CRA compliance for agricultural machinery

The CEMA guidance interprets the Cyber Resilience Act for agricultural machinery. It covers scope, OEM–supplier relationships, support periods and components for integration.

Why the agricultural machinery sector needs its own CRA interpretation

The Cyber Resilience Act (Regulation (EU) 2024/2847) will enter into force progressively from 11 December 2027 and covers almost all products with digital elements placed on the EU market. For manufacturers in mechanical and plant engineering this means that almost every machine with electronic components and data connectivity, whether via USB, Bluetooth, GPS or OBD, falls within the scope of the regulation.

Unlike regulations with a long history of standardization, the CRA currently lacks concrete harmonized standards that would give manufacturers a presumption of conformity. In this phase of uncertainty, industry-specific interpretation guides such as the CEMA guidance help build a common understanding within a sector and prepare dialogue with standards bodies and market surveillance authorities.

The CEMA guidance focuses on questions arising from the particular structure of the agricultural machinery sector: complex value chains with numerous suppliers, long product lifecycles, predominantly decentralized update distribution via dealer networks and a heterogeneous product landscape ranging from simple implements to fully networked precision machines.

CRA in interaction with other EU rules

The Cyber Resilience Act does not appear in isolation. It is part of a regulatory framework in which different EU rules address different aspects of product safety and cybersecurity.

The Machinery Regulation (EU) 2023/1230 regulates the fundamental safety requirements for machines, including functional safety. The CRA complements these with specific cybersecurity requirements for digital elements. Both schemes apply in parallel, insofar as their requirements do not overlap. Agricultural machines are generally subject to both: the Machinery Regulation for mechanical and functional safety and the CRA for the cybersecurity of integrated electronic components and systems.

The NIS2 Directive (EU) 2022/2555, by contrast, is directed at operators of critical infrastructure and essential services—not at product manufacturers. Agricultural businesses do not usually fall under NIS2’s definition of critical entities. Nevertheless, the CRA can create an indirect link to NIS2 if products are used in critical sectors and are classified as critical products within the meaning of Annex IV.

The Blue Guide on the implementation of product legislation serves as a central reference for key concepts such as “placing on the market”, “making available on the market” or “substantial modification”. The CEMA guidance takes up these terms and applies them to the specific circumstances of agricultural machines.

An important difference compared with sectoral rules: Article 2(5) allows exceptions or limitations where other EU rules achieve the same or a higher level of protection. For the agricultural machinery sector, there is currently no such rule apparent that could displace the CRA. The CRA therefore applies in full.

Practical boundary questions frequently arise in the interplay of the Machinery Regulation, the CRA and other EU rules. If you want to clarify which requirements apply to your machines in parallel and where overlaps exist, a short classification discussion can be useful.

Horizontal and vertical harmonization

The CRA refers in its essential cybersecurity requirements (Annex I) to a risk-based approach. Manufacturers must carry out a cybersecurity risk assessment and ensure an appropriate level of security on that basis. The concrete design of these requirements will be specified by harmonized European standards as soon as they become available.

Two categories of standards are relevant for the CRA: horizontal standards that apply across product groups and vertical standards that specify sector-specific requirements.

The EN 40000 series is currently being developed as the horizontal CRA standard and is intended to cover basic cybersecurity requirements for all product categories. In parallel, vertical standards tailored to specific product groups are being developed in ETSI as part of the ETSI EN 304 6xx series.

For the agricultural machinery sector, the IEC 62443 family of standards is of particular importance. Originally developed for industrial automation systems, IEC 62443 is increasingly applied to embedded systems in machines. It provides a structured methodology for security requirements at component and system level as well as for the security development lifecycle.

Important: standards are not laws. They provide a presumption of conformity, but their application is not mandatory. Manufacturers can also demonstrate conformity with the CRA’s essential requirements by other technical solutions. However, applying harmonized standards facilitates conformity assessment and creates legal certainty.

Scope, allocation of responsibilities and support periods

The CEMA guidance concentrates on the topics that are particularly relevant to manufacturers of agricultural machines.

Scope and definitions

The CRA covers all products with digital elements whose intended use or reasonably foreseeable use involves a data connection to a device or network. It is not decisive whether the connection is permanently present, but whether the technical possibility for data connectivity exists.

The CEMA guidance clarifies: an agricultural machine falls within the scope if at least the intended use or a reasonably foreseeable use allows for a data connection. This can include a diagnostic interface used only during maintenance, or a JTAG port on a microcontroller intended for firmware updates.

The distinction between “reasonably foreseeable use” and “reasonably foreseeable misuse” is practically relevant. Reasonably foreseeable use includes all application scenarios that arise from the provided functions, even if they are not expressly described in the user manual. Misuse, by contrast, occurs when a use arises outside the intended context and requires specialized knowledge that a typical user does not possess.

Substantial modification

A substantial modification within the meaning of the CRA occurs when a change after placing on the market impairs conformity with the essential cybersecurity requirements or alters the intended purpose. Every change requires an impact analysis by the modifier, which must be documented—even if the change is not classified as substantial.

The consequence of a substantial modification: the modifier becomes the manufacturer within the meaning of the CRA and must undergo the conformity assessment procedure again. This also applies to changes to spare parts if they can no longer be considered identical.

OEM‑supplier relationship and due diligence

The allocation of responsibility between manufacturers (OEMs) and suppliers of components is one of the most complex questions in implementing the CRA. Article 13(5) requires manufacturers to perform due diligence when integrating third‑party components to ensure that these do not impair the cybersecurity of the overall product.

The CEMA guidance makes clear: the OEM bears overall responsibility for the conformity of the end product. Its due diligence includes selecting suitable components based on its own risk assessment, checking whether the supplier’s declaration of conformity covers the CRA, and integrating and configuring components in accordance with the supplier’s instructions.

If a component is placed on the market separately and is CE marked, this simplifies the OEM’s due diligence. If the component is manufactured only for integration and not placed on the market separately, the allocation of responsibility can be contractually regulated. In any case, the supplier must provide sufficient information so that the OEM can carry out its due diligence.

The allocation of responsibility between OEM and suppliers is one of the most critical points in CRA implementation. We are happy to discuss, without obligation, how due diligence obligations, contractual arrangements and technical evidence can be structured cleanly.

Components for integration: secure by default

A particularly practical question is addressed by the CEMA guidance in a separate section: may components intended for integration into an end product be supplied with security functions not enabled?

The answer is: yes, under certain conditions. The rationale: if a component is already fully configured and secured, this can make integration significantly more difficult. The OEM would first have to deactivate security functions to perform the integration and then reconfigure them afterwards—which could create additional attack surface.

Example: a control unit with a cryptographic module is delivered without pre‑provisioned keys and with privileged functions disabled. The OEM can load the keys during integration and enable the security functions without requiring authentication.

The prerequisite, however, is that the supplier provides the OEM with precise instructions on how to securely configure the component after integration (Annex II number 8(f)). All necessary security functions must be present at the time of placing on the market—they simply do not have to be enabled.

This interpretation enables a pragmatic division of labor in the supply chain without jeopardizing the CRA’s objective of a secure end product.
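To make the control-unit example concrete, here is an added illustration (not part of the CEMA guidance or of any real product) modelling the component's lifecycle: keys can be loaded and security functions enabled without authentication only while the unit is in its as-delivered integration state; once the OEM locks it, privileged operations require authentication and keys can no longer be reloaded. The slot names, the 16-byte minimum key length and the token check are assumptions of this example.

```python
"""Hypothetical lifecycle model of a component delivered for integration
with security functions present but not yet enabled (example code, not
from CEMA or any supplier)."""
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    INTEGRATION = "integration"  # as delivered: no keys, privileged functions disabled
    LOCKED = "locked"            # after OEM provisioning: security enabled, one-way


class ProvisioningError(Exception):
    pass


@dataclass
class ControlUnit:
    state: State = State.INTEGRATION
    keys: Dict[str, bytes] = field(default_factory=dict)
    secure_boot: bool = False
    admin_token: Optional[bytes] = None
    REQUIRED_SLOTS = frozenset({"fw_signing", "comms"})  # assumed supplier instruction

    def load_key(self, slot: str, key: bytes) -> None:
        # Unauthenticated key provisioning is allowed only before the unit is locked.
        if self.state is not State.INTEGRATION:
            raise ProvisioningError("keys can only be loaded during integration")
        if len(key) < 16:
            raise ProvisioningError("key too short")
        self.keys[slot] = key

    def enable_security(self, admin_token: bytes) -> None:
        # Enables the (already present) security functions and locks the unit for good.
        if self.state is not State.INTEGRATION:
            raise ProvisioningError("unit is already locked")
        missing = self.REQUIRED_SLOTS - self.keys.keys()
        if missing:
            raise ProvisioningError(f"missing keys: {sorted(missing)}")
        self.secure_boot = True
        self.admin_token = admin_token
        self.state = State.LOCKED

    def privileged(self, token: bytes) -> bool:
        # Privileged functions are disabled while in integration state and
        # require authentication once locked.
        if self.state is not State.LOCKED or self.admin_token is None:
            return False
        return secrets.compare_digest(token, self.admin_token)

    def ready_for_market(self) -> bool:
        # The end product may only ship with the unit locked and secure boot on.
        return self.state is State.LOCKED and self.secure_boot
```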

Support periods

The CRA requires manufacturers to remedy vulnerabilities during a defined support period. That period must reflect the expected service life of the product and is at least five years.

For the agricultural machinery sector, CEMA proposes a support period of at least ten years. The reasoning: agricultural machines typically have long service cycles. Tractors are often used intensively as primary work equipment for eight to ten years and then continue in secondary roles. They are produced in higher numbers and therefore represent potential primary targets for cyberattacks.

The ten‑year support period is subject to two caveats: suppliers of components that provide core functions must also supply vulnerability information over this period. And external factors that affect compatibility—such as obsolescence of development tools or loss of expertise—must not make updates impossible.

Additionally: once an update has been published, it must remain available and installable for ten years.

Distinctions and common misconceptions

The CEMA guidance also addresses several frequent misinterpretations of the CRA.

Spare parts

Identical spare parts manufactured to the same specifications as the components they replace are exempt from the CRA—regardless of whether the original product is still manufactured or the support period has expired. This applies only to truly identical parts. If a component is modified due to obsolescence, it must be examined whether this constitutes a substantial modification.

Tailor‑made products

The CRA allows contractual deviations from the essential cybersecurity requirements for tailor‑made products. This concerns products developed for a specific business purpose and a specific business customer where both parties have expressly agreed alternative contractual conditions. Distinct from this are components developed in co‑design between two or more economic operators. Such components, ordered before manufacturing is completed, are not considered “placed on the market” and do not fall under the CRA.

Important and critical products

Annexes III and IV of the CRA list product categories subject to an extended conformity assessment procedure. The decisive factor is the product’s core functionality. If a component listed in Annex III or IV is integrated into an end product, the end product does not automatically inherit the component’s classification—unless the end product itself provides the core functionality of the listed product category.

Free and open source software

The CRA also covers FOSS components when they are integrated into a commercial product. The manufacturer of the end product is responsible for remedying vulnerabilities in all integrated FOSS components, even if the original developer has no commercial relationship with the manufacturer.

Guidance for the preparation phase

The CEMA guidance is an example of how trade associations can provide orientation to their members in the period before new regulations enter into force. It neither replaces the regulation itself nor future harmonized standards, and it is not legally binding. Nevertheless, it serves an important function: it creates a common understanding within a sector for interpretative questions arising from the specifics of that sector.

For manufacturers of agricultural machinery, the CRA entails significant adjustments in development processes, supplier management and support structures. Preparations should begin early, even though the regulation will not be fully applicable until December 2027. Key areas of action are implementing a vulnerability management process, contractually and technically clarifying the allocation of responsibilities with suppliers, defining support periods and adapting technical documentation.

The further development of harmonized standards, the publication of implementing acts by the Commission and the practice of market surveillance authorities will concretize the interpretation of the CRA in the coming months. Industry‑specific guidance such as the CEMA guidance helps ensure that this concretization takes into account the technical and economic reality of the affected sectors.

Industry guides like the CEMA guidance provide important orientation but do not replace an individual assessment. If you want to understand what the CRA specifically means for your products, your supply chain and your support strategy, this can be structured and classified in a non‑binding discussion.