In January 2027, the EU Machinery Regulation (2023/1230/EU) will come into force, replacing the EU Machinery Directive (2006/42/EC).

The main difference is that machinery manufacturers will now have to safeguard their products against cyber risks. This includes not only cyberattacks but also hardware and software malfunctions, disrupted wireless connections and functional errors in autonomous or AI-driven operations.

Who is affected by the EU Machinery Regulation?

The regulation primarily targets machinery manufacturers. Their products must meet basic safety standards so they don’t endanger people, animals, property or the environment.

In addition, dealers and importers must avoid placing noncompliant products on the market. However, if they — or machine operators — modify equipment in ways that affect safety, they will now be considered manufacturers and bear the full set of associated obligations.

How much time is left to prepare?

Most of the regulation’s requirements must be met by 20 January 2027. The deadline may seem distant, but no noncompliant machinery may be placed on the market in the EU after this date — which means time is of the essence.

Given the lengthy development cycles in the machinery sector, meeting the new requirements demands considerable effort. Manufacturers must conduct risk assessments, define responsibilities and implement new processes and technical solutions. These steps need time and preparation.

What are the requirements of the EU Machinery Regulation?

The most important changes are set out in Annex III in sections 1.1.9 (“Protection against corruption”) and 1.2.1 (“Safety and reliability of control systems”). These provisions require machinery manufacturers to ensure that connections to external devices and networks do not lead to dangerous situations. Both the relevant hardware components and the machine’s software and data must be protected. In addition, all changes to software or system configurations must be documented through proper logging.

Machine control systems must also be designed so that external influences — such as cyberattacks, hardware and software failures and disrupted wireless connections — as well as operating mistakes or faults in the control logic do not result in hazardous situations.

New requirements for AI

The Machinery Regulation also introduces specific requirements for AI systems that operate fully or partly autonomously — referred to as self-developing behavior or self-developing logic. Such systems may not activate machinery without supervision and must block any parameter and rule changes that could create hazardous situations. Also, all safety-related decisions must be logged, and AI control systems must be updateable at any time to address safety issues.

The regulation classifies AI systems as high-risk because autonomy and limited transparency can increase both the likelihood and severity of harm. As a result, they fall within the category of machinery requiring conformity assessment by an independent testing body.

Manufacturers must also document all risk assessments and safety measures to conform with the regulation. If their products don’t meet the requirements, they must act immediately to rectify the situation or take the machinery off the market. At the same time, the relevant authorities must be informed of any hazards and the corrective measures that were taken.

While the Machinery Regulation introduces strict requirements, it also provides certain simplifications. For example, operating instructions and declarations of conformity may in future be supplied in digital form. These documents must remain accessible online for the entire service life of the machine — or at least ten years — and must also be provided in paper form free of charge upon request.

What are the challenges around implementing the EU Machinery Regulation?

Beyond the tight deadlines, the greatest challenge for manufacturers lies in the regulation’s strict requirements. Compliance demands extensive technical and organizational changes, along with deep expertise in cybersecurity — resources that are not always readily available within development teams. Many face shortages in personnel, time and budgets.

Moreover, manufacturers must comply not only with the Machinery Regulation but also with other new cybersecurity frameworks, such as the NIS2 Directive and the Cyber Resilience Act, depending on their industry and products. These regulations introduce their own — sometimes overlapping — security requirements and reporting obligations. As a result, cybersecurity has become a strategic priority for machinery manufacturers, best addressed in a coordinated way to avoid duplicating efforts across multiple projects.

At the same time, the introduction of security requirements presents opportunities. Manufacturers can help their customers meet their own compliance obligations by providing secure machinery. New processes — such as mechanisms for installing security patches and functional updates, along with subscription-based services — can also serve as a foundation for digital offerings. Although the timing may be challenging, many manufacturers are now integrating digital components and services from the outset, so that cybersecurity is built in from the start. Experience shows that this approach is far easier and more cost-effective than retrofitting security later.

How NTT DATA can help

NTT DATA supports machinery manufacturers in implementing the EU Machinery Regulation through specialized teams, covering the full spectrum from risk assessments and gap analyses to recommending and implementing appropriate technical and organizational measures. We also ensure the reliable operation of required security solutions.

Our approach is guided by established standards and frameworks, including ISO/IEC 27005 for risk management and ISA/IEC 62443 for system and network protection.

Drawing on our deep industry knowledge and extensive experience across IT, OT, cybersecurity and compliance projects, we provide tailored advice and deliver customized solutions. Manufacturers benefit from an end-to-end service offering, with reliable long-term support.

WHAT TO DO NEXT
To learn more about the EU Machinery Regulation, how to implement it in your company or NTT DATA’s services, please contact us.