What the Cyber Resilience Act means for CNC users

21/4/2026

What the Cyber Resilience Act really means for CNC machine users

Manufacturers have spent the past decade connecting machine tools to the internet, to boost productivity, add automation and enable remote diagnostics. But every network connection has expanded the potential attack surface.

According to new research by cybersecurity firm NCC Group, global ransomware attacks increased by 50% year-on-year in 2025, with the industrial sector accounting for around a third of all attacks.

This highlights that a company’s operational technology (OT) and industrial control systems (ICS) are no longer peripheral targets; they are now the primary ones. This is unsurprising, given that 41% of companies invest no more than 25% of their security budget in ICS/OT, according to research by the cybersecurity partnership OPSWAT-SANS.

Against that backdrop, the European Union’s Cyber Resilience Act (CRA) introduces a fundamental change. From September 2026, manufacturers must report actively exploited vulnerabilities and severe security incidents.

Machines must not only be “secure by design”, but vulnerabilities must be managed across their operational life. To achieve a CE mark, cybersecurity will now sit alongside mechanical safety and performance.

This is a major shift. CNC machines are no longer just mechanical systems with a control interface; they are connected digital products that run embedded operating systems, communicate across networks, transfer programmes and files, and enable remote support.

Secure by design in practice

There are five practical steps CNC users can take now to improve resilience and prepare for compliance.

Manufacturers should begin by reviewing how their CNC machines are connected and ensure clear segregation between office IT systems and shopfloor OT networks.

Historically, many machines have been connected directly to a factory’s office network for convenience, and in some cases even exposed to the wider internet. The CRA reinforces the need to secure these connections properly while preserving the benefits of connectivity.

The second step is to check external visibility. An easy way to check whether your CNC machine can reach the internet is to conduct a “ping” test. If the machine can successfully ping an external public address, such as Google’s 8.8.8.8, it is not isolated on the network. The converse does not hold: a failed ping only shows that ICMP is blocked, and many firewalls drop echo requests while still allowing outbound TCP connections, so confirm the firewall rules rather than relying on the ping alone.
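The following script is an added example, not part of the article or any vendor tool. It extends the ping test described above with a TCP probe, so that a machine whose firewall blocks ICMP but still allows outbound TCP is not wrongly reported as isolated. It assumes a Linux-style `ping` command and uses 8.8.8.8 port 53 (its public DNS service) as the probe target.

```python
"""Check whether a host on the shopfloor network can reach the internet.

Run it from the CNC control (if it has a Python runtime) or from a laptop
plugged into the same OT network segment.
"""
import socket
import subprocess

# Public address from the article; port 53 is its public DNS service.
PUBLIC_IP = "8.8.8.8"
PUBLIC_PORT = 53


def probe_icmp(host: str, timeout_s: int = 2) -> bool:
    """Return True if an ICMP echo reply comes back (Linux ping syntax)."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    except FileNotFoundError:  # ping binary not installed
        return False
    return result.returncode == 0


def probe_tcp(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def classify(icmp_ok: bool, tcp_ok: bool) -> str:
    """Map the two probe results to a verdict on network isolation."""
    if tcp_ok:
        return "not isolated: outbound TCP reaches the internet"
    if icmp_ok:
        return "not isolated: ICMP reaches the internet"
    return "no internet egress detected (confirm firewall rules, not just this test)"


if __name__ == "__main__":
    icmp = probe_icmp(PUBLIC_IP)
    tcp = probe_tcp(PUBLIC_IP, PUBLIC_PORT)
    print(f"ICMP echo to {PUBLIC_IP}: {'ok' if icmp else 'blocked'}")
    print(f"TCP to {PUBLIC_IP}:{PUBLIC_PORT}: {'ok' if tcp else 'blocked'}")
    print(classify(icmp, tcp))
```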

The third step is to review remote user access. Connections for service engineers or third parties should be encrypted, authenticated and restricted to a defined list of users with limited time windows, rather than left permanently open. This “zero-trust” approach means that access to the network is denied by default unless explicitly permitted.
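The access rule described above, as an added example that is not from the article or any vendor product: remote access is granted only to a named engineer, for a named machine, inside a pre-approved time window, and everything else is refused. The engineer names, machine names, ticket references and the 8-hour cap are constructed assumptions.

```python
"""Default-deny, time-boxed access check for remote service connections."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

MAX_WINDOW_HOURS = 8  # assumed site policy: no open-ended access


def utc(year, month, day, hour, minute=0):
    """Build a timezone-aware UTC timestamp (all windows are kept in UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessWindow:
    user: str        # authenticated identity of the service engineer
    machine: str     # CNC the approval applies to
    start: datetime  # UTC, inclusive
    end: datetime    # UTC, exclusive
    ticket: str      # approval reference kept for the audit trail


def approve_window(user, machine, start, hours, ticket) -> AccessWindow:
    """Create a window; refuse zero-length or over-long windows."""
    if hours <= 0 or hours > MAX_WINDOW_HOURS:
        raise ValueError(f"window must be 0 < hours <= {MAX_WINDOW_HOURS}")
    return AccessWindow(user, machine, start, start + timedelta(hours=hours), ticket)


def is_access_permitted(windows: Iterable[AccessWindow], user, machine, now) -> bool:
    """Deny by default: True only when an approved window covers the request."""
    return any(w.user == user and w.machine == machine and w.start <= now < w.end
               for w in windows)


# Constructed sample data: one approved four-hour service visit.
SAMPLE_WINDOWS = [
    approve_window("engineer.a", "vmc-01", utc(2026, 3, 10, 8), 4, "SR-0001"),
]

if __name__ == "__main__":
    for when in (utc(2026, 3, 10, 9, 30), utc(2026, 3, 10, 13, 0)):
        ok = is_access_permitted(SAMPLE_WINDOWS, "engineer.a", "vmc-01", when)
        print(when.isoformat(), "permitted" if ok else "denied")
```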

Fourth, manufacturers should reassess how part-programmes are transferred to their machines. Although USB storage devices are convenient, they significantly increase security risk and are often the weakest link in an otherwise secure network. Instead, users should move to secure file transfer systems and other traceable platforms.

The IT and OT divide

Most of us are used to how personal IT systems behave. If you run Microsoft Windows on a laptop, you are regularly prompted to install updates. Failing to do so is considered poor practice, as unpatched systems become vulnerable to security threats and malware.

CNC machines operate differently. Their industrial IoT operating systems are tightly integrated with drives, PLC controls and safety functions, typically validated as part of a long-term machine lifecycle.

Even a minor operating system update could alter timing, communications behaviour or driver compatibility, potentially affecting accuracy, reliability or safety.

Updates therefore cannot be pushed in the same way as office software. They must be tested, validated and deployed in a controlled manner, requiring clear planning and defined responsibilities between OEM and end user.

At Mazak, we’ve worked directly with high-level Cisco network engineers over a long period of time to develop our hardware solution. As of 1st January 2026, all machines ordered will have highly robust connectivity and network security capabilities built in as standard.

Mazak’s iCONNECT platform builds on that secure architecture. It was developed over three years and 40 per cent of our customers now use the free Mazak iCONNECT Information Hub, which includes access to machine manuals and information, FAQs and secure software downloads.

The premium M2M (Machine-to-Mazak) service adds remote support and diagnosis delivered by Mazak engineers, live machine monitoring from anywhere, machine usage history and the ability to set daily back-ups that can be restored quickly following a security incident, minimising downtime. Crucially, this service can be retrofitted to existing machines.

A structural shift

The Cyber Resilience Act comes at a time when modern manufacturing is more connected than ever before.

What it does is reinforce the need for these connections to be implemented in a secure and structured way, through clear network segmentation, controlled access and an approach that manages software over the life of the machine.

It also means that manufacturers can take advantage of connected technologies with greater confidence than ever before, whether that’s adding automation, real-time data or remote support, helping them build more dependable manufacturing environments.