Insights
CRA, the Machinery Regulation and vulnerability management for integrators and plant builders.
CRA reporting obligation from September 2026: Which machines are affected?
On 11 September 2026 the Cyber Resilience Act's reporting obligations take effect – more than a year before the rest of the CRA. What must be reported (and what not), which deadlines apply, how ENISA's Single Reporting Platform (SRP) works, and what can be prepared today.
Why most CRA tools fail at the long tail: what plant builders should look for when selecting a tool
Most vulnerability tools are built for software vendors. Plant builders have a different problem: the risk sits in third-party firmware across a long tail of suppliers. Four questions and a demo test for CRA tool selection.
When a plant builder or integrator becomes a CRA manufacturer
Cyber Resilience Act: when a plant builder or integrator becomes the manufacturer through system integration – placing on the market, substantial modification (Art. 22) and the layered model of supplier obligations.
CRA and the Machinery Regulation for integrators and plant builders: what applies from 2026
The Cyber Resilience Act and the EU Machinery Regulation for integrators and plant builders – deadlines, obligations and how to set up vulnerability management across the supply chain.
