
Cybersecurity: Why OEMs must act now

The Cyber Resilience Act (CRA) fundamentally changes the compliance requirements for mobile machinery. Part three of our blog series "Safety, Security & AI" shows how manufacturers can secure their mobile machines and keep costs under control.

The challenge is real: As of December 11, 2027, the Cyber Resilience Act (CRA) will be fully mandatory for all products with digital elements newly placed on the EU market. Already from June 11, 2026, the deadlines for conformity assessment will shorten, and from September 11, 2026, so will those for reporting obligations regarding security incidents. Off-highway manufacturers must ensure cybersecurity for the entire lifecycle of a product – from development and operation to decommissioning. For this purpose, OEMs are converging cybersecurity and functional safety, but they are also obligated to convert all legacy systems that are still in series production. Part three of our blog series "Safety, Security & AI" focuses on cybersecurity and how OEMs can transform compliance requirements into competitive advantages.

What does the CRA mean for mobile machinery?

According to the CRA's requirements, cybersecurity must be considered in a Security-by-Design approach from the start of development throughout the entire product lifecycle. This includes:

  • Risk analyses and threat assessments (TARA)
  • Evidence of security measures
  • Security monitoring and incident management during operation


For mobile machinery, this is a complex undertaking because the machines are highly networked, operate in harsh environments, and sometimes have open architectures – all factors that increase the attack surface. Those who neglect CRA compliance risk high fines (up to 2% of global annual turnover), significant insurance, liability, and reputational damage, as well as the loss of market access (e.g., due to a missing CE certificate). In plain terms: only CRA-compliant machines may then be placed on the EU internal market. The central question, therefore, is: How can OEMs with limited resources achieve security compliance without costs exploding and without being prevented from selling their machines in the EU?

Achieving guaranteed security compliance together

With BODAS, Bosch Rexroth offers a holistic ecosystem that supports OEMs in implementing complex regulatory requirements. The foundation: proven security processes and technologies from Bosch in the Automotive sector, which Bosch Rexroth has transferred to mobile machinery with its extensive off-highway experience. A crucial point: The complete BODAS offering of modular solutions, products, and support is based on ISO 21434 and covers the entire lifecycle – from security design and implementation to decommissioning, including vulnerability and incident management.

CRA compliance for mobile machinery

Consistent, transparent, future-proof: Proven solutions and processes from Bosch in the Automotive sector reliably ensure CRA compliance for mobile machinery as well. (Graphic: Bosch Rexroth AG)

1. Methodological Foundation: The Security Engineering Process

As part of their Security-by-Design approach, OEMs must demonstrate cybersecurity throughout the entire product lifecycle – from conception and production to operation (e.g., for CE certification). Without a clear security process, this is hardly possible.

Solution approach: With Bosch Rexroth as a partner, OEMs benefit from a proven security engineering process from Bosch in the Automotive sector, which the BODAS Ecosystem also uses as a solid foundation. This includes clear guidelines for development, production, and operation, documented conformity of the products used (controllers, telematics units, or assistance functions), as well as the integration of safety and security into a consistent lifecycle model.

2. Process Implementation: Identify, Assess, and Secure Risks

In the implementation phase, the defined security process is put into practice. A crucial role is played by risk assessment – both in this phase and throughout the product's further lifecycle. Within the framework of Threat Analysis & Risk Assessments (TARAs), attack surfaces are systematically identified and evaluated. Additionally, OEMs must define concrete measures to bring identified security risks to an acceptable level. Furthermore, transparent evidence for each software component used is mandated via a Software Bill of Materials (SBOM). All security features must be state-of-the-art and updateable so that they can keep pace with the evolution of standards.

Solution approach: Bosch Rexroth reduces the implementation effort for OEMs by consistently implementing the TARA and SBOM obligations for all BODAS software. This allows OEMs to easily fulfill their own proof obligations and to derive and document effective measures for incident management. State-of-the-art security features like Secure Boot, Secure Logging, encryption, or digital signatures are standard in the BODAS Ecosystem and are continuously developed further. Furthermore, Bosch Rexroth helps OEMs achieve CRA security conformity even more efficiently by providing ready-to-use APIs, ready-to-use toolchains, and CRA software migration support.

3. Security Monitoring – Ensuring Security in Operation

Implementation done, task completed? By no means. Even after delivery, security remains an ongoing task. Manufacturers are obligated to monitor their systems, detect and assess security incidents, and report them to their customers and authorities. In security monitoring – the longest phase of the security process throughout the product's lifespan – OEMs must constantly look out for potential vulnerabilities. Since these can arise at any time, seamless vulnerability management is also mandatory. If a security incident occurs, the security gaps must be closed quickly – and without machine downtime.

Solution approach: Even during the operational phase, OEMs can fully rely on the product quality of the BODAS Ecosystem when it comes to security. The BOSCH Incident Monitoring System combines the proven infrastructure with structured processes for evaluating and reporting security incidents and covers all CRA requirements out-of-the-box – including incident management, vulnerability handling, and 24x7 monitoring. The BOSCH Incident Response Team monitors all Rexroth systems around the clock, analyzes alarms, and compares the results with public vulnerability databases. Using BODAS Over-the-Air (OTA) services, OEMs can efficiently, securely, and traceably transfer patches and updates to individual machines and defined fleet segments when needed. A significant added value: The non-proprietary Flashing over the Air (FOTA) also works with third-party IoT solution providers (BODAS OTA Partner).

Starting Together – Efficiently and Securely

When it comes to security, early action also pays off. Those who properly establish and implement regulatory security for their entire vehicle fleet secure their access to the EU internal market and thereby gain a clear competitive advantage. The good news: OEMs do not have to tackle the complex requirements alone. Together with Bosch Rexroth, the compliant BODAS Ecosystem, and the proven processes of Bosch in the Automotive sector, they can master every single project phase of the security lifecycle according to ISO 21434 with significantly reduced effort: from security engineering and implementation to monitoring and incident management.

But that is just one aspect: together with Bosch Rexroth and the BODAS Ecosystem, manufacturers of mobile machinery lay the foundation for an entirely future-proof vehicle fleet. The proven and modular BODAS platform has much to offer: it is open, so new functions can be integrated as needed; scalable, so all machine series can be secured efficiently; and easily accessible, so innovative machines can succeed in the market quickly, efficiently, and securely.

Do you also see compliance as a lever for trust, market position, and future security? Meet the experts and members of the myBODAS Community now and gain your knowledge advantage or contact us directly regarding Safety & Security Consulting.

All articles from this blog series "Safety, Security, and AI for Mobile Working Machines":

01. Cybersecurity, Functional Safety and AI: What matters now for off-highway manufacturers
02. Functional safety: How OEMs master the requirements of EU-MVO, CRA, and AI Act
03. Cybersecurity: Why OEMs need to act now

Yves Dasse

Yves Dasse is Bosch Cybersecurity Expert and Excellence Owner Software Development in the Business Unit Mobile Solutions at Bosch Rexroth. He has extensive experience in system development for off-highway machines and automotive.

Wanjing Su

Wanjing Su is Software Group Leader in the Business Unit Mobile Solutions at Bosch Rexroth. She has extensive experience in Functional Safety, embedded software, and tool software development for off-highway machines.

Martin Sykora

Martin Sykora is Head of Sales for Mobile Electronics at Bosch Rexroth. He has been with the Bosch Group for over 22 years and has worked in the field of mobile electronics for more than 19 years. In his position, Martin and his team serve as the global point of contact for mobile customers seeking BODAS-based solutions to support the digital transformation of mobile work machines.