Industrial | Deadline: September 2026

CRA Compliance Checklist: CNC Machines & Industrial 3D Printers

Annex III Class I — networked CNC machines and industrial 3D printers are important products with safety-critical digital control elements

Networked CNC machines and industrial 3D printers are safety-critical manufacturing systems increasingly connected to production networks and cloud-based management platforms. Their digital control systems — including G-code interpreters, machine controllers, and remote monitoring agents — fall under the CRA. Most networked industrial CNC systems are Annex III Class I due to their safety-critical nature; those integrated into critical manufacturing infrastructure may be Class II.

15 checklist items | 15 high priority | Deadline: September 2026 | Sector: Industrial

CRA Classification: Annex III Class I — networked CNC machines and industrial 3D printers are important products with safety-critical digital control elements

1. Scope & Classification

Confirm that networked CNC controllers and 3D printer management systems are products with digital elements in scope

High priority | Article 3(1)

Any CNC machine or 3D printer with network connectivity, remote monitoring, or OTA update capability is in scope. Purely offline machines without network interfaces are not.

Assess whether Annex III Class I applies given the safety-critical nature of machine tool control systems

High priority | Annex III, Class I

CNC machines with networked digital controllers that can affect tool paths, speeds, or safety limits are likely Annex III Class I. Review the Annex III criteria.

Assess intersection with EU Machinery Regulation (2023/1230) — cybersecurity and safety requirements must both be met

High priority | Article 6, CRA / Machinery Regulation (EU) 2023/1230

CNC machines and 3D printers are machinery subject to the Machinery Regulation. Coordinate CRA cybersecurity compliance with Machinery Regulation safety compliance.

Compile an SBOM covering CNC controller firmware, G-code interpreter, machine management software, and any cloud connectivity SDK

High priority | Article 10(6)

Modern CNC controllers and 3D printers run embedded Linux or RTOS with proprietary control software and third-party components. All must be tracked.

2. Product Security (Annex I Part I)

Implement authentication for all remote access to machine controllers — eliminate anonymous or unauthenticated interfaces

High priority | Annex I, Part I(2)

Unauthenticated access to CNC controllers could allow malicious modification of tool paths or machining parameters, resulting in dangerous conditions or sabotaged parts.

Validate all G-code and machine command inputs to prevent injection of malicious machine instructions via file upload

High priority | Annex I, Part I(1)

G-code injection or malicious print file manipulation can cause physical damage or safety incidents. Implement strict input validation and sandboxing of uploaded programs.
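One way to implement the input-validation half of this item is an allowlist check run on every uploaded program before it reaches the interpreter. This is an added example, not code from the CRA or from any controller vendor; the permitted codes, axis limits and sample programs are assumptions for a hypothetical 3-axis mill, and sandboxing is not covered.

```python
import re

# Assumed policy for a hypothetical 3-axis mill working in millimetres and
# absolute coordinates only; real limits come from the machine's safety file.
ALLOWED_CODES = {"G0", "G1", "G21", "G90", "M3", "M5", "M30"}
LIMITS = {"X": (0.0, 500.0), "Y": (0.0, 400.0), "Z": (-150.0, 0.0),
          "F": (1.0, 8000.0), "S": (0.0, 12000.0)}
MAX_LINE_LEN = 256
NUM = r"[+-]?(?:\d+\.?\d*|\.\d+)"
WORD = re.compile(rf"([A-Z])({NUM})")
LINE = re.compile(rf"(?:[A-Z]{NUM})+")

def check_line(raw):
    """Return a rejection reason for one line, or None if it is acceptable."""
    if len(raw) > MAX_LINE_LEN:
        return "line too long"
    if not raw.isascii() or not raw.isprintable():
        return "non-printable or non-ASCII character"
    # Strip (...) and ;... comments, then the whitespace between words.
    code = re.sub(r"\(.*?\)", "", raw).split(";", 1)[0].upper()
    code = "".join(code.split())
    if not code:
        return None
    if not LINE.fullmatch(code):
        return "not a sequence of letter+number words"
    for letter, value in WORD.findall(code):
        num = float(value)
        if letter in "GM":
            name = f"{letter}{int(num)}" if num.is_integer() else f"{letter}{num}"
            if name not in ALLOWED_CODES:
                return f"{name} is not on the allowlist"
        elif letter in LIMITS:
            lo, hi = LIMITS[letter]
            if not lo <= num <= hi:
                return f"{letter}{value} outside [{lo}, {hi}]"
        elif letter != "N":  # N = optional line number
            return f"word {letter} is not permitted"
    return None

def validate_gcode(program):
    """Return [(line_no, reason)]; an empty list means the upload may proceed."""
    found = ((no, check_line(raw)) for no, raw in enumerate(program.splitlines(), 1))
    return [(no, why) for no, why in found if why]

# Constructed sample uploads, not taken from any real job file.
GOOD = "G21 G90 ; mm, absolute\nM3 S8000\nG0 X10 Y10 Z-1\nG1 X100 F600 (cut)\nM5\nM30\n"
BAD = "G21 G90\nM3 S50000\nG1 Z-400 F600\nM98 P100\nG1 X10 #5\n"
```

Relative positioning (G91) and inch units (G20) are deliberately left off the allowlist so that every coordinate can be compared directly against the absolute travel limits.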

Encrypt remote monitoring and management communications between machines and cloud or enterprise systems

High priority | Annex I, Part I(3)

Machine telemetry, job status data, and management commands must be encrypted in transit. Use TLS 1.2 or later for all remote communications.

Implement signed firmware updates for machine controllers — verify signatures before applying

High priority | Annex I, Part I(9)

Unsigned firmware updates can be exploited to install malicious controller code. Use hardware-backed signing keys and verify on-device before installation.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy with a security contact for machine controller and management platform vulnerabilities

High priority | Article 13(1)

Industrial machine tools are increasingly targeted by security researchers and nation-state actors. A clear CVD process with manufacturing security expertise is required.

Support scheduled maintenance window patching — provide patch packages that can be tested in staging before production deployment

High priority | Annex I, Part II(1)

Industrial manufacturers cannot interrupt production arbitrarily. Provide patch packages with testing guidance so customers can validate in a staging environment before applying to production machines.

Define a minimum 10-year security support period reflecting manufacturing equipment asset lifecycles

High priority | Annex I, Part II(5)

Industrial machine tools are capital assets with 10–20 year lifecycles. A 10-year security support commitment is appropriate. Publish per-model end-of-support dates.

4. Article 14 Incident Reporting

Define Article 14 triggers for CNC and 3D printer incidents — focus on safety system bypass, intellectual property theft, and sabotage of production parts

High priority | Article 14(1)

A vulnerability enabling remote modification of machining parameters or print parameters in safety-critical part production is a high-severity Article 14 trigger.

Document the Article 14 notification procedure including OT security, product safety, and legal escalation paths

High priority | Article 14(2)

Industrial machine incidents involve both cybersecurity and product safety considerations. Ensure both OT security and product safety teams are in the Article 14 escalation chain.

5. CE Marking & Technical Documentation

Prepare an integrated CRA and Machinery Regulation technical file — avoid duplicating safety and security documentation

High priority | Article 23, Annex V

CNC machine technical files typically already exist for Machinery Regulation CE marking. Extend them with CRA cybersecurity risk assessment, SBOM, and CVD policy sections.

Issue EU Declaration of Conformity referencing both the CRA and the Machinery Regulation

High priority | Article 20, Article 22

A single DoC can reference multiple applicable pieces of legislation. Ensure the CRA is explicitly listed alongside the Machinery Regulation.


Frequently asked

Our CNC machine is sold with a standalone controller — does the controller need its own CRA compliance?

The controller is a component of the product. If you place the complete machine (hardware plus controller) on the market as a single product, you are responsible for CRA compliance of the whole. If you sell the controller separately as a standalone product, it needs its own CRA compliance. Either way, the controller software must meet Annex I requirements.

Our 3D printers are used to manufacture aerospace parts — are there additional CRA obligations?

The CRA requirements are the same regardless of the end application. However, if your printers are integrated into aerospace supply chain production systems connected to critical infrastructure networks, the overall system classification may be higher. Additionally, aerospace-sector customers may impose contractual security requirements beyond the CRA minimum. Your CVD policy and security support commitments should reflect the safety-critical nature of aerospace applications.

We offer a cloud management platform for remotely monitoring our CNC fleet — is the cloud platform in scope for the CRA?

Cloud-based services are generally outside CRA scope, which focuses on products with digital elements. However, the CNC machine firmware and any on-device management agent that communicates with the cloud platform are in scope. If you supply the cloud platform as a bundled product component (not a standalone SaaS service), it may be considered part of the product and within scope.
