responsibilities between OEM and suppliers clearly defined?
Do you have a documented process for handling software updates and vulnerabilities?

If several of these questions are still open, it may be useful to review how the upcoming regulations could affect your platform.

ON-DEMAND WEBINAR SERIES

Cybersecurity webinars for mobile machine OEMs

Watch our on-demand webinars on what the new EU cybersecurity rules mean for your machines — and how to get compliance-ready before the Machine Regulation and CRA applies. Hosted by Scanreco's experts.

🌎 Webinars are in English with options for subtitles in various languages in the video settings.

on-demand webinar

New cybersecurity regulations: What OEMs need to know

In this webinar, our experts break down what the Machinery Regulation and Cyber Resilience Act mean in practice, who they apply to, the most important deadlines to prepare for, and how OEMs should start working with suppliers and internal risk assessments today.

Watch on-demand now

On-demand webinar

Cybersecurity risk analysis: Getting started with TARA

In this webinar, our experts explain what TARA is, why it matters, how it helps you uncover vulnerabilities in your systems, and how to use it as a practical foundation for stronger, more secure machine design across the full product lifecycle.

Watch on-demand now

On-demand webinar

Cyberscurity risks from an insurance perspective - the insurance expert gives her view

In this webinar, Anna Johansson, a senior cybersecurity and risk consultant at AON, shares her perspective on today’s evolving cybersecurity landscape, how cyber exposure is assessed, which risk areas companies often overlook, and what additional measures should support effective risk mitigation and long-term business resilience.

Watch on-demand now

On-demand webinar

Beyond one-time compliance: why lifecycle management matters

In this webinar, our expert examines how to integrate cybersecurity across the entire product lifecycle, from initial deployment to long-term compliance. The discussion focuses on the importance of lifecycle readiness and what it means in practice when assessing products and suppliers.

Watch on-demand now

Get cybersecurity updates

Get relevant updates straight to your inbox, along with invitations to webinars where experts share insights and answer questions related to cybersecurity.

Sign up here

Scanreco perspective

Key to success - a holistic perspective

At Scanreco, at the core of what we do is delivering best possible product integrity - control solutions designed to withstand both today’s requirements and tomorrow’s risks and challenges.

We approach product integrity through three interconnected dimensions.

Safety integrity ensures that our systems meet demanding functional safety requirements, including SIL-rated architectures for critical machine operations.
Security integrity addresses the growing importance of cybersecurity and evolving regulatory requirements for wireless and digital systems.
Lifecycle integrity focuses on maintaining system robustness over time, including structured approaches to updates, vulnerability handling and long-term platform support.

Together, these dimensions form the foundation of Scanreco’s long-term commitment to delivering reliable and future-ready control solutions for machine builders and operators.

Frequently asked questions

What EU cybersecurity regulations affect machinery manufacturers?

Several EU regulations introduce cybersecurity expectations that may affect machinery manufacturers and their suppliers.

The most relevant frameworks are:

Radio Equipment Directive (RED) – cybersecurity requirements for certain radio equipment from August 2025

EU Machinery Regulation (MR) – updated machinery safety framework applicable from January 2027

Cyber Resilience Act (CRA) – cybersecurity lifecycle requirements for products with digital elements

These regulations address different parts of the system but together shape the future compliance landscape for machinery in the EU.

Do the new EU cybersecurity regulations apply to machinery?

Yes, but in different ways.

Some regulations apply directly to the machine itself, while others apply to components integrated into the machine, such as radio equipment or digital control systems.

OEMs remain responsible for the CE marking of the complete machine, while suppliers must ensure their components comply with applicable regulations.

Do machines need to be connected to the internet to be affected?

No.

A machine does not need to be connected to the internet for these regulations to be relevant.

Do OEMs need to redesign their machines because of these regulations?

Not necessarily.

However, OEMs may need to review aspects such as:

system architecture
cybersecurity risk assessments
documentation
lifecycle processes

The impact depends on the machine design and the technologies used.

Who is responsible for compliance and CE marking?

The OEM remains responsible for CE marking the machine placed on the market.

Suppliers contribute by ensuring their components meet applicable requirements and by providing technical documentation to support the OEM’s compliance process.

How is Scanreco working with these regulatory developments?

Scanreco continuously follows the evolving regulatory landscape and works systematically to ensure that our remote control solutions fulfil the requirements needed by machine builders to facilitate verification of their equipment.

As harmonized standards become more clearly defined, we will continue to share insights and guidance with our OEM partners.

What are the cybersecurity requirements in the Radio Equipment Directive (RED)?

The Radio Equipment Directive (RED) regulates products that communicate via radio.

From 1 August 2025, certain categories of radio equipment must also meet cybersecurity requirements under Article 3(3)(d), (e) and (f).

These requirements focus on ensuring that radio equipment:

protects communication networks from misuse
safeguards personal data and privacy where applicable
prevents fraud or unauthorized use of connected services

For manufacturers of radio equipment, this typically means demonstrating that the product includes appropriate safeguards against unauthorized access, manipulation or misuse of the radio interface.

Wireless remote control systems used in machinery fall within the scope of RED and must be assessed against these requirements.

Do wireless remote control systems fall under RED?

Yes.

Wireless remote control systems communicate via radio signals and are therefore considered radio equipment under the EU Radio Equipment Directive (RED).

Manufacturers of radio equipment must ensure that the equipment architecture and implementation comply with RED requirements and provide supporting documentation.

For OEMs integrating wireless control systems into machinery, this means the radio equipment used in the machine must be RED-compliant and supported with appropriate technical documentation.

What changes with the EU Machinery Regulation in 2027?

The EU Machinery Regulation (EU) 2023/1230 replaces the current Machinery Directive and becomes applicable from January 2027 in all EU member states.

Its goal is to modernize the safety framework for machinery and address risks associated with digital technologies, software and increasingly connected systems.

Compared with the previous directive, the regulation places greater emphasis on:

risks related to software and digital control systems
cybersecurity considerations where they affect machine safety
clearer documentation and traceability requirements

OEMs placing machinery on the EU market must continue to perform a risk assessment and CE-marking process, ensuring that safety risks — including those related to software and digital technologies — are addressed.

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) introduces cybersecurity requirements for products with digital elements, including electronics and embedded software.

Its goal is to improve the overall cybersecurity of connected products sold in the EU by introducing requirements related to:

secure product development
product vulnerability management
product software update mechanisms
transparency regarding known vulnerabilities

Unlike the Machinery Regulation, which focuses on machine safety, the CRA addresses product cybersecurity throughout the product lifecycle.

The exact application to specific industrial products will become clearer as standards and implementation guidance develop.

Want to read more about Cybersecurity?

We continously develop information to help you stay up to date on how to navigate remote controlled machine related cybersecurity updates.

Blog

What OEMs need to know about the EU Cyber Resilience Act

Safety and Compliance

The Machinery Regulation EU2023/1230

Download now

EXPERT

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

Andreas Lång System architect