EU Machinery Regulation 2023/1230: Cybersecurity Requirements Guide
The EU Machinery Regulation 2023/1230 introduces mandatory cybersecurity requirements for machinery
with digital elements. This guide covers how it intersects with the Cyber Resilience Act (CRA) for
industrial IoT, robotics, and smart manufacturing.
What is the EU Machinery Regulation?
Regulation (EU) 2023/1230 replaces the old Machinery Directive 2006/42/EC and becomes mandatory on 20
January 2027. It establishes harmonized health and safety requirements for machinery, related
products, and partly completed machinery placed on the EU market.
Key Cybersecurity Requirements
Section 1.1.9 - Protection Against Corruption
- Hardware components transmitting signals for safety-critical software must be protected against
corruption
- Software and data critical for compliance must be identified and adequately protected
- Machinery must collect evidence of legitimate or illegitimate interventions
- Machinery must identify the installed software necessary for safe operation
Section 1.2.1 - Safety and Reliability of Control Systems
- Control systems must withstand malicious attempts from third parties
- Maintain a 5-year tracing log of interventions and safety software versions
- For AI/ML systems: 1-year logging of safety-related decision-making
- Wireless control failures must not lead to hazardous situations
AI and Machine Learning Systems
Safety components with fully or partially self-evolving behavior using machine learning, and
machinery with embedded AI/ML systems ensuring safety functions, require mandatory third-party
conformity assessment under Annex I Part A.
CRA + Machinery Regulation Overlap
If your product is both machinery AND a product with digital elements, you may need to comply with
both regulations. Products that may need both include industrial IoT devices, connected
manufacturing equipment, industrial robots, AGVs, and collaborative robots.
Key Dates
- 29 June 2023 - Published in Official Journal
- 19 July 2023 - Entry into Force
- 20 January 2027 - Full Application (Directive 2006/42/EC repealed)