Machines today are digital systems. They are software-driven, connected, remotely accessible, and continuously generate operational and usage data. With the Cyber Resilience Act and the EU Data Act, the European Union is responding precisely to this development. Both regulations intervene in the same technical context.
The regulatory deadlines are approaching quickly. The EU Data Act applies from September 12, 2025. The first obligations of the Cyber Resilience Act — including mandatory reporting of actively exploited vulnerabilities — begin in September 2026, while full CRA compliance becomes mandatory from December 2027. For machine builders, this means that preparation effectively starts now.
For machine builders, this means that security, data access, and service architecture can no longer be considered separately, but must be treated as a shared responsibility.
The Cyber Resilience Act is a product regulation for products with digital elements. It therefore also applies to industrial machinery, control systems, and the software used within them. At its core lies one central question:
Can a connected machine be operated securely throughout its entire service life?
Among other things, the CRA requires:
This reporting obligation mainly concerns vulnerabilities in digital components used within the machine. If an OEM uses a certified third-party component — for example for connectivity or remote access — a large part of the vulnerability monitoring and reporting responsibility lies with the supplier of that component. This can significantly reduce the administrative burden for machine builders.
For machine builders, this represents a clear shift in perspective. Cybersecurity does not end with commissioning. Manufacturers remain responsible throughout the expected lifetime of the deployed software and digital components. In many cases, this means five years or more. Cybersecurity thus becomes a permanent component of product compliance and does not end upon delivery of the machine.
At the latest when a machine is commissioned, remote access becomes security-relevant. From a regulatory perspective, any remote connection is considered a digital entry point to the machine. If this access is insufficiently secured, it jeopardizes the safe operation of the machine.
Under the Cyber Resilience Act, remote access solutions are therefore regarded as security-critical components. If the connection is weak or not certified, responsibility lies with the manufacturer.
In practice, this means machines must be delivered with closed ports, clearly defined credentials, and integrated security mechanisms from the outset. If these requirements are not met, the product is considered insecure and cannot be placed on the market.
With CRA enforcement milestones approaching from 2026 onward, the choice of secure and certified remote access technology becomes a strategic architectural decision.
The EU Data Act follows a different approach. It is not a security regulation, but a data and market regulation. Its focus is on data generated through the use of connected products, including in industrial environments.
The Data Act regulates:
In practice, the Cyber Resilience Act and the EU Data Act intersect at the same point: the machine’s internet connection.
Remote access is, under the CRA, a security-critical access point. At the same time, under the EU Data Act, it is the technical channel for data access and data sharing.
If access is secured too restrictively, legally required data access may be prevented. If it is designed too openly, security vulnerabilities arise. Machine builders must therefore learn to design security and data access together rather than playing them against each other.
Both regulations fundamentally change key assumptions in mechanical engineering. Cybersecurity becomes part of product strategy rather than just IT. Data access becomes part of the customer relationship. Remote services become regulatorily visible. Cloud and platform decisions gain strategic importance.
A common mistake is underestimating long-term obligations. Security updates must still be provided years after the sale. At the same time, existing contractual models are coming under pressure. Blanket ownership claims to machine data are no longer sustainable under the EU Data Act.
In the future, competitive advantage will not depend on owning data, but on the ability to create sustainable added value from it.
The Cyber Resilience Act and EU Data Act define new guidelines for digital mechanical engineering.
Security, data access, and remote services become strategic factors that determine market access, customer relationships, and competitiveness.
Machine builders who integrate these topics early reduce regulatory risks and lay the foundation for scalable, future-proof business models.
In practice, this also means that not every security and data architecture must be built from scratch. Using specialized and certified industrial components can significantly reduce the compliance burden.
Purpose-built industrial gateways are a good example. Solutions such as the IXON SecureEdge Pro are IEC 62443-4-2 certified, supporting the strict security requirements of the Cyber Resilience Act while providing the open APIs needed to enable controlled data sharing under the EU Data Act.
For many machine builders, using certified components is therefore the most efficient way to meet regulatory requirements without having to develop the entire infrastructure themselves.
The Cyber Resilience Act (CRA) is a product regulation. It ensures that connected machines and software are secure throughout their entire lifecycle — from development to operation. Security becomes a prerequisite for marketability.
The EU Data Act is a data and market regulation. It governs access to machine data and strengthens users’ rights to use this data or share it with third parties.
In short: the CRA keeps attackers out and the Data Act regulates who is allowed in.
Both regulations apply at the same technical point: the machine’s internet connection.
Remote access is simultaneously security-critical (CRA) and data-relevant (EU Data Act).
Considering the two laws in isolation creates conflicting objectives — for example, overly restrictive security measures that prevent lawful data access, or overly open interfaces that create security vulnerabilities. Only an integrated approach ensures that security and data access function together.
Remote access becomes the central compliance interface. Under the CRA, remote access must be secure, clearly authenticated, and traceable. Under the EU Data Act, the same access enables controlled access to machine data.
Remote access thus evolves from a pure service tool into a regulatorily relevant component of machine architecture.
Primarily affected is data generated through operation of the machine, including:
Operational and usage data
Condition and performance data
Maintenance and diagnostic data
Generally not affected are source code, design documentation, or proprietary algorithms. The challenge lies in implementing a clear technical and contractual separation between these categories.
The first step is a digital inventory assessment:
Which software components run on the machine?
What data is generated, and where?
Which access points and interfaces exist?
Based on this, access rights, data flows, and responsibilities should be clearly defined. Only with this transparency can the requirements of the Cyber Resilience Act and the EU Data Act be met sustainably over the long term.