Automated intralogistics systems are considered the backbone of modern production and distribution processes. They enable precise, fast, and efficient handling of internal material flows. However, as these systems become increasingly digitalized, their vulnerability also grows, especially to cyber threats. The European Union has responded by creating a new regulatory framework with the Machinery Regulation (EU 2023/1230), the Cyber Resilience Act (EU 2024/2847), and the NIS 2 Directive, which also places obligations on operators and distributors of automated systems.
From 2027 onwards, it will no longer be sufficient for companies in intralogistics to simply maintain their newly built systems mechanically. Instead, holistic security strategies that also incorporate software, communication technology, and networked infrastructures will be required. For many operators, this will mean a fundamental change. At the same time, opportunities will arise for automation specialists such as Unitechnik: they can take responsibility and support customers in meeting the new requirements by providing progressive and forward-looking service offerings.
Regulatory upheaval: what will change from 2027 onwards
The new EU Machinery Regulation replaces the previous Machinery Directive and, for the first time, explicitly defines cybersecurity requirements for machines and systems. This recognizes that modern machines are often software-based, connected to networks, and equipped with digital interfaces. Manufacturing companies—and in many cases operators as well—will be required to consider digital risks as early as the design phase. The regulation also requires that a new risk assessment be carried out when software changes are made, for example, through the integration of new functions or software updates.
This is supplemented by the Cyber Resilience Act, which defines binding requirements for the security of digital products across all industries. For suppliers of machines with a digital core, such as warehouse management software or automation components, this means, among other things, the obligation to ensure secure default settings on delivery (ex works), to disclose vulnerabilities (e.g., those arising from third-party products used), and to point out recommended security updates. In addition, the NIS 2 Directive requires so-called “critical facilities” to implement professional risk management in information security, including reporting obligations for security incidents.
All of this leads to a profound change in operator responsibility. Anyone who operates an automated intralogistics system must not only ensure its availability and performance, but also guarantee its digital resilience in the long term. This includes measures such as patch management, access control, logging, secure update procedures, and continuous monitoring. These requirements are not a one-time event, but require organizational, personnel, and technical changes throughout the entire life cycle of a system.
Even though the rough regulatory framework has already been established, the EU Commission committees still have a lot of detailed work to do. Until the Machinery Regulation and Cyber Resilience Act come into force, around 800 relevant standards still need to be adapted and harmonized accordingly. This poses a major challenge for manufacturers and distributors who are currently entering into long-term supply commitments, but also for operators' medium-term planning.
The operator perspective: challenges and shifting responsibilities
For operators of existing systems, the main question is how they can meet these new requirements without jeopardizing ongoing processes or having to make major investments. The difficulty is that many systems have grown over the years, have been expanded modularly, and are based on software and hardware versions that no longer correspond to the current state of the art.
Another problem is the unclear distinction between manufacturer and operator obligations. If operators make software changes or replace components on their own, they may be legally considered “new distributors” and must comply with all associated CE conformity obligations. The involvement of third-party providers, for example in the context of remote maintenance or cloud connections, further increases the complexity.
This makes it clear that operators need partners who not only have technical expertise, but are also able to translate regulatory requirements into concrete measures. This is precisely where Unitechnik comes in with its services.
Security as a service – using Unitechnik as an example
Unitechnik already supports customers with several coordinated service modules that are precisely tailored to future requirements—even though these will not become legally binding until 2027.
A key component is the software maintenance contract, which goes beyond mere troubleshooting. Regular security updates for operating systems, databases, and runtime environments are planned, tested, and rolled out in coordination with the customer in a structured manner. A quarterly health check ensures transparency regarding the system status, documents the patch status, and proactively provides information on possible vulnerabilities. The results are made available in the form of a report and can be used to fulfill documentation requirements for authorities or auditors.
Another forward-looking service is the Automation Check-up. This is a predictive maintenance strategy that goes far beyond technical maintenance. In a multi-stage process, Unitechnik systematically analyzes fault messages, evaluates the software status, and recommends specific measures for optimization and risk protection. Particularly noteworthy are the integration of safety-related software updates and the structured tracking of their effectiveness, an approach that is expressly required by the new Machinery Regulation. Drive controllers are one example of where safety-related software updates apply: regular checks are carried out to ensure that the manufacturer's firmware is up to date.
In addition, Unitechnik actively supports the migration of outdated control systems. From a technical perspective, the switch from Siemens Step7 to the modern TIA Portal is long overdue and is becoming increasingly urgent due to security requirements. This is because older engineering PCs running Windows XP or 7, which are often required for Step7, pose a significant security risk. The TIA platform, on the other hand, not only allows the use of current hardware, but also the integration of secure communication protocols, user rights management, and diagnostic functions. All of these are essential elements of modern cybersecurity concepts.
Unitechnik also focuses on security in the area of system architecture: Access to customer systems is always via virtual machines. This virtual environment, which is used exclusively for one customer, contains the individual access mechanisms and all the necessary development and diagnostic tools. In the event of an attack, this ensures isolation, preventing malware from being transferred from one customer system to another. This measure complies with the principle of segmentation, as recommended in many security standards.
Conclusion: Cybersecurity is becoming mandatory – providers are delivering solutions
The new EU regulations mark the beginning of a new era in industrial automation. Cybersecurity is no longer a nice-to-have option, but a legal obligation. Operators and distributors are equally required to ensure protection, transparency, and responsiveness throughout the entire life cycle of their systems.
Automation specialists such as Unitechnik are taking on this challenge – not just from 2027, but today. With a well-thought-out portfolio of maintenance and migration services and a deep understanding of regulatory requirements, these specialist companies support their customers in operating their systems not only efficiently, but also in a future-proof manner. Cybersecurity is thus becoming an integral part of intralogistics – technically, organizationally, and legally.
Digression: Difference between IT security and OT security
IT security (information technology security) protects traditional corporate IT systems such as servers, networks, and data from cyberattacks, focusing on confidentiality, integrity, and availability. OT security (operational technology security), on the other hand, refers to the protection of industrial control and automation systems, where the focus is primarily on the availability and security of physical processes (e.g., material flow). While IT security is more software-driven, OT security requires a deep understanding of machines and systems and their real-time behavior.


