New Machinery Regulation 2023/1230

On June 29, 2023, the new Machinery Regulation 2023/1230 was published in the Official Journal of the European Union, replacing the previous Directive 2006/42/EC. This new regulation marks a significant shift in how industrial machines are designed, assessed, and marketed within the European market. For the first time, aspects such as cybersecurity, artificial intelligence, digital risks, and OT/IT connectivity are explicitly addressed in a binding legal framework.

For industrial professionals, automation experts, machinery manufacturers, system integrators, and OT cybersecurity managers, this new regulation not only introduces new legal requirements—it demands a cultural and technical transformation in how the safety of industrial equipment is conceived.


What is the Machinery Regulation 2023/1230?

Regulation (EU) 2023/1230, commonly referred to as the new Machinery Regulation, is an EU-wide law that sets out essential health and safety requirements for the design and marketing of machinery, related products, and safety systems within the EU. Unlike its predecessor, this regulation will be directly applicable in all Member States starting January 14, 2027, without the need for national transposition.


Key changes in the new Machinery Regulation

Unlike the 2006 version, which focused on physical and mechanical risks, the new 2023/1230 regulation acknowledges that today’s industrial environments are highly digitalized, connected, and often powered by artificial intelligence. Key updates include:

  1. Introduction of cybersecurity requirements
    • Machines must now be designed to protect against unauthorized access, software tampering, and remote intrusions. This includes:
      • Validation of embedded firmware and software.
      • Protection against alteration of safety functions via external connections.
      • Consideration of attack vectors through OT/IT communications and industrial networks.
  2. Machines with autonomous or AI-powered functions
    • The regulation explicitly recognizes that some machines use automated decision-making algorithms, which introduce new risks such as unexpected decisions, collisions, data analysis errors, or unpredictable behavior.
  3. High-risk product classification
    • A new category for high-risk products is introduced, covering certain types of robots, self-learning software machines, and human-interactive systems. These must undergo third-party conformity assessment by notified bodies, with no option for self-certification.
  4. Digitization of technical documentation
    • The regulation allows manuals and technical documents to be delivered digitally, provided they meet requirements for accessibility, integrity, and durability. This affects how instructions, safety diagrams, and functional schematics are communicated.
  5. Compatibility with other standards (NIS2, IEC 62443, etc.)
    • The regulation is aligned with other legal and normative frameworks, especially those related to cybersecurity and critical infrastructure protection:
      • NIS2: Cybersecurity for essential sectors.
      • IEC 62443: Security of industrial automation systems.
      • ISO 12100, ISO 13849, EN 62061: For functional safety requirements.

Cybersecurity as a new regulatory axis

One of the most significant shifts in the regulation is the explicit inclusion of cybersecurity as a core part of overall machine safety. This marks a paradigm shift: safety is no longer just physical—it now encompasses digital threats as well.

Specifically, Annex III requires machines to:

  • Ensure the integrity and authenticity of safety-related software.
  • Implement mechanisms to prevent unauthorized access to critical functions.
  • Include protection measures against remote tampering, including secure software updates.

This aligns with common OT cybersecurity practices, such as:

  • Industrial network segmentation.
  • Role-Based Access Control (RBAC).
  • Event logging and monitoring (Syslog, OT SIEM).
  • Secure firmware patching and update management.

Impact on manufacturers, integrators, and industrial users

For manufacturers:

  • Must design “secure by design” machines with cybersecurity integrated from the conceptual phase.
  • Need to implement new testing procedures, such as intrusion testing and firmware validation—even on production lines previously certified under the old directive.

For integrators:

  • Must ensure secure interoperability of all system components.
  • Required to provide technical documentation proving that integration does not compromise safety.

For industrial users:

  • Must understand that cybersecurity is no longer only an IT concern—it is now a core part of industrial asset lifecycle management.
  • Risk assessments and audits must now include digital vulnerabilities.

OT environments and industrial digitalization

Regulation 2023/1230 arrives at a critical time when many companies are transitioning toward Industry 4.0, IIoT, and smart factory models. In OT environments, where machines are networked, exchange data, and make automated decisions, attack vectors multiply.

As a result, the new regulation requires that industrial connectivity not compromise operator or process safety, which aligns it with the zones and conduits model of IEC 62443-3-2, the standard that defines how to segment OT networks so that risks are contained.


Deadlines and obligations: when does it apply?

Although the regulation was published in 2023, it becomes fully applicable on January 14, 2027. From that date onward:

  • All newly marketed products must comply with the new requirements.
  • Certifications under Directive 2006/42/EC will remain valid only if the product has not been substantially modified.

This gives companies time to:

  • Assess their current compliance status.
  • Adapt design, evaluation, and documentation processes.
  • Introduce cybersecurity improvements across systems.

Best practices to comply with the new Machinery Regulation

Adapting to this new regulation requires more than just updating documents. Best practices include:

  • Risk assessments with an OT cybersecurity focus.
  • Implementing “secure development lifecycle (SDL)” processes for machine design.
  • Using standards such as IEC 62443-4-1 for secure components.
  • Internal training to ensure design, automation, and IT speak the same language.
  • Performing hardening tests, vulnerability analyses, and firmware scans before product launch.

Conclusion: an opportunity for smart industry

Regulation 2023/1230 is more than a legal update—it’s a clear signal that industrial safety is being redefined for the digital era. In this new framework, machines are no longer just mechanical equipment—they are connected, intelligent, and vulnerable assets whose security must be addressed holistically.

For industrial professionals, this regulation offers a unique opportunity to align compliance, technology, and efficiency—building machines that are more robust, secure, and future-ready.


Need help adapting your machines or processes?

At Kollaborative Work, we help you perform technical audits, assess regulatory compliance, redesign OT security architecture, and train your teams to approach the Machinery Regulation 2023/1230 with confidence. Take the next step toward a smarter, safer industry. Contact us today!
