MHI Logo

AMHE (Automated Material Handling Equipment) & EU CRA (Cyber Resilience Act)

The EU CRA is a recently enacted regulation that enforces minimum cybersecurity requirements on any PDE placed into the market.

By Warehouse Automation Blog

AMHE (Automated Material Handling Equipment) & EU CRA (Cyber Resilience Act)

What is the EU CRA?

The EU Cyber Resilience Act (CRA) is a recently enacted regulation that enforces minimum cybersecurity requirements on any “Product with Digital Element” (PDE) placed into the market.  Simply put, a PDE is any product that is intended to connect to another device or network.  The regulation applies to both hardware and software products, which encompasses the industrial automation control systems (IACS) that comprise AMHE solutions and subsystems.

Just like the EU did with the General Data Protection Regulation (GDPR), which addressed personal privacy topics, the EU is aggressively regulating the cybersecurity of PDEs.  The GDPR reshaped how organizations handle personal data, and the CRA is poised to fundamentally change how OEMs approach product security design.

The EU CRA mandates non-compliant products cannot legally be placed on or kept in the EU market.  Further, CE marking and declarations of conformity now implicitly include cybersecurity.  By specifying requirements, enforcing substantial penalties (tiered penalties of up to €15 million or 2.5% of an OEM’s total global revenue, whichever is higher!) and integrating CE markings into CRA compliance, OEMs of PDEs are obligated to comply.

Annex I of the CRA provides the substantive responsibilities of OEMs for compliance with the regulation.  The 2 primary obligations of OEMs under the CRA relate to secure product engineering and lifecycle vulnerability management.

The secure engineering requirements of the EU CRA include topics like:

The vulnerability management topics of the EU CRA apply for the PDEs expected lifecycle.  Therefore, manufacturers must define a support period, which—for long-lived AMHE—may extend well beyond traditional IT product cycles and may be measured in decades.  Nevertheless, the CRA mandates lifecycle vulnerability management topics including:

What underpins the regulation is applied risk management.  The EU CRA obligates PDEs be “designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.”  Therefore, most OEMs do have some latitude in how to satisfy the EU CRA engineering and vulnerability management topics, depending on the specified context of use and reasonably foreseeable misuse of any given product.

While the EU CRA is the first substantial regulation for the security of PDEs, OEMs are impacted by other drivers of change related to security.  Examples include the EU Machinery Regulation 2023/1230 (MR), emerging market regulations, customer terms and conditions, and a general expectation of reputable OEMs to manage product security in this day of age.

How does a reputable OEM satisfy the EU CRA and disparate market requirements?

Often times security relating to the OEM Enterprise IT landscape is conflated with the security of the products the OEM places on the market, which are typically quite distinct topics for AMHE OEMs.

Generally speaking, a company’s ability to manage its own information systems should not be conflated with the security of the PDEs that company places on the market.  While ISO 27001 is a commonly known standard related to a company’s information systems and may include high level development controls, the IEC 62443 -3 and -4 series of standards is better aligned with the secure development of IACS.

The IEC 62443 is a series of standards that address the issue of security for IACS, maintained and published by the International Electrotechnical Commission (IEC).  The 62443 provides minimum secure development processes and foundational security control requirements for IACS and is specified in draft EU CRA mapping documentation relating to IACS.

While 62443 does not exclusively cover all regulations, necessitating the need of supplemental processes to fully satisfy CRA legal and reporting obligations, 62443 is a strong baseline across the broad regions and industries that utilize IACS. IEC 62443 is expected to be the basis of the upcoming EN 18031 series of harmonized standard under the CRA by 2027.

With regulatory enforcement beginning in January 2027 for MR, and CRA enforcement beginning Dec 2027, reputable AMHE OEMs like Dematic have proactively adopted business processes to account for compliance of emerging regulations, terms, and expectations - based on IEC 62443 standards.

How can AMHE OEMs prepare for EU CRA compliance, especially when security is not natively designed into the products?

While this is not a simple question to answer, the requirements to satisfy the EU CRA are now clear.  OEMs must focus on compliance of the key requirements of Annex I of the CRA - which generally follow good engineering practice in the year 2026 anyways.  However, topics that may be challenging to address or document should be managed sooner rather than later, by:

Finally, factors that will influence how AMHE OEMs will exercise reasonable risk management against a secure product design will also consider the following critical factors:

REFERENCES

EU CRA Official Journal (final text):  Regulation - 2024/2847 - EN - EUR-Lex

EU CRA Requirements Standards Mapping:  Cyber Resilience Act Requirements Standards Mapping - Joint Research Centre & ENISA Joint Analysis | ENISA

S4 (SCADA Security Scientific Symposium) - S4x26 : ICS Security Conference

Hard Hats Publication, Sarah Fluchs (CTO admeritia) - Security-Briefing – admeritia GmbH

Contributor: Tim Richards, Dematic

Learn more about The Robotics Group (TRG): mhi.org/trg

For further articles from the The Robotics Group (TRG):

Things to Consider Before You Automate

Scaling Warehouse Automation: Insights from the Field

From Vision to Reality: Implementing Robotics in the Modern Supply Chain 

The Path to Lights Out

Maximizing ROI and Mitigating Risks with Robotics

Demystifying Robots

How Robots Positively Impact the Labor Shortage

Justifying Robotics, Part II

How to Justify the Cost of Robotics–Part 1

Robot Safety

Industry Groups

Related Posts


MHI Logo

8720 Red Oak Blvd., Suite 201

Charlotte, NC 28217

Follow Us

Follow Us on LinkedInFollow Us on TwitterFollow Us on YouTubeFollow Us on FacebookFollow Us on Instagram

Copyright MHI © 2026 | All Rights Reserved