Skip to content

Dual compliance

Most machinery with digital elements sits under two regulations at once: the CRA and the Machinery Regulation (EU) 2023/1230, which applies from 20 Jan 2027 and makes cybersecurity an essential health and safety requirement. Dual compliance is the “do it once” view: your Annex I register is the single evidence base, and a versioned crosswalk derives what that evidence demonstrates elsewhere.

Machinery Regulation, Annex III:

  • 1.1.9 — Protection against corruption: connected devices must not create hazardous situations; safety-critical hardware, software, and data protected against corruption, with evidence of intervention collected; the machinery must identify its safety-relevant installed software.
  • 1.2.1(a) — control systems must withstand, where appropriate to the circumstances and risks, intended and unintended external influences, including reasonably foreseeable malicious attempts from third parties leading to a hazardous situation.
  • 1.2.1(f) — the tracing log of intervention-related data and of safety-software versions uploaded after placing on the market, enabled for five years after each upload, exclusively to demonstrate conformity to a competent authority’s reasoned request.

(The labels shown in Resilic are short paraphrases of the OJ text, and marked as such.)

AI Act leg — via CRA Art. 12: for products with a recorded in-scope high-risk AI system (see AI systems), CRA Art. 12(1) can deem the cybersecurity requirements of AI Act Art. 15 complied with — only cybersecurity, never Art. 15’s accuracy or robustness — and only where Annex I Parts I and II are fulfilled and the protection level is demonstrated in the CRA EU declaration of conformity. The report always carries this standing condition: the AI-Act leg can never show as “done” from register status alone. With no in-scope AI systems recorded, the leg is reported as not relevant to any recorded AI system.

For each target requirement, the crosswalk names the CRA Annex I entries that evidence it and a rationale for the mapping. The status is computed on read from your register — Met (all mapped entries met or justifiably not applicable), Partial, or Gap — nothing is stored, so a crosswalk correction never leaves stale verdicts.

The view exports as a PDF demonstration in any state — the current state is printed, including the caveats and a cross-citation of how many of your products carry an approved cyber risk assessment (which frames the 1.2.1(a) “appropriate to the risks” wording).

The MR interaction works only “if the manufacturer demonstrates it” — this feature is that demonstration, structured and printable. It is readiness evidence, not a conformity assessment, not a CE claim, and not a statement that either regulation is “covered”.