Two new pieces of European Union legislation, the Cyber Resilience Act (CRA) and the new Machinery Regulation (EU 2023/1230), are set to have a profound impact on the entertainment industry. These regulations introduce a new era of accountability for manufacturers, importers, and distributors, with a strong focus on cybersecurity and a modernised approach to machinery safety. For an industry that thrives on pushing the boundaries of technology, understanding and complying with these new rules will be crucial for ensuring the safety of performers, crew, and audiences, as well as for maintaining access to the European market.

This article will provide a comprehensive overview of the CRA and the new Machinery Regulation, explaining what they are, when they must be implemented, and how they relate to the CE and UKCA marking schemes. We will then delve into the specific applications and implications of these regulations for machinery and technology in the entertainment industry, covering theatre, tours, and film productions.

The EU Cyber Resilience Act (CRA): A New Era for Digital Product Security

The Cyber Resilience Act is a landmark piece of EU legislation that aims to enhance the cybersecurity of products with digital elements. In an increasingly connected world, where everything from lighting consoles to audio processors is connected to the internet, the CRA seeks to ensure that these products are secure by design and that manufacturers are responsible for their cybersecurity throughout their lifecycle.

What is the CRA?

The CRA establishes a set of horizontal cybersecurity rules for a wide range of products with digital elements, from consumer IoT devices to industrial control systems. The act is designed to address the growing threat of cyberattacks by ensuring that products placed on the EU market are secure from the moment they are designed and that manufacturers have processes in place to manage vulnerabilities and provide security updates.

The key objectives of the CRA are to:

  • Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle.
  • Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers.
  • Enhance the transparency of security properties of products with digital elements.
  • Enable businesses and consumers to use products with digital elements securely.

Scope of the CRA

The CRA has a very broad scope and applies to all “products with digital elements” whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. A “product with digital elements” is defined as any software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.

This means that a vast range of equipment used in the entertainment industry will fall under the scope of the CRA, including:

  • Lighting control desks and systems
  • Audio mixing consoles and processors
  • Video servers and media players
  • Automated rigging and scenery control systems
  • Networked audio and video equipment
  • Wireless communication systems
  • Cameras and other film production equipment with network connectivity

The CRA does not apply to certain products that are already covered by other EU legislation with similar cybersecurity requirements, such as medical devices, aviation, and cars.

Key Requirements of the CRA

The CRA imposes a range of obligations on manufacturers, importers, and distributors of products with digital elements. The key requirements for manufacturers include:

  • Security by Design and by Default: Products must be designed, developed, and produced with an appropriate level of cybersecurity. They must be placed on the market with a secure-by-default configuration, including the possibility to reset the product to its original state.
  • Vulnerability Management: Manufacturers must have a process in place to handle vulnerabilities effectively. This includes identifying and documenting vulnerabilities, addressing them without delay, and providing security updates to users.
  • Security Updates: Manufacturers must provide security updates for their products for a reasonable period of time, which is presumed to be five years unless the product’s lifetime is shorter.
  • Information and Instructions: Manufacturers must provide users with clear and understandable information about the security of their products, including instructions on how to use them securely and how to install security updates.
  • Conformity Assessment: Manufacturers must carry out a conformity assessment to ensure that their products meet the essential cybersecurity requirements of the CRA.
  • CE Marking: Once a product has been shown to comply with the CRA, the manufacturer must draw up an EU declaration of conformity and affix the CE marking to the product.

Implementation Timeline

The Cyber Resilience Act entered into force on December 10, 2024. However, most of its obligations will apply in a phased manner to give manufacturers time to adapt:

  • September 11, 2026: The reporting obligation for manufacturers for actively exploited vulnerabilities and severe incidents will apply.
  • December 11, 2027: The CRA will fully apply, and all products with digital elements placed on the EU market must comply with its requirements.

The CRA and CE Marking

The CRA is a “New Legislative Framework” regulation, which means that it uses the CE marking to indicate compliance. The CE marking is a well-established mark that signifies that a product meets the essential requirements of the relevant EU legislation.

Under the CRA, the CE marking will also indicate that a product complies with the cybersecurity requirements of the act. This will provide a clear and recognizable signal to consumers and businesses that a product is cybersecure. Manufacturers of products with digital elements will need to ensure that their products meet the requirements of the CRA before they can affix the CE marking and place them on the EU market.

The New EU Machinery Regulation (EU 2023/1230): Modernising Machinery Safety

The new EU Machinery Regulation (EU 2023/1230) represents a significant update to the EU’s flagship legislation on machinery safety. It replaces the previous Machinery Directive (2006/42/EC) and introduces a range of new requirements to address the risks posed by new technologies such as artificial intelligence (AI) and the Internet of Things (IoT), as well as a greater emphasis on cybersecurity.

From Machinery Directive to Machinery Regulation

The previous Machinery Directive has been the cornerstone of machinery safety in the EU for over a decade. However, the rapid pace of technological change has created new challenges that the directive was not designed to address. The new Machinery Regulation aims to modernise the legal framework for machinery safety and ensure that it is fit for the digital age.

One of the key changes is the move from a directive to a regulation. A directive sets out a goal that all EU countries must achieve, but it is up to the individual countries to decide how to do so. A regulation, on the other hand, is a binding legislative act that must be applied in its entirety across the EU. This will ensure a more harmonised application of the rules and reduce legal fragmentation.

