
NIS2, EU Machinery Regulation, CRA:
Which One Applies to You?

Three new EU laws. Three different targets. If you build machines or supply components to the industrial sector, you need to know the difference — and act before the deadlines hit.

June 2026 · 10 min read

Over the past two years, the European Union has introduced a wave of cybersecurity legislation that touches every layer of the industrial supply chain. The challenge is that each law targets a different group, operates on a different timeline, and demands a different response. Many machine builders and component suppliers assume one regulation covers everything. It does not. Understanding which law applies to your role — and where the responsibilities overlap — is the first step to building a compliance strategy that actually holds up.

The Three Laws at a Glance

NIS2 Directive
  Primary target:  Operating end customers (essential and important entities in the listed sectors)
  Main focus:      Cybersecurity risk management and incident reporting
  Applies from:    October 18, 2024

EU Machinery Regulation 2023/1230
  Primary target:  OEMs, machine builders
  Main focus:      Safety, cybersecurity, and AI
  Applies from:    January 20, 2027

Cyber Resilience Act (CRA, Regulation 2024/2847)
  Primary target:  Manufacturers of products with digital elements
  Main focus:      Cybersecurity across the entire product lifecycle (CE marking)
  Applies from:    Reporting obligations September 11, 2026 (Q3/2026) · Full obligations December 11, 2027 (Q4/2027)

Three laws, three layers of the supply chain — with partially overlapping but distinct regulatory objectives.

NIS2: The Operator's Responsibility

The NIS2 Directive targets operating end customers: the companies running factories, utilities, water systems, and other critical infrastructure. It requires them to implement cybersecurity risk management measures, to report significant incidents promptly (an early warning within 24 hours and an incident notification within 72 hours of becoming aware of it, followed by a final report), and to address the security of their supply chain, including the relationship with their direct suppliers.

NIS2 is already in force. Member states had to transpose it into national law by October 17, 2024, and its obligations apply from October 18, 2024. Because NIS2 is a directive, the exact scope, registration duties, and enforcement dates depend on the national implementing law in each member state, and several of those laws were adopted late.

What this means if you supply to NIS2-regulated operators:

Your customers are required to consider cybersecurity risks in their supply chain and may request supporting security information from suppliers as part of their risk management obligations. That means they will ask you for documentation — security assessments, vulnerability disclosure policies, update commitments, technical specifications.

EU Machinery Regulation 2023/1230: The Machine Builder's Responsibility

The EU Machinery Regulation replaces the 2006 Machinery Directive (2006/42/EC) and applies from January 20, 2027. It adds protection against corruption, including malicious third-party connections to the machine's control system, to the essential health and safety requirements for CE marking: a machine must demonstrate that its relevant digital risks, including cybersecurity aspects, are adequately addressed as part of the CE conformity assessment.

This regulation targets OEMs and machine builders directly. Key requirements include:

  • Cybersecurity must be addressed throughout the machine's design and risk assessment process
  • Remote access capabilities must be explicitly evaluated and documented
  • The technical file compiled for CE marking must include cybersecurity evidence
What this means for machines with remote access:

If your machine includes a remote access module — for diagnostics, maintenance, or monitoring — the security properties of that module become part of your CE compliance obligation. You need documentation from your component suppliers that demonstrates secure design, secure communication protocols, and a defined support lifecycle. This is exactly the gap that SMX-RNS20 is built to address. Our technical documentation package — including risk assessment, security architecture, integration guide, and Declaration of Conformity — is designed to slot directly into your CE technical file.

Cyber Resilience Act (CRA): The Component Manufacturer's Responsibility

The CRA is the most far-reaching of the three laws for anyone who manufactures products with digital elements, that is, products containing software or firmware that can be connected, directly or indirectly, to a device or network through a logical or physical data connection. The product does not have to be network-connected itself: a firmware-carrying component that talks to a controller over a serial or fieldbus link is in scope as much as an Ethernet-connected gateway.

Reporting obligations apply from September 11, 2026, ahead of full application on December 11, 2027. Key requirements include:

  • Cybersecurity must be addressed from design through end-of-life
  • A Software Bill of Materials (SBOM) must be maintained in a commonly used, machine-readable format, covering at least the top-level dependencies
  • Actively exploited vulnerabilities and severe incidents must be reported through the ENISA single reporting platform to ENISA and the national CSIRT: an early warning within 24 hours, a fuller notification within 72 hours, and a final report afterwards (within 14 days for vulnerabilities, one month for incidents)
  • Security updates must be provided for the product's support period, which is at least five years unless the product's expected lifetime is shorter
  • CRA requirements are integrated into CE marking: the product must pass conformity assessment against the CRA's essential requirements before it carries the CE mark
Simplinx and the CRA

As a manufacturer of SMX-RNS20 — a network-connected industrial remote access module — Simplinx is directly in scope for the CRA. We have been building our compliance foundation in parallel with product development:

  • SBOM: Maintained from our build system, covering all software components and dependencies
  • Secure development process: Documented code review, security testing, and patch management procedures, aligned with IEC 62443-4-1 as a supporting industry standard
  • Vulnerability disclosure policy: Public policy with a defined response channel
  • Security support commitment: 5-year extended security support from last sale date, with Critical vulnerabilities addressed within 30 days
  • ENISA incident reporting: Procedures defined for the reporting obligation that applies from September 11, 2026
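The SBOM requirement above is the one item on both lists that can be checked mechanically. The script below is an added example (not Simplinx code and not part of the original article) that validates a CycloneDX SBOM against the minimum a CRA reviewer or a NIS2-regulated customer would expect: a machine-readable format, an identified product, a recorded set of top-level dependencies, and a name, version and matchable identifier (purl or cpe) for every component. The SBOM it checks is constructed inline for illustration; the component names, versions and purls are made up.

```python
"""Check a CycloneDX SBOM for the minimum content a CRA review would look for.

Added example, not Simplinx code. SAMPLE_SBOM below is constructed for
illustration; its component names, versions and purls are invented.
"""
import json

# Constructed sample in CycloneDX 1.5 JSON shape. 'libbar' is deliberately
# incomplete (no version, no purl) so the check has something to flag.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "bom-ref": "pkg:generic/example-firmware@1.0.0",
        "name": "example-firmware", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:generic/libfoo@2.3.1", "name": "libfoo",
         "version": "2.3.1", "purl": "pkg:generic/libfoo@2.3.1"},
        {"bom-ref": "libbar", "name": "libbar"},
        {"bom-ref": "pkg:generic/libbaz@0.9", "name": "libbaz",
         "version": "0.9", "purl": "pkg:generic/libbaz@0.9"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-firmware@1.0.0",
         "dependsOn": ["pkg:generic/libfoo@2.3.1", "libbar"]},
        {"ref": "pkg:generic/libfoo@2.3.1",
         "dependsOn": ["pkg:generic/libbaz@0.9"]},
    ],
})


def check_sbom(sbom_json: str) -> dict:
    """Return {'top_level': [...], 'findings': [(severity, message)], 'ok': bool}.

    'error' findings mean the SBOM would not satisfy the minimum content
    requirement; 'warning' findings mean vulnerability matching will be weak.
    """
    bom = json.loads(sbom_json)
    findings = []

    # 1. Commonly used, machine-readable format: this checker handles CycloneDX.
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        findings.append(("error", "not a CycloneDX document with a specVersion"))

    # 2. The product itself must be identified so the dependency graph has a root.
    product = bom.get("metadata", {}).get("component")
    if not product or not product.get("bom-ref"):
        findings.append(("error", "metadata.component (the product) missing or has no bom-ref"))
        return {"top_level": [], "findings": findings, "ok": False}

    components = {c.get("bom-ref"): c for c in bom.get("components", [])}

    # 3. Every component needs a name and version; without a purl or cpe it
    #    cannot be matched against advisories during vulnerability handling.
    for ref, comp in components.items():
        missing = [k for k in ("name", "version") if not comp.get(k)]
        if missing:
            findings.append(("error", f"{ref}: missing {', '.join(missing)}"))
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(("warning", f"{ref}: no purl or cpe, cannot be matched to advisories"))

    # 4. Top-level dependencies are the product's direct children in the graph,
    #    and each must have a component entry.
    graph = {d.get("ref"): d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    top_level = graph.get(product["bom-ref"], [])
    if not top_level:
        findings.append(("error", "no top-level dependencies recorded for the product"))
    for ref in top_level:
        if ref not in components:
            findings.append(("error", f"top-level dependency {ref} has no component entry"))

    # 5. Components not reachable from the product are stale or unexplained.
    reachable, stack = set(), list(top_level)
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(graph.get(ref, []))
    for ref in components:
        if ref not in reachable:
            findings.append(("warning", f"{ref}: listed but not reachable from the product"))

    ok = not any(sev == "error" for sev, _ in findings)
    return {"top_level": top_level, "findings": findings, "ok": ok}


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    print("top-level dependencies:", result["top_level"])
    for severity, message in result["findings"]:
        print(f"[{severity}] {message}")
    print("ok:", result["ok"])
```

Run on the sample, the check reports that libbar has no version (an error) and no purl or cpe (a warning), and returns ok=False; the dependency walk is what turns a flat component list into the "top-level dependencies" the CRA text actually asks for. In a build pipeline the same function would run against the SBOM your build system emits, and a failing result would block the release artefact.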

How the Three Laws Connect

The three regulations are not independent. They form a layered framework covering the entire industrial supply chain, shown here from the operator at the top down to the component at the bottom:

  NIS2                  Operating end customer
                        Factory, utility, or critical infrastructure operator
            |
  Machinery Regulation  Machine builder / OEM
                        Assembles a CE-marked machine from documented components
            |
  CRA                   Component / product manufacturer
                        Simplinx SMX-RNS20

Each layer depends on the layer below it. A machine builder cannot demonstrate CE compliance without secure, documented components. An operator cannot demonstrate NIS2 supply chain due diligence without verified machine security. This is why cybersecurity documentation is no longer a nice-to-have in B2B industrial sales — it is becoming a procurement requirement at every level.

What to Ask Your Remote Access Supplier

Whether you are a machine builder preparing for the 2027 Machinery Regulation deadline or an operator responding to NIS2 supply chain requirements, here are the questions that matter:

1. Do they have a publicly available vulnerability disclosure policy?

2. Can they provide a Declaration of Conformity and CE documentation?

3. Is there a defined security support period, and what are the SLA commitments for critical patches?

4. Do they maintain a Software Bill of Materials (SBOM)?

5. Are they working toward IEC 62443-4-2 certification or equivalent independent assessment?

6. Can their documentation be referenced directly in your CE technical file?

These are not compliance checkboxes. They are indicators of whether a supplier takes security seriously enough to be part of your long-term infrastructure.

SMX-RNS20: Built With Compliance in Mind

The SMX-RNS20 industrial remote access module was designed from the start with EU regulatory requirements in mind. Our complete technical documentation package is available to integration partners and machine builders:

  • Declaration of Conformity (EMC 2014/30/EU · LVD 2014/35/EU)
  • Cybersecurity Summary — architecture, encryption, access control
  • Risk Assessment
  • Integration Guide with security configuration guidance
  • Security Support Commitment
For questions about compliance documentation or integration support, contact us at security@simplinx.com.

This article is for informational purposes only and does not constitute legal advice. Regulatory interpretations and timelines may change — consult a qualified legal professional for advice specific to your situation.
