
What is the EU CRA?
The EU Cyber Resilience Act (CRA) is a recently enacted regulation that enforces minimum cybersecurity requirements on any “Product with Digital Element” (PDE) placed on the market. Simply put, a PDE is any product that is intended to connect to another device or network. The regulation applies to both hardware and software products, which encompasses the industrial automation and control systems (IACS) that comprise AMHE solutions and subsystems.
Just like the EU did with the General Data Protection Regulation (GDPR), which addressed personal privacy topics, the EU is aggressively regulating the cybersecurity of PDEs. The GDPR reshaped how organizations handle personal data, and the CRA is poised to fundamentally change how OEMs approach product security design.
The EU CRA mandates that non-compliant products cannot legally be placed on or kept in the EU market. Further, CE marking and declarations of conformity now implicitly include cybersecurity. By specifying requirements, enforcing substantial penalties (tiered penalties of up to €15 million or 2.5% of an OEM’s total global revenue, whichever is higher!) and integrating CE marking into CRA compliance, OEMs of PDEs are obligated to comply.
Annex I of the CRA provides the substantive responsibilities of OEMs for compliance with the regulation. The two primary obligations of OEMs under the CRA relate to secure product engineering and lifecycle vulnerability management.
The secure engineering requirements of the EU CRA include topics like:
- Delivery with configurations free of known exploitable vulnerabilities, and a secure-by-default configuration that minimizes services and data to those specified for the function.
- Protection against unauthorized access, and confidentiality and integrity of data.
The vulnerability management topics of the EU CRA apply for the PDE’s expected lifecycle. Therefore, manufacturers must define a support period, which—for long-lived AMHE—may extend well beyond traditional IT product cycles and may be measured in decades. Regardless of its length, the CRA mandates lifecycle vulnerability management topics including:
- Testing and review of a PDE’s security; documenting, addressing, remediating and reporting vulnerabilities; disclosing information about patches or mitigations.
- Addressing vulnerabilities throughout the product lifecycle through security updates; facilitating information sharing; making security patches available free of charge.
What underpins the regulation is applied risk management. The EU CRA obligates PDEs be “designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.” Therefore, most OEMs do have some latitude in how to satisfy the EU CRA engineering and vulnerability management topics, depending on the specified context of use and reasonably foreseeable misuse of any given product.
While the EU CRA is the first substantial regulation for the security of PDEs, OEMs are impacted by other drivers of change related to security. Examples include the EU Machinery Regulation 2023/1230 (MR), emerging market regulations, customer terms and conditions, and a general expectation that reputable OEMs manage product security in this day and age.
How does a reputable OEM satisfy the EU CRA and disparate market requirements?
Oftentimes, security relating to the OEM’s enterprise IT landscape is conflated with the security of the products the OEM places on the market, which for AMHE OEMs are typically quite distinct topics.
Generally speaking, a company’s ability to manage its own information systems should not be conflated with the security of the PDEs that company places on the market. While ISO 27001 is a commonly known standard related to a company’s information systems and may include high-level development controls, the IEC 62443-3 and 62443-4 series of standards is better aligned with the secure development of IACS.
IEC 62443 is a series of standards that address security for IACS, maintained and published by the International Electrotechnical Commission (IEC). It provides minimum secure development processes and foundational security control requirements for IACS and is specified in draft EU CRA mapping documentation relating to IACS.
While 62443 does not cover every regulatory obligation on its own, so supplemental processes are needed to fully satisfy CRA legal and reporting obligations, 62443 is a strong baseline across the broad regions and industries that utilize IACS. IEC 62443 is expected to be the basis of the upcoming EN 18031 series of harmonized standards under the CRA by 2027.
With regulatory enforcement beginning in January 2027 for MR, and CRA enforcement beginning in December 2027, reputable AMHE OEMs like Dematic have proactively adopted business processes, based on IEC 62443 standards, to account for compliance with emerging regulations, terms, and expectations.
How can AMHE OEMs prepare for EU CRA compliance, especially when security is not natively designed into the products?
While this is not a simple question to answer, the requirements to satisfy the EU CRA are now clear. OEMs must focus on compliance with the key requirements of Annex I of the CRA, which generally follow good engineering practice in the year 2026 anyway. However, topics that may be challenging to address or document should be managed sooner rather than later, by:
- Establishing alignment between relevant teams (e.g., Product Management, Legal, Engineering, Product Security, Customer Service) on the overall management of the EU CRA.
- Implementing industry-accepted standards (e.g., IEC 62443) in formal engineering processes.
- Determining vulnerability reporting policies and mechanisms to regulatory authorities (due September 2026), and complying with the mandated (tiered) reporting timelines.
- Specifying the context of use of the AMHE, including secure deployment assumptions and the intended operating environment.
- Maintaining a complete software bill of materials (SBOM) of the components that comprise any PDE, in a machine-readable format, retained for 10 years after market placement and provided to regulatory authorities upon request.
Finally, how AMHE OEMs exercise reasonable risk management in secure product design will also depend on the following critical factors:
- AMHE is designed, engineered, and purpose-built to provide specified autonomous functionality in a safe capacity that prioritizes Safety & Availability within an IACS.
- At the core OT control level, AMHE is typically not designed to process personal or business‑critical data as a primary function, although adjacent IT and cloud‑connected components may.
- IACS are subject to the limitations of available commercial off-the-shelf industrial automation and fieldbus technologies, applied within functionally validated, safe, real-time, low-latency industrial machine operations.
- To protect systems and machines against cyber threats, the Asset Owner (the OEM’s customer) must implement and continuously maintain a holistic, state-of-the-art industrial cybersecurity concept. An OEM’s products and solutions constitute one element of such a concept.
- AMHE systems are installed within trusted and segregated environments, where physical access, human competency, IT security controls, and integrations of AMHE with enterprise systems are typically maintained by the asset owner. AMHE systems are often deployed on hosts and networks exclusively managed by the asset owner.
REFERENCES
EU CRA Official Journal (final text): Regulation (EU) 2024/2847, EUR-Lex.
EU CRA Requirements Standards Mapping: Cyber Resilience Act Requirements Standards Mapping, Joint Research Centre and ENISA joint analysis, ENISA.
S4 (SCADA Security Scientific Symposium): S4x26, ICS Security Conference.
Hard Hats publication, Sarah Fluchs (CTO, admeritia): Security Briefing, admeritia GmbH.
Learn more about The Robotics Group (TRG): mhi.org/trg