- The EU Machinery Regulation 2023/1230 replaces the previous Machinery Directive 2006/42/EC from January 20, 2027, and includes cybersecurity as an Essential Requirement for the first time.
- Machines with digital elements must be designed so that their safety functions cannot be compromised by unauthorized digital access.
- Manufacturers must consider cybersecurity in the risk assessment and confirm conformity through CE marking.
- The regulation complements NIS2 (operator obligations) and the Cyber Resilience Act (digital products) and closes the gap for mechanical engineering.
- Operators benefit from more secure machines but must still implement their own protective measures for existing equipment and network integration.
From Machinery Directive to Machinery Regulation
On June 29, 2023, Regulation (EU) 2023/1230 on machinery was published in the Official Journal of the European Union. It replaces the previous Machinery Directive 2006/42/EC, which has served as the regulatory framework for placing machinery on the European market for nearly two decades.
The change from a directive to a regulation has an important consequence: The Machinery Regulation applies directly in all EU member states from January 20, 2027, without requiring national transposition. There are no divergent transition periods arising from differing national legislation. From the effective date, the new requirements apply uniformly across the entire EU.
The most fundamental change for the cybersecurity community: The Machinery Regulation contains explicitly stated cybersecurity requirements for machines for the first time. The old Machinery Directive did not contain the word "cybersecurity." The new regulation makes it an essential safety aspect.
What the Regulation Requires
The cybersecurity requirements are found in Annex III of the regulation, which defines the "Essential Health and Safety Requirements" (EHSR). The key passage in Section 1.1.9 states in essence:
Machines must be designed and constructed so that the connection of another device to the machine via any feature of the connected device, or via a remote device that communicates with the machine, does not lead to a dangerous situation. A hardware component that transmits signals or data relevant to the connection, as well as the software, must be designed so that they are adequately protected against accidental or intentional corruption.
Additionally, Section 1.1.9 further specifies: The machine must provide evidence of legitimate and illegitimate interventions in the software of the machine, insofar as this is necessary to fulfill the safety requirements.
What This Means in Practice
Translated into practical requirements, this means:
Protection against unauthorized access. The safety functions of a machine (emergency stop, safety guard monitoring, pressure limitation, speed monitoring, etc.) must not be compromisable by digital attacks. If an attacker gains access to the machine controller through a network connection or maintenance interface, they must not be able to manipulate or deactivate the safety functions.
Protection of communication channels. Every digital interface of the machine (Ethernet, USB, fieldbus, wireless connections) must be protected against manipulation. This applies to both hardware (physical access protection for interfaces) and software (authentication, integrity checking, encryption where appropriate).
Software integrity protection. The control software and, in particular, safety-relevant software components must be protected against corruption. This includes measures such as code signing, integrity checks at system startup, and protection against unauthorized program changes.
Audit trail. The machine must be able to demonstrate whether legitimate or illegitimate interventions in the safety-relevant software have occurred. This requires logging of access and changes to safety-critical software components.
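As an added illustration (not code from the regulation or from any product), the following Go program shows the kind of startup integrity check these four requirements point to: a manufacturer-signed manifest of the safety-relevant components is verified with Ed25519 before the controller enters RUN, every installed component is compared against the SHA-256 digest it was released with, and the result is classified as a legitimate or illegitimate intervention for the machine's audit trail. The manifest format, component names and sample program bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Manifest lists the machine's safety-relevant software components with the
// SHA-256 digest the manufacturer released each one at (hypothetical format).
type Manifest struct {
	Version    string            `json:"version"`
	Components map[string]string `json:"components"` // component name -> hex digest
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// VerifyAtStartup runs before the controller enters RUN: the manifest must carry a
// valid manufacturer signature and every installed component must match it.
// Missing, altered or unlisted components are recorded as an illegitimate intervention.
func VerifyAtStartup(pub ed25519.PublicKey, manifestJSON, sig []byte, installed map[string][]byte) (string, []string) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return "illegitimate", []string{"manifest signature invalid"}
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "illegitimate", []string{"manifest unparseable"}
	}
	var findings []string
	for name, want := range m.Components {
		data, ok := installed[name]
		switch {
		case !ok:
			findings = append(findings, "missing component "+name)
		case digest(data) != want:
			findings = append(findings, "digest mismatch for "+name)
		}
	}
	for name := range installed { // unauthorized program added outside the release
		if _, listed := m.Components[name]; !listed {
			findings = append(findings, "unlisted component "+name)
		}
	}
	sort.Strings(findings) // map order is random; keep the audit record deterministic
	if len(findings) > 0 {
		return "illegitimate", findings
	}
	return "legitimate", []string{"manifest " + m.Version + " verified"}
}

// Constructed sample: one safety program, signed by a freshly generated manufacturer key.
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fw := map[string][]byte{"safety_logic.bin": []byte("constructed safety program")}
	mj, _ := json.Marshal(Manifest{Version: "1.0", Components: map[string]string{"safety_logic.bin": digest(fw["safety_logic.bin"])}})
	outcome, findings := VerifyAtStartup(pub, mj, ed25519.Sign(priv, mj), fw)
	fmt.Println(outcome, findings)
}
```

The outcome and findings are what the machine would append to its intervention log; a real controller would also refuse to enter RUN on an illegitimate result.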
Who Is Affected?
Manufacturers and Importers
The regulation is primarily directed at manufacturers (and their authorized representatives), importers, and distributors of machinery. Every machine placed on the market or put into service in the EU from January 20, 2027, must meet the new requirements.
This affects not only traditional machine builders but everyone who places a machine with digital elements on the EU market. The definition of "digital elements" is intentionally broad: It encompasses any software that runs on the machine or is required for machine function, as well as any network or communication interface.
In practice, this means: Virtually every modern machine falls under the cybersecurity requirements. A purely mechanical machine without any electronics would be exempt, but such machines are becoming increasingly rare. As soon as a PLC, a variable frequency drive with a network interface, or an HMI panel is installed, the new requirements apply.
Operators
Machine operators are not directly addressees of the Machinery Regulation (which governs placing on the market). But they are indirectly affected:
New machines will be more secure. From 2027, purchased machines must meet the cybersecurity requirements. Operators can and should demand and verify this during procurement.
Existing equipment remains unchanged. Machines put into service before January 20, 2027, do not fall under the new regulation. The existing machine fleet must therefore continue to be protected through operator-side measures.
Substantial modifications. If an existing machine is substantially modified (e.g., by a new controller, network connectivity, or a software modification that affects safety), it may be classified as a "new machine" and must then meet the requirements of the new regulation. This is particularly relevant for retrofitting projects.
Extending Risk Assessment to Include Cybersecurity
The Machinery Regulation requires manufacturers to include cybersecurity risks in their risk assessment. This is a significant extension of previous practice, where risk assessment per EN ISO 12100 primarily considered mechanical, electrical, thermal, and ergonomic hazards.
The Extended Risk Assessment Process
The risk assessment must now additionally consider the following aspects:
Identification of digital interfaces. What communication interfaces does the machine have? Ethernet, USB, serial interfaces, fieldbuses, wireless connections (WLAN, Bluetooth, 5G)? Each interface is a potential attack vector.
Identification of safety-relevant software. Which software components control safety functions? Where is the boundary between safety-relevant and non-safety-relevant software? This boundary must be clearly defined.
Threat analysis. What attacks are possible through the identified interfaces? Who are the potential attackers (insiders, external attackers, maintenance service providers)? What capabilities do they have?
Risk evaluation. How likely is a successful attack? What impact does it have on the safety of persons? This is where machine safety fundamentally differs from classic IT security: It is not about data loss or business interruption, but about personal injury.
Derivation of measures. What design measures reduce the cybersecurity risks? The priority follows the established three-step method of machine safety:
1. Inherently safe design (e.g., safety PLC with a separate safety channel not reachable from the network)
2. Technical protective measures (e.g., authentication, encryption, network segmentation within the machine)
3. User information (e.g., instructions in the operating manual for secure network integration)
Harmonized Standards
At the time of writing this article, the harmonized standards for the Machinery Regulation are still in development. The following standards are particularly relevant:
EN ISO 12100 (Revision): The base standard for risk assessment will be extended to include cybersecurity aspects.
IEC 62443: The existing standard for industrial cybersecurity is expected to be listed as a (partially) harmonized standard under the Machinery Regulation. In particular, IEC 62443-4-1 (secure product development) and IEC 62443-4-2 (technical security requirements for components) are relevant.
EN ISO 13849 and IEC 62061: The existing standards for functional safety of controls must be interpreted in the context of the cybersecurity requirements. A safety PLC that achieves PL e according to EN ISO 13849 but has no cybersecurity measures does not fully comply with the Machinery Regulation.
CE Marking and Conformity Assessment
The cybersecurity requirements are part of the Essential Requirements of the Machinery Regulation. This means: They must be met for CE marking. A manufacturer who affixes the CE mark to their machine thereby also confirms compliance with the cybersecurity requirements.
Conformity Assessment Procedures
The Machinery Regulation defines different conformity assessment procedures depending on the risk class of the machine:
For machines listed in Annex I (high-risk machines): EU type-examination by a notified body or comprehensive quality management system. High-risk machines include, among others: presses, saws, injection molding machines, lifts, and certain lifting equipment.
For all other machines: Internal production control (self-assessment by the manufacturer). The manufacturer determines conformity themselves and issues the EU declaration of conformity.
In both cases, the technical documentation must demonstrate that the cybersecurity requirements are met. This includes: the extended risk assessment, the identified cybersecurity risks, the implemented measures, and evidence of their effectiveness.
Impact on Operating Instructions
The Machinery Regulation requires that operating instructions contain information the operator needs for safe use of the machine. In the cybersecurity context, this means:
- Recommendations for secure network integration of the machine
- Information on required operator-side protective measures (firewall, segmentation)
- Information about available security updates and how to install them
- Details about the communication protocols and interfaces used
- Notices about default credentials and the need to change them
For operators, this information is invaluable: It provides the basis for operator-side risk assessment and integration of the machine into the ISMS.
Distinction from NIS2 and the Cyber Resilience Act
The EU Machinery Regulation does not stand in isolation but is part of a regulatory ecosystem that addresses cybersecurity from different perspectives. The distinction is important so you understand which obligations apply to you.
NIS2: Operator Obligations
NIS2 is directed at operators of network and information systems in regulated sectors. It requires risk management, incident response, reporting obligations, and supply chain security. NIS2 does not say how a machine must be built, but how the operator must protect their systems (including machines).
Complement to the Machinery Regulation: The Machinery Regulation ensures that new machines have more secure baseline properties. NIS2 ensures that the operator operates these machines securely and embeds them in a comprehensive security concept.
Cyber Resilience Act (CRA): Digital Products
The Cyber Resilience Act is directed at manufacturers of digital products (hardware and software) and requires cybersecurity throughout the entire product lifecycle: secure development, vulnerability management, and security updates.
Distinction from the Machinery Regulation: The CRA generally applies to all products with digital elements. The Machinery Regulation is lex specialis for machines. For the cybersecurity requirements of machines, the Machinery Regulation applies primarily. The CRA may apply supplementarily, particularly for software components that are placed on the market separately.
The Regulatory Triangle in Practice
For a mid-market company that both manufactures and operates machines, the following picture emerges:
| Role | Regulation | Obligations |
|---|---|---|
| As machine manufacturer | Machinery Regulation 2023/1230 | Cybersecurity in risk assessment, CE marking, secure design |
| As machine manufacturer | Cyber Resilience Act | Secure development, vulnerability management, security updates |
| As machine operator | NIS2 (if applicable) | Risk management, incident response, reporting obligations, supply chain |
The good news: The requirements overlap considerably. A manufacturer who implements IEC 62443 fulfills a large portion of the requirements of all three regulations. An operator who runs an ISMS according to ISO 27001 and includes OT security covers both NIS2 and the operator-side implications of the Machinery Regulation.
What Machine Manufacturers Should Do Now
Extend the Risk Assessment
Start by extending your existing risk assessment (per EN ISO 12100) to include cybersecurity aspects. Identify the digital interfaces of your machines, the safety-relevant software, and the possible threats. Use IEC 62443 as a guide for threat analysis.
Introduce Secure-by-Design Principles
Integrate cybersecurity into your development process. This does not mean you must immediately be IEC 62443-4-1 certified. But basic principles such as Least Privilege (only the minimally necessary access rights), Defense in Depth (multiple layers of protection), Secure Defaults (secure default configuration), and Fail Secure (go to a safe state on failure) should be incorporated into your design principles.
Enable Security Updates
Ensure that your machines can be securely updated. The specific challenges of this are described in the article on patch management in OT. This includes: a mechanism for firmware updates of the controller, signed update packages for integrity verification, a documented update process, and a support period during which you provide security updates.
Update Operating Instructions
Supplement the operating instructions with cybersecurity information: Recommendations for network integration, information about security updates, details on interfaces and protocols, recommendations for access controls.
Monitor Standardization
Follow the development of harmonized standards for the Machinery Regulation. In particular, the revision of EN ISO 12100 and the harmonization of IEC 62443 will provide concrete guidance for implementation.
What Machine Operators Should Do Now
Adjust the Procurement Process
From 2027, you can require machine manufacturers to ensure that new machines meet the cybersecurity requirements of the Machinery Regulation. Integrate cybersecurity criteria into your procurement specifications: What security features must the machine provide? How must the network connectivity be designed? What update options are available? How long will the manufacturer provide security updates?
Inventory Existing Equipment
Create an inventory of your existing machines with digital elements. Document for each machine: What controller is installed? What network interfaces exist? What firmware version is running? What security features are present? What is missing? This inventory is the basis for the risk assessment and planning of retrofit measures. In ISMS Lite, machines with digital elements can be captured and the associated cybersecurity measures linked to the risk assessment, at 500 euros per year for the complete feature set.
Review Network Integration
Check how your machines are integrated into your network. Are they in a segmented OT network following the Purdue Model? Are maintenance access points secured? Are there direct connections from the internet? The Machinery Regulation requires that the network connection of a machine must not create a dangerous situation. That requirement can only be upheld in operation if the operator-side network integration is secure as well.
Integrate OT Security into the ISMS
If you fall under NIS2, integrating OT security into your ISMS is mandatory anyway. The Machinery Regulation provides you with additional information: The operating instructions of new machines will contain cybersecurity recommendations that you can incorporate into your measure planning.
Frequently Asked Questions
Does the regulation also apply to used machines?
No. The Machinery Regulation applies to the initial placing on the market or initial putting into service of a machine in the EU market. Used machines that were already in operation before January 20, 2027, do not fall under the new regulation, provided they are not substantially modified.
However: If you substantially modify a used machine (e.g., install a completely new controller or equip the machine with network connectivity that was not previously present), the machine may be classified as new. In this case, you must meet the requirements of the new regulation and issue a new declaration of conformity.
What does "substantial modification" mean?
The Machinery Regulation defines the term "substantial modification" for the first time: A modification not foreseen by the manufacturer that affects the safety of the machine such that a new risk assessment is required. In the cybersecurity context, this could be: Retrofitting a network connection on a previously isolated machine, replacing the safety PLC with a different model, or installing new SCADA software that changes the security architecture.
Do I need a notified body?
That depends on the risk class of your machine. Machines listed in Annex I of the regulation (high-risk machines such as presses, saws, lifts) require a conformity assessment by a notified body. For all other machines, a self-assessment (internal production control) by the manufacturer is sufficient.
Important: The cybersecurity requirements are part of the Essential Requirements. The notified body will therefore also examine the cybersecurity aspects when a type examination is required.
How does the Machinery Regulation relate to CE marking?
CE marking confirms that the machine meets all applicable Essential Requirements of the Machinery Regulation. From January 20, 2027, this includes the cybersecurity requirements. A manufacturer who affixes the CE mark to their machine thereby also declares that the cybersecurity requirements are met.
If market surveillance determines that the cybersecurity requirements are not met, the market surveillance authority can order the recall of the machine or issue a sales ban. This is a significant tightening compared to the previous situation, where cybersecurity was not a criterion for CE marking.
Practical Recommendations for the Transition Period
The remaining time until January 2027 is tight. Here are the most important recommendations:
For machine manufacturers who have not yet started: Begin immediately with an inventory of your product range. Which machines have digital elements? What communication interfaces exist? What safety functions are controlled by software? On this basis, you can prioritize which products have the greatest need for adaptation.
For machine manufacturers already implementing IEC 62443: You are well positioned. Verify whether your existing IEC 62443 documentation covers the specific requirements of the Machinery Regulation. Supplement the risk assessment per EN ISO 12100 with cybersecurity aspects and update the operating instructions.
For machine operators: Use the time to inventory your machine fleet. Which machines have digital elements? How are they networked? What security measures are missing? Start with the operator-side measures (network segmentation, access control, monitoring) that are sensible regardless of the Machinery Regulation. And prepare your procurement processes so that from 2027, you can include cybersecurity requirements in tenders and specifications.
For everyone: Build cybersecurity competence in OT. This requires training for both automation engineers (who must understand cybersecurity) and IT security professionals (who must understand OT). The combination of both competencies is rare and correspondingly valuable.
Timeline and Transition Periods
| Date | Event |
|---|---|
| June 29, 2023 | Publication of Regulation (EU) 2023/1230 |
| January 20, 2027 | Application date of the regulation |
| From January 20, 2027 | New machines must meet the requirements |
| From January 20, 2027 | Machinery Directive 2006/42/EC repealed |
There are no staggered transition periods. From January 20, 2027, the new requirements apply in full to all newly placed machines.
For machine manufacturers, this means: The preparation window is closing. Extending the risk assessment, adapting design principles, qualifying employees, and updating documentation all take time. Those who start only in 2027 will have problems.
For operators, this means: From 2027, you will receive more secure machines. But your existing machine fleet does not change automatically. The operator-side measures (network segmentation, monitoring, patch management, access control) remain your responsibility.
Further Reading
- OT Security in SMEs: Why Production Control Belongs in Your ISMS
- Securing SCADA and PLC Systems: Practical Measures Without Production Downtime
- Risk Assessment for OT Systems: Different Priorities Than in IT
- NIS2 for SMEs: What You Need to Know and What to Do Now
- Patch Management in OT: When You Cannot Simply Update
