Earlier in March, the European Commission took another step towards its mandatory cybersecurity regulation, and with it towards settling whether machine manufacturers can CE mark their equipment and continue to sell on the EU market. Although many uncertainties remain, here’s what we know now about the regulation and its potential harmonized standards.
On March 3, 2026, the EU published draft guidance to support the application of the Cyber Resilience Act (CRA), open for comments until April 13, 2026. As this is an important step forward, it is also important to be clear and transparent about the current situation. At this stage, no company can reasonably claim that it (or its products) is compliant with the CRA standards, as there is still no final clarity on the harmonized standards that will define how compliance is to be demonstrated in practice.
While the regulation entered into force in December 2024, the technical and legal framework needed for conformity assessment is still under development. The draft guidance released in March of this year doesn’t describe compliance, but it provides valuable insight into how the European Commission interprets the regulation and what the future standards and enforcement are likely to be. For manufacturers of radio remote controlled machinery and control systems, this guidance marks a transition point from regulatory awareness toward structured preparation.
From digital regulation to physical machines
The Cyber Resilience Act (CRA) is an EU regulation that applies to all products with digital elements, including hardware, software, and any type of network connectivity. For the machinery sector, this includes not only equipment that relies on radio remote controls, but also, for example, machines’ embedded software, other wireless communication, and digital interfaces for configuration, diagnostics, or updates.
Typical examples that we as a remote control supplier meet include cranes, forestry machinery, concrete pumps, and industrial vehicles, but also all other mobile or stationary machines with digital elements and where remote control systems are a core part of safe and efficient operation.
No compliance = no EU market access
One effect of the CRA is that cybersecurity becomes a product lifetime responsibility rather than a voluntary or best practice measure. In fact, cybersecurity requirements under the CRA become a baseline condition for placing affected machinery and control systems on the EU market.
In partnerships for manufacturing radio remote controlled machinery, this doesn’t mean introducing entirely new concepts, but rather expanding existing product responsibilities to include cybersecurity alongside safety, reliability, documentation, and regulatory compliance.
Why 2026 is a key year
Although the CRA is scheduled to fully apply from December next year, 2026 is an important year for the industry. This year, structures for conformity assessment will start to be established. Moreover, obligations related to vulnerability and incident reporting are expected to be followed before full application – in fact, as early as September this year.
For all of us in the radio remote control and machinery sector, early preparation is important. Products often have long lifecycles, so design decisions made today will influence compliance and support obligations well into the future.
The role of the draft guidance
It is important to bear in mind that there is, to date, no way to claim that products are cybersecure according to the regulation. The draft guidance published in March 2026 by the EU Commission is not legally binding and will not replace harmonized standards. However, it plays an important role by clarifying how the European Commission currently understands and intends to apply the regulation.
One particularly relevant aspect is the interface between cybersecurity and functional safety. While safety regulations address the prevention of physical harm, the CRA focuses on how cybersecurity weaknesses could undermine those safety functions, for example through unauthorized access, interference with radio communication, or manipulation of control logic.
Implications not only for European OEMs
The Cyber Resilience Act represents one of the most significant regulatory developments for machinery in recent years. Its influence will extend beyond Europe, as global manufacturers align products and platforms with the requirements of the European Union.

The CRA not only affects technical design choices, but also has implications for how organizations structure responsibilities and collaborate across the full value chain. Compliance also applies regardless of where a company is based. Any manufacturer in the world supplying machinery “with digital elements”, with or without wireless control systems, to the EU market will need to conform to the CRA requirements.
The draft guidance published in March does not provide any final answers, but offers a clear direction. It helps reduce uncertainty and highlights regulatory expectations. This helps companies prepare for the next steps of the implementation.
For us, as a leader in the radio remote controlled machinery industry, the overall message is pragmatic rather than alarmist:
- Cybersecurity is becoming an integral part of product compliance.
- Preparation can and should begin now.
- Formal compliance will only be possible once standards are finalized.
Scanreco is closely monitoring the ongoing development of the Cyber Resilience Act, including draft guidance, harmonized standards, and conformity assessment approaches. In parallel, we are actively working to ensure that our radio remote control systems and internal processes are aligned with the forthcoming requirements, with the aim of achieving full compliance once the regulatory framework is finalized.