Refurbished Industrial Robots & the EU 2027 Cybersecurity Rules
Two new EU regulations bring cybersecurity into machinery law for the first time. If you are planning to buy a refurbished robot, here is what actually changes for you - and what does not.
20 Jan 2027
Machinery Regulation (EU) 2023/1230First cybersecurity requirements for machinery.
11 Dec 2027
Cyber Resilience Act (EU) 2024/2847Requirements for products with digital elements, including connected robots. Reporting duties already from 11 Sep 2026.
On this page
1. The regulation - what changes in 2027
Two regulations introduce, for the first time, cybersecurity requirements into the world of industrial machinery:
- Machinery Regulation (EU) 2023/1230 - applies from 20 January 2027. It sets essential cybersecurity requirements for machinery, notably Annex III §1.1.9 ("Protection against corruption") and §1.2.1 ("Safety and reliability of control systems").
- Cyber Resilience Act (EU) 2024/2847 - applies from 11 December 2027 (with vulnerability-reporting duties starting 11 September 2026). It covers "products with digital elements", including connected robots.
Both are about making machines resilient to reasonably foreseeable misuse and tampering - not about demanding perfection.
2. Is buying a refurbished robot still compliant?
In most cases, yes - and no new obligations arise. Here is why:
- Legacy status is preserved. Products lawfully placed on the EU market before the application dates keep their status (Machinery Reg. art. 52(1); CRA art. 69(2)). The CRA only re-engages if the product undergoes a substantial modification after that date.
- Repair and refurbishment are not a substantial modification, as long as the intended use and risk level do not change (CRA recital 42).
- The original CE marking stays valid. Original certificates and conformity remain valid (Machinery Reg. art. 52(1)-(2)).
3. When obligations do arise
There are three situations buyers should know about, because they change who is responsible:
Importing from outside the EU
A robot imported from a third country is treated as placed on the market - i.e. as new (Machinery Reg. recital 10). The importer becomes responsible for current conformity; a non-EU "CE" plate is not equivalent to a valid EU CE marking.
Substantial modification
A change not foreseen or planned by the manufacturer that affects safety or compliance (Machinery Reg. art. 3(16); CRA art. 2(30)) makes whoever performs it the "manufacturer", with all related duties (Machinery Reg. art. 18; CRA art. 22). Adding axes within the manufacturer's standard is a foreseen change - not substantial - so the CE stays valid.
Building an assembly
Combining a robot and a welder to work "as an integral whole" creates an assembly of machinery - a new machine with its own intended use (Machinery Reg. art. 3(1)(a) and (d)). Whoever builds the working assembly becomes its manufacturer: new risk assessment, new CE for the assembly, technical file and declaration of conformity (Annex III 1.2.4.4: the emergency stop must halt both robot and welder). Following each maker's integration rules is necessary but not sufficient - the hazards of the combination (arc, fumes, moving torch) are not covered by the original CE markings.
4. Cybersecurity of older-generation robots - how we protect them
Older robots do not verify the authenticity of the instructions they receive: they execute whatever arrives on the expected interface. The law does not demand invulnerability - it requires proportionate protection against "reasonably foreseeable malicious attempts" (Annex III 1.2.1) and evidence of intervention (1.1.9).
Our approach is defence in depth - trust is built around the robot: physical security, network segmentation, disabled USB/ports, whitelist gateway, role-based accounts and passwords, logging, software integrity, plausibility limits.
Where a higher level is justified by the risk assessment, the recommended solution is an encrypted, safety-rated bridge PLC inside a closed and sealed cabinet. It authenticates and encrypts on the outward side (TLS / IEC 62443) and implements certified safety functions (SIL/PL per IEC 61508 / 62061 / ISO 13849), while the cleartext run to the robot stays short and physically protected. Conditions: the bridge is the only access path, encryption is genuinely configured, safety is independent from the gateway part, logging is in place, and everything is documented in the technical file. Residual risk - physical access to the cabinet - is mitigated by seals, open-detection and independent safety, and recorded in the risk assessment.
5. Our approach to compliance
Measures that cost almost nothing - disabled USB, role-based passwords, network segmentation - we apply as standard. Costlier measures are calibrated to the real risk of your site, because it is the risk assessment that defines what is "reasonably foreseeable".
Every unit we refurbish keeps its original conformity documentation. Where we provide a standard base configuration, it can be assessed once and reused across identical units (internal production control, art. 25). For the base "robot + controller" unit (e.g. KRC4), where the cyber requirements mostly live, a single standard configuration is reusable across all units with that controller.
A single certification does not cover every final application: each different cell or assembly needs its own conformity - or we can supply the base unit as partly completed machinery with a declaration of incorporation and assembly instructions (art. 22), leaving the final CE to the integrator.
6. Frequently asked questions
Will buying a used robot still be legal after 2027?
Yes. Robots lawfully placed on the EU market before the application dates keep their legacy status (Machinery Reg. art. 52(1); CRA art. 69(2)). No new obligations arise from resale or refurbishment alone.
Does the original CE marking stay valid on a refurbished robot?
Yes. Original certificates and conformity remain valid (Machinery Reg. art. 52(1)-(2)), provided intended use and risk level are unchanged.
Does adding external axes require new certification?
No, if the axes are added within the manufacturer's standard. That is a foreseen change, not a substantial modification, so you do not become the manufacturer and the CE stays valid.
If I add a welder to the robot, who is responsible for the CE?
Whoever builds the working assembly. Combining robot + welder to operate as one creates a new assembly of machinery (Machinery Reg. art. 3(1)(a),(d)), requiring a new risk assessment and a new CE for the assembly.
Can I certify a standard configuration and reuse it?
Yes, for identical units. A standard "robot + controller" configuration can be assessed once and replicated on identical units via internal production control (art. 25). It does not cover every different final application.
How do you secure an old robot that does not support encryption?
Through defence in depth (physical security, segmentation, disabled ports, whitelist gateway, logging) and, where justified, an encrypted safety-rated bridge PLC in a sealed cabinet - all documented in the technical file.
What does "substantial modification" mean?
A change not foreseen or planned by the manufacturer that affects safety or compliance (Machinery Reg. art. 3(16); CRA art. 2(30)). Performing one makes you the "manufacturer" with the related duties.
Is a robot imported from outside the EU treated as new?
Yes. Import from a third country counts as placing on the market (Machinery Reg. recital 10). The importer is responsible for current conformity; a non-EU CE plate is not equivalent to valid EU CE marking.
Planning a purchase and want certainty on compliance?
Talk to our team - we will walk you through what applies to your specific case.
Contact us