Key Changes in the New Regulation

The new Machinery Regulation introduces a number of important changes, including:

  • Cybersecurity: The regulation introduces new essential health and safety requirements for the protection of machinery against corruption. This means that machinery must be designed and constructed in such a way that it is protected against accidental or intentional corruption that could lead to a hazardous situation.
  • Artificial Intelligence: The regulation addresses the risks posed by AI systems in machinery. It introduces new requirements for the safety and control of machinery with self-evolving behaviour or learning capabilities.
  • Autonomous Machinery: The regulation includes new provisions for autonomous and remote-controlled machinery, which are becoming increasingly common in many industries, including entertainment.
  • Digital Documentation: The regulation allows for the provision of instructions for use in a digital format, which will reduce the administrative burden on manufacturers and make it easier for users to access information.
  • High-Risk Machinery: The regulation updates the list of high-risk machinery that requires a conformity assessment by a third-party notified body. This list now includes machinery with embedded AI systems that have a safety function.

Implementation Timeline

The new Machinery Regulation entered into force on July 19, 2023. It will become applicable on January 20, 2027. Until that date, the current Machinery Directive (2006/42/EC) will continue to apply. Manufacturers have a transition period to adapt their products and processes to the new requirements.

The Machinery Regulation and CE Marking

Like the CRA, the new Machinery Regulation is a “New Legislative Framework” regulation that uses the CE marking to indicate compliance. The CE marking on a piece of machinery signifies that it meets the essential health and safety requirements of the regulation.

Manufacturers of machinery will need to ensure that their products comply with the new requirements of the Machinery Regulation before they can affix the CE marking and place them on the EU market after January 20, 2027.

Navigating the Post-Brexit Landscape: The UKCA Mark

Following the UK’s departure from the European Union, a new product marking scheme, the UKCA (UK Conformity Assessed) mark, has been introduced for goods being placed on the market in Great Britain (England, Wales, and Scotland). The UKCA mark is the UK’s equivalent of the EU’s CE marking.

The UKCA Mark Explained

The UKCA mark is used to indicate that a product conforms to the relevant UK legislation. For machinery and products with digital elements, this means complying with the UK’s own versions of the Machinery Safety Regulations and, in the future, any cybersecurity regulations that the UK may introduce.

Currently, the UK government has not introduced these two new regulations.

The Digitisation of Entertainment Technology

Modern entertainment productions contain numerous interconnected technologies. Lighting, sound, video, and automation systems are no longer standalone units but are part of a complex network that is often controlled from a central point. They might also use protocols like PSN and timecode to interconnect and send information from one system to another. This digitisation has brought about incredible creative possibilities, but it has also introduced new vulnerabilities. A cyberattack on a theatre's lighting system could plunge the stage into darkness, while a vulnerability in a touring production's sound system could be exploited to disrupt a performance. More seriously, a failure of machinery might injure or even kill a performer, and the failure of machinery holding a large weight over the audience could produce a mass-casualty event. The CRA is designed to address these risks by ensuring that all digital components of entertainment technology are secure.

CRA in the Entertainment Industry: Securing Connected Systems

The CRA will apply to a wide range of equipment used in the entertainment industry, from the control desks and processors to the individual fixtures and devices. Manufacturers of this equipment will need to:

  • Conduct a cybersecurity risk assessment to identify and mitigate potential vulnerabilities.
  • Implement security features such as authentication, access control, and encryption.
  • Provide a secure-by-default configuration to minimise the risk of misconfiguration.
  • Establish a vulnerability management process to identify and patch security flaws.
  • Provide security updates to users for a reasonable period of time.

This will require a significant shift in the way that entertainment technology is designed and developed. Manufacturers will need to integrate cybersecurity into their product development lifecycle and provide ongoing support to their customers.

Machinery Regulation in the Entertainment Industry: Safety and Cybersecurity of Stage and Production Equipment

The new Machinery Regulation will also have a significant impact on the entertainment industry, particularly in the area of stage and production machinery. The regulation’s new focus on cybersecurity is particularly relevant to automated scenery, rigging, and other stage machinery that is controlled by software.

Manufacturers of stage machinery will need to:

  • Protect their machinery against corruption that could lead to a hazardous situation.
  • Ensure the safety and control of machinery with AI systems, such as those that might be used for performer flying or other complex automated movements.
  • Comply with the new requirements for autonomous and remote-controlled machinery, such as follow-spot systems that can be operated remotely.

The regulation will also require manufacturers to provide clear and comprehensive instructions for use, which can be provided in a digital format. This will be a welcome development for an industry that is often on the move and needs to be able to access information quickly and easily.

Practical Implications for Manufacturers, Importers, and End-users

The introduction of the CRA and the new Machinery Regulation will have practical implications for all stakeholders in the entertainment industry:

  • Manufacturers will need to invest in cybersecurity and update their design and development processes to comply with the new requirements. They will also need to provide ongoing support to their customers in the form of security updates and vulnerability management.
  • Importers and distributors will need to ensure that the products they place on the EU market comply with the new regulations. They will need to verify that products have the CE marking and that the manufacturer has drawn up a declaration of conformity.
  • End-users, such as theatres, production companies, and rental houses, will need to be aware of the new regulations and ensure that the equipment they purchase and use is compliant. They will also need to follow the manufacturer’s instructions for secure use and install security updates as they become available.

Conclusion

The Cyber Resilience Act and the new Machinery Regulation represent a significant step forward in the regulation of products with digital elements and machinery in the EU. While they will undoubtedly present challenges for the entertainment industry, they also offer a significant opportunity to improve the safety and security of entertainment technology.

By embracing the principles of security by design and by default, and by taking a proactive approach to vulnerability management, the entertainment industry can ensure that it continues to innovate and create breathtaking spectacles while protecting performers, crew, and audiences from the growing threat of cyberattacks. The road to compliance will require investment and effort, but the result will be a safer, more secure, and more resilient entertainment industry.