Cyber security has shifted from a feature to a legal precondition for selling machines in Europe, and the accountability now sits squarely with the manufacturer. That was the message from Sylvie Mbayin, product cyber security lead for Danfoss Power Solutions, who set out the regulations, standards and design decisions that OEMs and their suppliers must address before a series of compliance deadlines arrive over the next 18 months.
Why the exposure has changed
A modern machine runs software, is connected to a network and generates large volumes of data, and for an OEM that connectivity is now a source of liability as much as capability. Mbayin was clear that “network” does not only mean the internet; a CAN signal counts too, which means machines sold into low-connectivity sectors such as agriculture are not exempt. An attacker no longer needs physical access and can instead exploit wireless connections, cloud services or remote maintenance routes.
The attack surface is concrete. Because machines such as a combine and a sprayer communicate over the CAN interface, an attacker connecting to the bus can mount an attack, altering a command to spray 10 litres into 100 litres and destroying a crop, or capturing a tank-open command to replay later. Open-source and third-party components carry their own risk, where a single bug becomes an entry point. Calibration data, currently unprotected, can be manipulated so subtly that the only symptom is a harvest 20% below expectation at season’s end. For an OEM, each of these is a product-liability scenario, not merely an end-user inconvenience.
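The two CAN scenarios above, an altered spray command and a replayed tank-open frame, are exactly what per-frame authentication with a freshness counter is designed to catch. The following Go program is an added illustration, not Danfoss code and not any standard's frame format: the key, the frame layout and the CAN identifiers are assumptions, and the tag is a truncated HMAC-SHA256 over ID, counter and payload.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Constructed example key; on a real controller it would sit in the HSM.
var sharedKey = []byte("example-only-key-not-for-production")

// AuthFrame is a hypothetical authenticated CAN frame: command data plus a
// per-ID freshness counter and a truncated MAC over ID||Counter||Data.
type AuthFrame struct {
	ID      uint32 // CAN identifier
	Counter uint32 // must strictly increase for each ID
	Data    []byte // command payload, e.g. spray rate in litres
	Tag     []byte // first 8 bytes of HMAC-SHA256(key, ID||Counter||Data)
}

func computeTag(key []byte, id, counter uint32, data []byte) []byte {
	var hdr [8]byte
	binary.BigEndian.PutUint32(hdr[:4], id)
	binary.BigEndian.PutUint32(hdr[4:], counter)
	mac := hmac.New(sha256.New, key)
	mac.Write(hdr[:])
	mac.Write(data)
	return mac.Sum(nil)[:8]
}

// Sender stamps each outgoing frame with the next counter value for its ID.
type Sender struct{ Counters map[uint32]uint32 }
func (s *Sender) Send(id uint32, data []byte) AuthFrame {
	s.Counters[id]++
	c := s.Counters[id]
	return AuthFrame{ID: id, Counter: c, Data: data, Tag: computeTag(sharedKey, id, c, data)}
}

// Receiver rejects frames whose tag fails (tampering) or whose counter
// does not advance (replay of a captured frame such as tank-open).
type Receiver struct{ Last map[uint32]uint32 }
func (r *Receiver) Accept(f AuthFrame) (bool, string) {
	if !hmac.Equal(computeTag(sharedKey, f.ID, f.Counter, f.Data), f.Tag) {
		return false, "tag mismatch: frame altered"
	}
	if f.Counter <= r.Last[f.ID] {
		return false, "stale counter: replayed frame"
	}
	r.Last[f.ID] = f.Counter
	return true, "ok"
}
```

A genuine frame passes once, the same frame rewritten to 100 litres fails the tag check, and the unmodified frame sent a second time fails the counter check.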
Three regulations, one accountability shift
Mbayin said the regulatory landscape is undergoing a fundamental transformation, with three pieces of EU legislation redefining what counts as a compliant product. The Radio Equipment Directive targets products with internet connectivity and has applied since 2025. The Machinery Regulation covers all products with safety functionality. The Cyber Resilience Act (CRA), in her view the most significant, covers all products with a digital element and mandates cyber security across the lifecycle.
The common thread, and the point most relevant to manufacturers, is that these laws establish legal accountability for the OEM. Cyber security is now a non-negotiable condition for market access in Europe rather than a competitive differentiator.
The Machinery Regulation becomes mandatory in January 2027 and applies to all products placed on the European market with safety functionality, explicitly linking cyber threats to physical safety risk. It sets three expectations for manufacturers: protect the product against external corruption of software; carry out an assessment and implement technical and organisational measures to reduce risk; and protect safety functions so a cyber attack can never disable, bypass or manipulate them.
The Cyber Resilience Act spans embedded software, firmware and standalone applications, as well as any electronic hardware that processes digital data and any component intended for integration into a larger system. A machine with no intelligence is out of scope, but hardware that processes data is covered. Full compliance is required by December 2026, with incident and vulnerability reporting obligations starting earlier, in September 2025, so manufacturers must have monitoring, reporting and response processes running well ahead of full compliance. Mbayin noted that Danfoss focuses on the CRA because meeting its essential requirements also helps satisfy the other regulations, and that the Radio Equipment Directive aligns with the CRA from 11 December 2026.
What compliance requires on the OEM’s side
The CRA’s principles translate directly into manufacturer obligations. Security by design means building security into the concept and architecture from the start, beginning with a risk assessment that identifies threats and attack paths and makes conscious decisions on reducing risk; it cannot be bolted on later. Monitoring and vulnerability management continue after launch, with any exploitable incident reported to ENISA, the European Union Agency for Cybersecurity, within 24 hours and customers given transparent guidance on a fix. Security updates must be provided free of charge for a minimum of five years in the case of an exploitable incident, with longer-lifecycle products handled through contractual agreement.

The transparency requirement carries a documentation burden that OEMs must plan for, with records retained for a minimum of ten years. These include the software bill of materials (SBOM) capturing the product baseline and third-party software; the threat analysis and risk assessment (TARA); security testing such as fuzzing and penetration testing; and user guidance on secure operation. This documentation is the evidence of due diligence and is essential for the CE mark.
The cost of getting it wrong is high. Authorities can force a product recall, and financial penalties reach €50 million or 2.5% of annual global turnover. Mbayin singled out the loss of market access, brand reputation damage, and civil and criminal liability as the most serious consequences for a manufacturer.
The standards OEMs need to work to
Regulations define the obligation; standards provide the route to compliance. Using the analogy of constructing a building, Mbayin distinguished horizontal standards, the fundamental rules, from vertical standards covering a specific application. For products with digital elements under the CRA, the horizontal standard is EN 18031, alongside EN IEC 62443 for the safety of machinery. Vertical standards include IEC 62443 for industrial control systems, with IEC 62443-4-1 the rule book for the secure development process; Danfoss’s process is certified to maturity level two against it. The automotive sector works to ISO/SAE 21434, while agricultural tractors and earth-moving machinery are covered by ISO 24882.
What a supplier brings to the table
For OEMs weighing how much of this to build versus source, Mbayin set out the secure development measures Danfoss has implemented at component level. The root of trust is the anchor, protecting cryptographic keys and security libraries using a hardware security module (HSM) embedded in a microcontroller to generate keys, handle encryption and decryption, and store critical information. Secure boot checks operating-system integrity at every start-up; secure flashing allows only approved firmware updates. Because a product exposes multiple interfaces, for parameter changes, updates, calibration and development, the regulation requires every door to be closed, and Danfoss protects both its developer interfaces and its field-update interfaces.
Resilience continues into operation. Secure rollback stops an attacker downgrading software to an older, vulnerable version, while a secure log records security incidents such as bad-credential access attempts or attempts to install compromised software, for later forensic analysis.
For OEMs concerned about retrofit and continuity, Mbayin said Danfoss intends to keep products backwards compatible. The controller display has been redesigned in hardware while remaining compatible, and other product lines with sufficient memory will receive software-based security solutions without hardware changes. Plus1 software is being updated, including the operating system, GUIDE development tool and service tool, alongside diagnostic services for field updates.
The component is only part of the picture. Danfoss also protects the surrounding ecosystem, including the cloud infrastructure used to manage user access, keys and software signing, and the production environment where software, keys and data are loaded onto devices. Secure update mechanisms guard against compromise over the air or via other media, and the supporting documentation feeds the declaration of conformity.
How vulnerabilities are handled in the field
No product is free of vulnerabilities, Mbayin said, so what matters is reacting quickly, efficiently and transparently. The Danfoss process records and clarifies a reported vulnerability, analyses whether it is serious, creates a remediation plan, and communicates the outcome internally and externally to ENISA and to customers. A contact email is published on the Danfoss website for anyone discovering an issue.
For OEMs operating in low-connectivity environments, Mbayin described how offline authentication and authorisation will work. A user registers with the Danfoss identity provider and receives a certificate recognised by Danfoss systems, with a defined role and access rights. Software built with the Plus1 GUIDE is signed using Danfoss signing tools before being returned to the user, who then uses the service tool, connected directly to the device on the machine, to apply the update once the tool has verified their role and access rights.
A shared compliance burden
Cyber security is no longer a checklist but a risk-driven management process, Mbayin said, and the obligations are shared rather than resting on the supplier alone. Danfoss analyses its products, provides the required integrity, produces documentation including the SBOM and usage guidance, certifies its products, and runs vulnerability monitoring aligned with its IT infrastructure, issuing updates for exploitable vulnerabilities.
Distributors and machine owners carry their own duties at the next level up: analysis at machine level, ensuring machine integrity, obtaining the CE mark at machine level, putting monitoring and vulnerability management in place, and providing updates where needed for a minimum of five years. Danfoss provides secure products and expert support as a foundation, Mbayin said, but needs OEM requirements in return to help its customers build secure machines. The aim is to work together to build trusted and resilient products. Danfoss has recently published a white paper on cyber security.
Images: Danfoss Power Solutions