EN 50742: New draft standard for cybersecurity of machines
The new EU Machinery Regulation (EU) 2023/1230 introduces binding cybersecurity requirements for machinery for the first time. It applies to all machinery placed on the market from 20 January 2027 onwards.
Cybersecurity thus becomes an explicit part of the regulatory framework for machine manufacturers – not as a general IT security requirement, but only where cyberattacks can affect the safety of machinery.
To specify these new legal requirements, the harmonised standard EN 50742 “Protection against corruption” is under development. The draft is so far available only in English, for example from BSI (the British Standards Institution) and DIN Media. A German version is expected shortly.
What does the draft standard EN 50742 regulate?
EN 50742 defines requirements and recommendations to prevent accidental and intentional (including malicious) manipulation of machinery that could lead to hazardous situations.
The scope of the standard includes hardware components, software and data, if they could influence the safety of the machine.
EN 50742 is therefore not a general cybersecurity standard, but a machine-specific standard focused on safety-related parts of machinery and machinery components.
Key insight of the standard
One central statement of EN 50742 is:
Vulnerabilities do not create new hazards,
but their exploitation can compromise existing protective measures.
For this reason, the standard consistently builds on the established safety process that machine manufacturers already apply today.
Procedure according to EN 50742
The standard defines a clearly structured sequence of steps:
1. Risk assessment according to ISO 12100
First, a risk assessment according to ISO 12100 must be performed.
As before, all potential hazards of the machine are identified and appropriate protective measures are defined.
This risk assessment forms the basis for all subsequent steps.
2. Definition of the Security Context
The next step is to define the Security Context of the machine.
The Security Context describes the conditions under which the cybersecurity of the machine is ensured. In cybersecurity, the Security Context corresponds to what is referred to in safety standards as the “intended use”.
The Security Context must be clearly defined and documented in the operating instructions.
3. Threat assessment
Based on the Security Context as well as the identified hazards and protective measures, a Threat Assessment must then be carried out.
Principles for handling vulnerabilities
For dealing with identified vulnerabilities, EN 50742 defines three clear principles:
- Eliminate: Vulnerabilities must be eliminated wherever they can lead to hazardous situations.
- Mitigate: If elimination is not possible, vulnerabilities must be mitigated.
- Inform: For all remaining vulnerabilities, the user information must contain all necessary details on appropriate countermeasures.
Two alternative implementation approaches
For the practical implementation of the requirements, EN 50742 provides two equivalent alternatives:
Alternative A – EN 50742 based approach
This approach is aimed at companies that do not already work according to the IEC 62443 series of standards.
Using the parameters:
- Exposure Level
- Attacker Capability Score
- Window of Opportunity Score
an Attack Potential is determined.
In combination with the Severity Level derived from the ISO 12100 risk assessment, the Attack Potential determines a Safety-Related Security Level (SRSL).
For each SRSL, the standard specifies concrete requirements, for example for authentication.
Alternative B – IEC 62443 based approach
Companies already applying IEC 62443 may use this approach:
- Implementation of a secure development process according to IEC 62443-4-1
- Implementation of machine requirements according to IEC 62443-3-3
- Implementation of component requirements according to IEC 62443-4-2
For each requirement, the necessary Security Level is defined.
Supporting annexes of the standard
The draft standard includes several practical annexes:
- Annex A: Examples of logging formats
- Annex B: Threat assessment
- Annex C: Threat modelling for safety systems
- Annex D: List of threats and possible mitigations
These annexes support manufacturers in the practical implementation of the standard.
Why machine manufacturers should act now
With the draft of EN 50742, a concrete basis is available for the first time to implement the cybersecurity requirements of the Machinery Regulation in practice.
Even though the final version of the standard may still be several months away, waiting is the wrong approach:
All machinery and safety-related components placed on the market after 20 January 2027 must comply with the requirements of the Machinery Regulation – including its cybersecurity aspects.
Support for implementation
Drawing on decades of experience in cybersecurity and automation technology, we support machine manufacturers and component suppliers in implementing EN 50742.
Use our contact form to get in touch – our ISO 3691-4 expert will respond promptly.

