CECE analyses the interplay between the CRA and the Machinery Regulation

Last week, an ad-hoc group of PT Data members exchanged views on the expected implications for construction equipment manufacturers stemming from the final text of the Cyber Resilience Act (CRA), the new EU cybersecurity law for connected products, including machinery.

The CRA final compromise text has now achieved relative stability following the vote of the parliamentary Committee on Industry, Research and Energy (ITRE) held on 23 January. In addition, the political agreement reached in trilogues had already been endorsed by the EU ambassadors in December. To become law, the CRA final text requires formal adoption by Parliament and Council. Publication is expected in mid-2024.

During the ad-hoc meeting, PT Data members went through the key aspects of the final text with a view to assessing the potential implications for construction equipment manufacturers in terms of the cybersecurity requirements and manufacturers' obligations to be fulfilled. The outcome of the discussion can be summarised as follows:

  • CECE members welcomed the improvements introduced in relation to the determination of the product support period, which now explicitly refers to the expected use time of the product (rather than the expected lifetime, as originally proposed by the Commission). This is further substantiated by the reference to the proportionality element and the support period of integrated components. The latter represents a good addition for the industry, since the support period of machinery products is highly dependent on their components.
  • Members appreciated the alignment of the vulnerability reporting mechanism with the NIS2 directive timeframe and obligations.
  • In addition, the Commission’s guidelines to facilitate the CRA implementation are also considered a positive development, especially when it comes to determining what constitutes substantial modification under the regulation. According to the final wording, digital products should be considered substantially modified by a software change where, inter alia, the software update modifies the intended purpose of that product. Therefore, interpretative guidelines would be welcomed.
  • The interpretation of substantial modification could also play a key role in identifying the cases in which the new requirements also apply to products placed on the market before the CRA application date. As a matter of fact, the CRA will apply only to new products placed on the market after its application date, unless products placed on the market before that date are subject to substantial modifications.

In the context of the CRA final text analysis, members also identified a number of controversial aspects requiring further clarification in the coming months. Specifically, concerns were raised from a functional standpoint about the interplay with the new Machinery Regulation (MR). According to a preliminary assessment, future CRA standards for the security elements included under the MR will be developed in a way that would also allow for compliance with the functional safety aspects. This should be explicitly addressed by the Commission’s guidelines when it comes to manufacturers subject to this Regulation who are also subject to other related Union harmonisation legislation. Additionally, further clarification should be provided on the spare parts exemption with reference to components. Finally, the interpretation of product functions as regards remote data processing seems problematic and needs further clarity.

The final assessment of the CRA final text and the next steps on the file will be subject to further examination at the next PT Data meeting, taking place in the context of the March Technical Week (on Wednesday, 20 March). The CECE Secretariat will continue to closely monitor the developments on this crucial legislation and provide members with assistance throughout the implementation phase.