
ISO 10218:2025 and IEC 62443 for Robots: The New Cyber Risk-Assessment Mandate

ISO 10218:2025, the updated industrial robot safety standard, now requires a cybersecurity risk assessment and points to IEC TS 63074 and IEC 62443 for how to do it. Cybersecurity is no longer optional for compliant industrial robots. This page maps the requirement chain and how to produce the evidence. It is guidance, not legal advice.

What changed for cybersecurity in ISO 10218:2025?

The 2025 edition makes cybersecurity a required part of robot safety, where earlier editions largely did not address it. ISO 10218 is the core safety standard for industrial robots and robot systems, split into part 1 (the robot) and part 2 (integration and the robot system). The third edition modernizes it and adds an explicit expectation to consider and assess cybersecurity risks that could affect safety.

The reasoning mirrors the EU Machinery Regulation: a robot whose safety functions can be defeated by a cyberattack is not safe. So cyber risk assessment moves from good practice to a standards expectation you have to satisfy and document.

Why is a robot cyber risk assessment now mandatory?

Because the standard uses requirement language ("shall") for assessing cybersecurity risk, an integrator or manufacturer following ISO 10218:2025 must perform and document one. The assessment identifies threats to the robot and robot system, evaluates how they could lead to hazardous situations, and drives the security measures needed to reduce that risk to acceptable levels.

This is not a paperwork exercise. It sets the security requirements the rest of your controls must meet, and it is the anchor auditors will look for. Doing it well means understanding your robot’s real attack surface, which is where a structured robot penetration test and a clear threat model feed directly into the assessment.

How does ISO 10218 defer to IEC TS 63074 and IEC 62443?

ISO 10218:2025 does not reinvent security requirements; it points to the established industrial security framework. IEC TS 63074 addresses the security aspects that affect functional safety of machinery control systems, bridging the safety world to security. From there, the detailed controls come from the IEC 62443 series, the widely adopted standard for industrial automation and control system security.

This chaining is deliberate and useful: it means robot cybersecurity aligns with the same framework used across industrial control systems, so the evidence and vocabulary are portable to auditors who already know 62443.

What IEC 62443 controls apply to robots?

The most relevant parts are the security levels (SL 1 to 4) and the component requirements in IEC 62443-4-2, plus the secure-development lifecycle in 62443-4-1. Security levels let you target a defensible posture against a defined class of attacker. The component requirements cover foundational areas that map cleanly onto a robot:

  • Identification and authentication, which per-robot cryptographic identity satisfies.
  • Use control and least privilege, which the authorization gate enforces per action.
  • System and data integrity, which firmware attestation and tamper-evident provenance provide.
  • Auditability, which verifiable receipts deliver.

How do you document a compliant risk assessment?

Record the assets, threats, and hazards; assign a target security level; specify the controls; and show they operate. A defensible assessment ties each identified threat to a concrete control and to evidence that the control works, not just that it was specified. That last part, showing controls actually operate, is where most robot programs are weak.

Attestation closes that gap. Per-robot identity demonstrates authentication, the gate demonstrates use control, and provenance demonstrates integrity and auditability, all as verifiable artifacts you can attach to the assessment file.
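As an added illustration (not RankShield code and not text from either standard), the sketch below checks an assessment register for the traceability described above: every threat has a hazard, a control in one of the four control areas, and evidence that the control operates. The record layout, function name, threats and artifact file names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# The four control areas this page maps onto a robot (names taken from the page).
CONTROL_AREAS = ("identification_and_authentication", "use_control",
                 "system_and_data_integrity", "auditability")

@dataclass
class Entry:
    threat: str
    hazard: str            # hazardous situation the threat could lead to
    control_area: str
    control: str
    evidence: list = field(default_factory=list)  # references to artifacts

def review_assessment(target_sl, entries):
    """Return findings; an empty list means every threat traces to operating evidence."""
    findings = []
    if target_sl not in (1, 2, 3, 4):
        findings.append(f"target security level {target_sl!r} is not in 1..4")
    for e in entries:
        if not e.hazard:
            findings.append(f"{e.threat}: no hazardous situation recorded")
        if e.control_area not in CONTROL_AREAS:
            findings.append(f"{e.threat}: unknown control area {e.control_area!r}")
        if not e.control:
            findings.append(f"{e.threat}: no control specified")
        elif not e.evidence:
            findings.append(f"{e.threat}: control specified, no evidence it operates")
    covered = {e.control_area for e in entries}
    for area in CONTROL_AREAS:
        if area not in covered:
            findings.append(f"no threat or control recorded for {area}")
    return findings

# Constructed sample register (illustrative threats and artifact names).
SAMPLE = [
    Entry("spoofed controller commands", "unexpected motion in a shared cell",
          "identification_and_authentication", "per-robot cryptographic identity",
          ["attested-identity-report.json"]),
    Entry("operator runs an unauthorized program", "speed limit bypassed",
          "use_control", "authorization gate per action"),
    Entry("modified firmware image", "safety function disabled",
          "system_and_data_integrity", "firmware attestation",
          ["firmware-attestation-result.json"]),
]

if __name__ == "__main__":
    for finding in review_assessment(2, SAMPLE):
        print("GAP:", finding)
```

On the sample register it reports the use-control entry that has a control but no evidence, and the missing auditability entry.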

How does attestation provide the required evidence?

Attestation turns each IEC 62443 control area into continuous, checkable evidence rather than a one-time claim. Instead of asserting that a robot authenticates, you can show attested identities; instead of asserting integrity, you can show firmware attestation results and a tamper-evident action log. This maps the abstract requirement to something an auditor can verify.

Honest scope: RankShield helps you meet ISO 10218:2025 and IEC 62443 and produces supporting evidence; it does not certify compliance or replace your assessment. It is a standards-native way to make your controls demonstrable. See how the platform works or request early access.

Frequently asked questions

Does ISO 10218:2025 require cybersecurity?

Yes. The 2025 third edition adds an explicit requirement to assess cybersecurity risk for industrial robots and robot systems, and defers the detailed controls to IEC TS 63074 and IEC 62443.

What is the relationship between ISO 10218, IEC TS 63074, and IEC 62443?

ISO 10218:2025 requires a cyber risk assessment; IEC TS 63074 bridges functional safety to security; and IEC 62443 provides the detailed security levels and component requirements to implement.

What security level should a robot target under IEC 62443?

It depends on the assessed threat and consequences. IEC 62443 defines security levels 1 to 4 against increasingly capable attackers. The risk assessment drives which level is appropriate for your robot and environment.

Which IEC 62443 requirements map to attestation?

Identification and authentication (per-robot identity), use control (the authorization gate), system and data integrity (firmware attestation and provenance), and auditability (verifiable receipts).

Does RankShield certify ISO 10218 or IEC 62443 compliance?

No. It provides controls and verifiable evidence that map to these standards, but certification and the risk assessment remain your responsibility. RankShield is a building block, not a certification.
