
Humanoid Robots in the Cybersecurity Era: The Impact of the EU Cyber Resilience Act
This article explains how the EU Cyber Resilience Act (CRA) applies to humanoid and industrial robots, including product scope, key compliance deadlines, and the cybersecurity obligations manufacturers should understand when developing connected robotic systems for the European market. It was written by SRES consultants with expertise in functional safety, AI safety, SOTIF, cybersecurity, and autonomous systems, drawing on experience supporting OEMs, Tier 1 suppliers, robotics companies, and autonomous system developers.
Looking to go deeper? Explore SRES Physical AI training programs, including our EU Cyber Resilience Act (CRA) training. Need more than training? Explore our Robotics Safety consulting services supporting the development of safe, secure, and compliant robotic systems.
EU Cyber Resilience Act Series — Part 1: Scope Check and Deadlines
Modern factory floors are smarter than ever. Humanoid robots perform various activities such as: welding, sorting, and assembling with inhuman precision. Humanoid robots now walk your warehouse aisles. But every one of those robots is also a networked computer, and the EU just made cybersecurity your legal responsibility.
For decades, factory operators thought about robots in terms of physical safety: guardrails, emergency stops, collision sensors. Cybersecurity was an IT problem – firewalls, servers, laptops. Robots were machines. The assumption was that machines don’t get hacked.
That thinking is now dangerously out of date, and as of November 2024, it is also out of compliance with EU law.
What Changed? The CRA Enters the Factory
The EU Cyber Resilience Act (Regulation 2024/2847) is the first global law to impose mandatory cybersecurity requirements on physical products – not just software, not just IT systems, but anything with a digital element that connects to a network or another device.
That definition was not just written with products like smart fridges and connected toys in mind. It also covers industrial or household robots just as squarely. A robot reporting telemetry to a cloud dashboard. A robot receiving AI updates over Wi-Fi. A robot communicating with a warehouse management system. All of them are now CRA-regulated products.
Is Your Robot Covered? A 3-Step Test
Test 1: Does your robot connect to a network or another device?
CRA Article 2(1) and Article 3(10)
The CRA applies to products whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection to a device or network. This includes robots connected via Ethernet, Wi-Fi, Bluetooth, 5G, factory gateways, PLCs, or cloud platforms. Even if the robot does not connect directly to the internet, an indirect connection through a larger system is sufficient for CRA applicability.
Test 2: Is your robot a “product with digital elements”?
CRA Article 3(1)
A robot is more than hardware. Its firmware, operating system, control software, mobile applications, cloud services, and remote fleet management functions are all considered part of the product. The CRA defines a “product with digital elements” as a software or hardware product, including its remote data-processing solutions and separately marketed components.
Test 3: Is the robot commercially supplied in the EU?
CRA Article 2(1)
The CRA applies to products made available on the EU market as part of a commercial activity. This means the regulation applies regardless of where the manufacturer is located. A robotics company based in the United States, China, Japan, or elsewhere must comply if its products are sold or deployed within the European Union.
Quick Rule of Thumb
If your robot:
- Connects to a network (Article 2(1), Article 3(10)),
- Contains software or digital functionality (Article 3(1)), and
- Is commercially supplied in the EU (Article 2(1)),
then it is very likely covered by the Cyber Resilience Act.
Are There Any Exclusions That Apply to Robots?
- Medical robots (MDR/IVDR) : Robots covered by Regulation (EU) 2017/745 (Medical Device Regulation) or 2017/746 (In Vitro Diagnostic Medical Device Regulation) are excluded under Art. 2(2)(a) – (b). The MDR already imposes equivalent cybersecurity requirements.
- Aviation-certified robots: Robots certified under Regulation (EU) 2018/1139 (EASA) are excluded under Art. 2(3). This is a narrow exception for aerospace-grade products.
The Attack Surface You Didn’t Know You Had
Modern industrial and humanoid robots are connected, software-driven systems running Linux based platforms with sensors like cameras and lidar, and communicating via ROS2, Bluetooth, cellular, and cloud services. This creates a wide attack surface where operational data may be transmitted externally, sometimes without full operator awareness.
Security research has already demonstrated real-world vulnerabilities, including:
- Bluetooth hijacking: Attackers can exploit flaws in wireless protocols to remotely take control of deployed robots.
