Cyber Resilience Act

Yamazaki Mazak has partnered with worldwide technology leader Cisco Systems to ensure all its machine tools from January 2026 will be compliant with the upcoming changes to the Cyber Resilience Act (CRA).

The CRA is an EU regulation that establishes mandatory cyber security requirements for hardware and software products with digital elements placed on the European market. It requires manufacturers such as machine tools and laser technology providers, to build security into the design stage and provide support, including vulnerability handling and security updates throughout the operational life of the machine.

While the CRA came into force on 10 December 2024, the regulation allowed for a 36-month compliance window. However, from 11 December 2027, machines that are not compliant with the CRA will not be CE marked, which will inhibit them from being sold in the EU.

For machine tool operators, investing in machines that are compliant with the CRA can significantly improve their operational technology (OT) cyber security, helping to both de-risk and future proof production and provide reassurance to the wider supply chain.

FAQ's

The Cyber Resilience Act is an EU regulation that establishes mandatory cybersecurity requirements for most hardware and software products with digital elements placed on the European market. It aims to ensure secure-by-design and secure-by-default digital products throughout their lifecycle.

The CRA applies to manufacturers, software developers, importers, distributors, and any organisation supplying products with digital elements on the EU market. These include consumer and industrial devices, software applications and hardware–software systems that connect directly or indirectly to networks or other devices.

Yes. Many Mazak technologies incorporate digital elements such as CNC controls, software platforms, connected machines and smart factory systems which fall within the CRA’s broad scope for products capable of data connection.

The CRA entered into force on 10 December 2024, with most provisions becoming applicable 36 months later, while reporting obligations begin 21 months after entry into force. Additional obligations for manufacturers, including reporting of actively exploited vulnerabilities, begin on 11 September 2026.

Customers can expect the continued enhancement of:

Secure-by-design engineering
Stronger protection against cyber threats
Better transparency on cybersecurity updates
Increased resilience across connected manufacturing systems

These outcomes align with the CRA’s goal to improve product security, protect users from cyber risks and strengthen trust in digital technologies.

Mazak continues to develop and refine its vulnerability-handling procedures to meet CRA expectations. A Product Incident Support Team is in place to manage vulnerability reports in line with the CRA and will manage exploited vulnerabilities and severe incidents within strict timeframes (24 hours for early warning, 72 hours for full notification and final reporting after a fix).

Our Disclosure

Please read our full statement here.

Products

Technology & Solutions

Smooth Oscillation Cutting

News & Media

CYBER WORLD

Customer Stories

Service & Support

Local Support

Mazak iCONNECT

About Us

Environmental Strategy