breadcrumb
15 Jul 2026
5 Min
Table of Contents
  1. Cybersecurity Becomes an Integral Part of Machine Design
  2. Cyber Resilience Act: What Changes for Machine Manufacturers
  3. CRA, NIS2, RED, and GDPR: Different Regulations, One Ecosystem
  4. Practical Implications for Machine Manufacturers
  5. Security by Design: Protecting the Machine from Device to Cloud
  6. The ALMEC Architecture: From CAN Network to IoT Platform
  7. A Progressive Path Toward Cyber Resilience
  8. ALMEC Supports Manufacturers Throughout the Entire Product Lifecycle
  9. Would You Like to Assess Your Machine's Cybersecurity?
Share:

Cybersecurity for Connected Mobile Devices: from the Cyber Resilience Act to Security by Design

The Cyber Resilience Act introduces new requirements for connected hardware and software. Find out what’s changing for mobile equipment manufacturers and how ALMEC integrates cybersecurity, connectivity, and lifecycle management.

Cybersecurity Becomes an Integral Part of Machine Design

Excavators, telehandlers, aerial work platforms, agricultural machinery, logistics vehicles, and special-purpose machines are increasingly integrating ECUs, HMIs, IoT gateways, remote controls, sensors, and cloud services.

This evolution enables telemetry, remote diagnostics, predictive maintenance, software updates, and centralized fleet management. At the same time, every new connection point introduces a potential entry point to the machine’s electronic systems.

Cybersecurity can therefore no longer be considered merely an IT function to be added at the end of the design process. It must be integrated into the electronic architecture from the earliest stages of development, alongside functional safety, reliability, diagnostics, and operational continuity.

The principle behind the new European regulatory framework is clear: a product with digital elements must be designed, updated, and maintained securely throughout its entire lifecycle. The Cyber Resilience Act assigns manufacturers responsibilities covering planning, design, development, vulnerability management, and product maintenance.

Cyber Resilience Act: What Changes for Machine Manufacturers

The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, introduces horizontal cybersecurity requirements for products with digital elements placed on the European Union market.

In the mobile machinery sector, the regulation may apply to components and systems such as:

  • Programmable electronic control units (ECUs);

  • IoT and telematics gateways;

  • HMI interfaces;

  • Embedded software;

  • Cloud applications and portals associated with the product;

  • Remote diagnostics and service systems;

  • Devices with CAN, Ethernet, Wi-Fi, Bluetooth, or cellular connectivity;

  • Firmware and software update mechanisms.

The CRA entered into force on 10 December 2024. Reporting obligations for actively exploited vulnerabilities and severe incidents will apply from 11 September 2026, while the main requirements will become applicable on 11 December 2027.

For manufacturers, preparing for the CRA means going beyond simply securing the internet connection. They will need to demonstrate that cybersecurity has been considered throughout the design process and that the product can be managed, supported, and updated even after it has been placed on the market.

CRA, NIS2, RED, and GDPR: Different Regulations, One Ecosystem

A connected machine may simultaneously fall within the scope of several regulatory frameworks, each with a specific purpose.

  • Cyber Resilience Act

The CRA primarily concerns the security of the digital product itself. It establishes cybersecurity requirements for hardware and software and introduces obligations for manufacturers, importers, and distributors.

  • NIS2 Directive

The NIS2 Directive focuses instead on the security of organizations, networks, and information systems operating in sectors covered by its scope.

It requires organizations to implement risk management measures, incident management, business continuity, supply chain security, vulnerability management, and management accountability.

NIS2 does not replace the CRA. The two frameworks are complementary: one primarily addresses the product, while the other focuses on the organization that operates or manages digital systems and services.

  • RED and EN 18031

When a device incorporates wireless technologies such as LTE, Wi-Fi, Bluetooth, or other radio communications, it must also be assessed under the Radio Equipment Directive (RED) 2014/53/EU.

The RED establishes requirements for safety, electromagnetic compatibility, and efficient use of the radio spectrum. Delegated acts linked to the directive have also introduced cybersecurity requirements relating to network protection, personal data protection, and fraud prevention for certain categories of radio equipment. The EN 18031 series of standards supports the cybersecurity assessment process for these devices.

  • GDPR

The GDPR becomes relevant whenever the machine or its platform collects information relating to identifiable individuals, such as personal identifiers, location data, login credentials, user logs, or operational data associated with a specific operator.

The objective is not to apply every regulation indiscriminately to every machine, but to correctly determine the applicable regulatory framework according to the product's characteristics, integrated functions, processed data, and intended use.