- Hard-coded encryption keys: Shared or leaked keys can allow compromise to spread across multiple robots, potentially enabling fleet wide control.
- Unauthorized data transmission: Some robots have been observed sending operational data to external servers without user consent.
- Default credentials & open ports: Weak factory settings and exposed services significantly increase the risk of unauthorized access.
These issues highlight why cybersecurity is now a core design requirement under regulations like the CRA.
The Numbers Behind the Risk
- 39 Known attack vectors across the humanoid robot ecosystem [2]
- 39 – 79% Security maturity range across current humanoid platforms [2]
- $13.8B Projected humanoid robot market value by 2028 [3]
Nation-state actors have already noticed. Recorded Future documented multiple espionage campaigns targeting the robotics industry since late 2024 with threat actors, and supply-chain infiltration attempts targeting semiconductor and electronics suppliers.
What the CRA Actually Requires from You
The CRA imposes obligations across the entire product lifecycle not just at the point of sale. For robot manufacturers and operators selling into the EU market, this means:
- Secure by design: No default passwords. Minimal attack surface. Secure update mechanisms. These must be baked into hardware and software architecture from day one, not patched in later.
- Lifecycle vulnerability management: Manufacturers must actively monitor, disclose, and patch vulnerabilities for the supported lifetime of the product not just at launch.
- Mandatory incident reporting: From September 2026, actively exploited vulnerabilities and significant incidents must be reported to EU authorities via a central platform within tight timeframes.
- CE marking: No CE marking = no EU market access. For robots, this now explicitly includes cybersecurity compliance, not just physical safety.
The Compliance Clock Is Ticking
The CRA entered into force in November 2024 and phases in over three years. The reporting obligations are not far off, and full compliance is required before the deadline that matters most: no CE marking, no EU sales.
| Stage | Date | What it means for your robot |
|---|---|---|
| 1 | Today | CRA is in force. Vulnerability reporting obligations are weeks away. Product design decisions made today determine 2027 compliance. |
| 2 | 11 September 2026 | Mandatory vulnerability and incident reporting via the EU single reporting platform begins. Non-compliance risks regulatory action. |
| 3 | 11 December 2027 | Full CRA application. All connected robots sold in the EU must carry CE marking covering cybersecurity. No exceptions. |
Non-EU manufacturers take note: The CRA applies to any company globally that sells products into the EU market. A Japanese, US, or Chinese robotics company shipping units to European customers must comply or lose access to the world’s largest single market.
Where This Leaves You
The robots in factories have always carried physical risk. Now they carry legal and cybersecurity risk too. The EU CRA doesn’t ask you to become a cybersecurity expert overnight but it does require you to treat your robots the same way you treat your IT infrastructure: with structured risk management, regular updates, and documented accountability.
The manufacturers who treat CRA compliance as a competitive differentiator rather than a legal burden will be the ones that win contracts in 2027 and beyond. Buyers will ask for compliance documentation. Insurers will price it in. Regulators will audit it.
The question is no longer whether your robots need cybersecurity. It’s whether you’ll be ready in time.
A Note on Getting Your Engineers Ready
SRES offers EU Cyber Resilience Act (CRA) training designed for product engineers working on connected hardware: how the regulation applies, how classification actually works in practice, the essential requirements you design against, and how the CRA sits with the GDPR, Machinery Regulation, and AI Act obligations a humanoid tends to trigger. The content is practical, regulation driven, and focused on helping engineering teams successfully develop and deliver compliant products.
References:
[1] European Parliament and Council of the European Union, “Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act),” Official Journal of the European Union, 2024. Available: https://eur-lex.europa.eu/eli/reg/2024/2847/oj
[2] Surve, P.P. et al. (2025). SoK: Cybersecurity Assessment of Humanoid Ecosystem. arXiv:2508.17481. https://arxiv.org/abs/2508.17481
[3] Markets and Markets (2023). Humanoid Robot Market worth $13.8 billion by 2028. PR Newswire, 14 July 2023.https://www.prnewswire.com/news-releases/301877354.html
Have insights or questions? Send us an email at info@sres.ai or leave a comment below—we welcome thoughtful discussion from our technical community.
Interested in learning more about our approach? Explore why teams choose SRES training and how we support organizations with consulting for automotive and physical AI applications.


