THINK SAFE. THINK ICS.

Machinery Regulation 2027: Advice on CE conformity with cybersecurity

From Jan. 20, 2027, cybersecurity will become part of the CE conformity assessment.
The new Machinery Regulation (EU) 2023/1230 replaces the previous directive - without a transitional period. Manufacturers must assess digital risks, secure control systems and document AI functions. Prepare now instead of being surprised in 2027.

Why the Machinery Regulation is relevant now

The Machinery Regulation (EU) 2023/1230 defines a new level of safety for machinery, equipment and digital control systems in the EU. The new regulation will be mandatory from January 20, 2027 - you can no longer choose between the old and new law.

Cybersecurity requirements of the EU Machinery Regulation in detail

The regulation describes how machines must be developed, evaluated and documented. In addition to the familiar requirements for mechanical and functional safety, the focus is now shifting to the entire digital part of the machine.

This includes secure control systems, robust software, clear considerations of communication paths and remote access, protection against unauthorized access and proof that security-relevant functions work reliably even under digital attack.

Relevant keywords from the regulation in practice:

  • Cybersecurity requirements for networked machines and control systems
  • Protection against tampering and manipulation
  • Conformity assessment, technical documentation and declaration of conformity
  • Digital operating instructions and digital provision of information (depending on the target group)
  • AI functions and autonomous or semi-autonomous functions, if safety-relevant

For many companies, this means a fundamental expansion of their previous safety assessment. Technical documentation must be more in-depth, consistent and maintained over the long term.

Combining IEC 62443 & the Machinery Regulation

The Machinery Regulation REQUIRES cybersecurity (Annex I, 1.1.5); IEC 62443 DESCRIBES how to implement it. Advantage: Security concepts in accordance with IEC 62443 can be incorporated directly into your CE documentation.

Self-Check: Is your machine affected? (6 questions, 60 seconds)

Answer these 6 questions and check whether you need to take action:

  • Does your machine have network interfaces or remote access?
  • Do you use security-relevant software functions or firmware?
  • Do you carry out updates in the field or offer remote maintenance?
  • Do you use external communication channels or cloud functions?
  • Can settings or parameters influence the safety functions?
  • Do you use AI-based functions that influence safety functions?

Our services for the Machinery Regulation

We support companies from the initial classification to complete preparation for the new requirements.

Gap analysis according to EU Machinery Regulation

We examine in a structured manner how well your company is prepared for the regulation, identify specific adaptation requirements and show which measures should be implemented in a technically sensible and time-prioritized manner.

Result: Prioritized fields of action, responsibilities and an implementation plan by January 2027.

IT/OT security consulting for machines and control systems

We assess the digital risks of your machines, control systems, firmware and communication channels and support you in designing them securely and integrating them into existing engineering and development processes.

Result: Structured assessment of digital risks, comprehensible protective measures for control systems, communication, remote maintenance and updates.

Preparation of CE and safety documents

We support you in the creation and revision of technical documentation. This includes safety concepts, risk assessments with a digital focus and proof of the EU conformity of your machines.

Result: Consistent technical documentation and a declaration of conformity that complies with the Machinery Regulation as the basis for the conformity assessment.

Why companies should act now

If you want to sell in 2027, you have to act now. A gap analysis takes 4-8 weeks, implementation 6-18 months. If you start in Q1 2026, you have a 12-month buffer until the deadline.

Those who address the regulatory changes early on will gain the following advantages:

  • Competitive advantage in tenders: Use early compliance as a USP
  • Minimize liability risk: Prove CE conformity with legal certainty
  • Increase product quality: Cybersecurity makes machines future-proof
  • Secure market access: From 2027, no placing on the market without new conformity
  • Save costs: Subsequent adaptations are 3-5x more expensive

If you only start shortly before 2027, you will be under time pressure. An early gap analysis creates clarity and planning security.

Your roadmap to the Machinery Regulation 2027

Q1 2026 (now):

  • Carry out gap analysis
  • Identify need for action
  • Plan budget and resources

Q2-Q3 2026:

  • Expand risk assessment with cybersecurity
  • Develop security concept for control systems
  • Revise technical documentation

Q4 2026:

  • Implement measures (firmware, processes)
  • Internal tests and reviews
  • Preparation for conformity assessment

Q1 2027 (before January 20):

  • Update declaration of conformity
  • CE marking according to new regulation
  • Sales/support training on new requirements

How the gap analysis works

1. Initial meeting and scope clarification:

Products, functions and role in the market

2. Workshop and review:

Technology, processes, documentation and cybersecurity status

3. Results meeting:

Priorities, action plan and next steps towards conformity assessment

IEC 62443 Consulting

Cybersecurity standard for industrial automation, ideal as a technical basis for the Machinery Regulation

CRA Consulting

Cyber Resilience Act for products with digital elements, often relevant in parallel with the Machinery Regulation

NIS2 Consulting

Cybersecurity for operators of critical infrastructure, relevant if you as a manufacturer are also an operator

Risk assessment

Digital risks are a key component of the new Machinery Regulation. SECIRA can provide support here.

FAQ - Frequently asked questions

When does the Machinery Regulation (EU) 2023/1230 apply?

The Machinery Regulation (EU) 2023/1230 will apply from January 20, 2027. Until January 19, 2027, you can still apply the old Machinery Directive 2006/42/EC.

Is there a transition period?

There is no transitional phase in which both regulations can be applied in parallel as desired.

Does this also apply to importers and dealers?

Yes, the regulation extends obligations and responsibilities for economic operators, including import and trade.

Do the operating instructions still have to be supplied in paper form?

No, not mandatory. The regulation allows digital instructions (QR code, app, web portal) - except for private individuals and certain professional groups without guaranteed internet access. For B2B machines, the digital form is usually sufficient. We check what applies to your products in the gap analysis.

When do I need a notified body?

This depends on the classification of the product, especially for certain categories from Annex I and the selected conformity assessment procedure. We will clarify this in the initial consultation based on your product.

How does all this relate to IEC 62443 or CRA?

IEC 62443 supports the structured implementation of OT security requirements. The CRA applies to products with digital elements. Which requirements are relevant for you depends on the product, function and market role.

You can also benefit from our IEC 62443 consulting and our CRA consulting.

What does "substantial modification" mean according to the Machinery Regulation?

A substantial modification occurs if you influence the safety functions through software updates, hardware changes or configuration adjustments. In this case, you must assess and document the machine as new in accordance with EU 2023/1230.

What are the most important cybersecurity requirements of the Machinery Regulation?

The Machinery Regulation (EU) 2023/1230 integrates cybersecurity into the essential health and safety requirements (Annex I, sections 1.1.5 and 1.2.9). Manufacturers must protect machines against unauthorized access, prevent tampering and secure safety-relevant software/firmware. This includes risk assessment of digital interfaces, protection of control systems and communication channels as well as proof that security functions remain reliable under attack.

What is considered a substantial modification according to Machinery Regulation (EU) 2023/1230?

A substantial modification occurs when software updates, hardware changes or configuration adjustments affect the safety functions (Art. 3 No. 28). Operators must then assess the machine as new in accordance with EU 2023/1230, document it and update the declaration of conformity if necessary. This is typically the case for firmware updates or network integrations.

Will the CE marking change with the Machinery Regulation?

CE marking remains mandatory, but will be extended: digital risks and AI must be assessed in risk assessments and technical documentation (Annex III). A new CE marking is required in the event of a substantial modification.

Book a consultation now!

Let us advise you individually. We will clarify your questions in a non-binding initial consultation and show you how to successfully implement the Machinery Regulation 2027.