Deadlines & Regulatory Expectations
The Cyber Resilience Act introduces several deadlines, including the September 11, 2026 start of mandatory vulnerability and incident reporting and December 11, 2027 full CRA compliance becomes mandatory for product with digital elements placed on the EU market.
Q: From your perspective, which of these early deadlines will have the greatest operational impact on AGV/AMR suppliers?
A: The vulnerability and incident reporting obligations entering into force in September 2026 have a smaller, but still very important scope. They ensure that mechanisms and processes for communicating about actively exploited vulnerabilities and severe incidents will be in place, ultimately protecting businesses, users, and societies.
By December 2027, the CRA will be fully applied. It enforces a proactive approach to security, including Security by Design and Vulnerability Handling. It also sets requirements for lifecycle management so that customers know what to expect throughout the product’s lifetime.
Implications for AGV/AMR Manufacturers
The CRA requires security-by-design, post-market monitoring, and 24-hour reporting windows for actively exploited vulnerabilities.
Q: How will this reshape the engineering and product support processes for AGV/AMR solutions?
A: It requires significant effort to meet these requirements. AGV and AMR providers that use proven, high quality solutions from major suppliers like Kollmorgen will be in a much stronger position. Providers like us have the operational capacity needed to address these challenges in ways that are not possible for smaller players.
Manufacturers are expected to maintain SBOMs (Software Bill of Materials) and follow secure development and lifecycle processes.
Q: What new capabilities, tools, or organizational changes will AGV/AMR providers need to implement to stay compliant?
A: As mentioned in the previous question, the CRA raises the bar for how products must be developed and maintained. To stay compliant, AGV/AMR providers will need to introduce more formalized security practices across the entire lifecycle. This includes maintaining accurate SBOMs, adopting tools for continuous vulnerability monitoring, and establishing clear routines for incident response and secure updates. It will also require new competencies and closer coordination between engineering and product support. For many vendors, this represents a significant shift in how their organizations operate today.
Broader Market Impact
The CRA aims to harmonize cybersecurity expectations across the EU, influencing global markets even where the regulation is not legally required.
Q: In your view, how will EU CRA compliance expectations spill over into markets like the U.S. or APAC, particularly for global AGV/AMR providers?
A: Since the EU is an important market and most manufacturers offer their products globally, the strict requirements in the EU will also improve cybersecurity for (identical) products sold in other parts of the world.
Industry Readiness & Long-Term Outlook
Given the CRA’s emphasis on lifecycle security and continuous updates, vendors will need to rethink how their systems are architected, deployed, and maintained to remain competitive in the years ahead.
Q: How do you foresee AGV/AMR systems evolving over the next 5–10 years in terms of architecture, connectivity, and security centric design?
A: Cybersecurity relies on the continuous maintenance of systems rather than the former “install and forget” approach. Thus, I think that Operational Technology (OT) environments will increasingly rely on service based operational models, mirroring the evolution that has taken place within IT in recent years.
Many manufacturers still treat CRA as a “2027 issue,” despite operational requirements beginning much sooner.
Q: What misconceptions do you see in the industry today, and what should companies prioritize immediately in 2026?
A: I would say that companies that wait until 2027 take a huge risk. Not mainly because the obligations become mandatory in 2026, but because the obligations entering into force in 2027 are very extensive. In many cases, it will require considerable effort to make a system or product comply with the requirements of the CRA.
…
The CRA is accelerating a major shift in our industry, and only companies with robust security fundamentals will remain competitive. At Kollmorgen, we already have a strong security platform in place, enabling our customers to focus on designing and delivering great AGV and AMR systems instead of being slowed down by compliance complexity.
Contact Kollmorgen AMS Kollmorgen's Commitment to CRA