Practical Implications for Machine Manufacturers

Compliance affects not only software but the entire machine lifecycle, including design, updates, documentation, and support.

  • Access Control

Configuration and diagnostic functions should be accessible only to authorized users through differentiated roles and permission levels.

  • Firmware Protection

Digitally signed firmware, integrity verification, and version control prevent the installation of unauthorized software.

  • Secure Updates

OTA (Over-the-Air) updates must be authenticated, verifiable, and designed to ensure operational continuity.

  • Protected Communications

Communications between the machine and the cloud must be secured through encryption, authentication, and secure credential management.

  • Vulnerability Management

Manufacturers must establish a process to identify, assess, remediate, and document vulnerabilities throughout the entire product lifecycle.

  • Documentation and Support Period

Technical documentation must describe cybersecurity measures, available updates, and the declared support period, demonstrating product compliance.

Security by Design: Protecting the Machine from Device to Cloud

The Security by Design approach integrates cybersecurity directly into the machine architecture from the earliest stages of development.

In a mobile machinery system, this may include:

1. Secure Boot
Verifies firmware integrity during startup, preventing the execution of unauthorized software.

2. Signed Firmware
Allows only authentic and verified firmware versions to be installed.

3. Secure OTA
Ensures controlled, verified, and traceable remote software updates.

4. Encryption
Protects data during transmission between the machine and the cloud platform.

5. Device Authentication
Verifies the identity of the device before exchanging data and commands.

6. Access Control
Restricts diagnostic and configuration access to authorized users only.

These measures provide continuous protection across the entire digital chain, from the machine to the cloud.

The ALMEC Architecture: From CAN Network to IoT Platform

ALMEC approaches cybersecurity as an integral part of the complete electronic system design.

The architecture can build upon the machine's existing CAN network and progressively integrate:

  • ECUs and I/O modules;

  • Rugged HMIs;

  • Wireless and wired remote controls;

  • CAN Bus IoT gateways;

  • Secure cloud connectivity;

  • The Diaboard IoT Platform;

  • Remote diagnostics and technical support;

  • Update and access management.

The protection layers address device identity, authentication, machine-to-cloud encryption, firmware security, OTA updates, diagnostic access, event logging, and long-term support.

This approach makes it possible to intervene both on new developments and on existing connected machines, avoiding the misconception that cybersecurity is a single package to be applied uniformly.

Every architecture should instead be assessed according to its actual entry points, installed components, communication protocols, exchanged data, and maintenance methods.

A Progressive Path Toward Cyber Resilience

Cybersecurity integration can be organized into four stages.

1. Mapping the Existing Architecture

The CAN network, ECUs, HMIs, remote controls, gateways, cloud services, users, maintenance interfaces, and physical or remote access points are analyzed.

2. Implementing Security Measures

Authentication, encryption, OTA updates, credential management, access control, and event logging are introduced wherever they are genuinely required.

3. Compliance Documentation

Technical decisions, vulnerability management processes, and update procedures are documented and incorporated into the project documentation.

4. Lifecycle Management

Once the machine is deployed, the system continues to be managed through software updates, remote support, ticketing, monitoring, and continuous improvement.

ALMEC Supports Manufacturers Throughout the Entire Product Lifecycle

Compliance does not depend on a single component, but on the final product, its configuration, and the way it is maintained over time.

For this reason, ALMEC supports machine manufacturers in defining the electronic architecture, integrating hardware, software, and IoT technologies, and implementing the technical measures required to support the path toward compliance.

From the ECU to the IoT gateway, from the HMI to the Diaboard Platform, through to remote software updates and after-sales service, cybersecurity is integrated directly into the machine system.

Would You Like to Assess Your Machine's Cybersecurity?

Tell us about your project. ALMEC can analyze your existing architecture and develop a progressive integration strategy (from the machine to the cloud) taking into account connectivity, update capability, technical support, and the product lifecycle.

This content is provided for informational purposes only and does not replace a product-specific regulatory or conformity assessment.

Attached document

Cybersecurity for Connected Mobile Devices: from the Cyber Resilience Act to Security by Design
Get this document by email
Enter your email address below and we'll send you the PDF document straight to your inbox.
Newsletter
Check your inbox!
We've sent the document to your email address.
You might also be interested in
Subscribe our newsletter
Discover our news
before everyone else
Get monthly technical updates and product releases.
I have read and accepted the privacy regulation relating to the materials sent by Almec S.p.A.
Newsletter
Thank you for subscribing to our newsletter!
Check your inbox so you don't miss the latest news on our products and services, our events and much more...