Introduction: machinery safety is entering the digital age
The European regulatory landscape for machinery is undergoing a major transformation.
For many years, machinery safety was primarily associated with mechanical risks, electrical hazards, physical protection, emergency stops, instructions for use and CE marking. These remain essential. However, modern machinery is no longer purely mechanical. It is increasingly connected, software-driven, remotely maintained, data-dependent and, in some cases, powered by artificial intelligence.
This evolution changes the nature of risk.
A cyber vulnerability can now affect the safe operation of a machine. A software update can modify a safety function. A remote access interface can become an attack vector. A machine learning component can influence how equipment behaves in real time. In industrial environments, digital risk can create physical consequences.
This is the context in which the European Union adopted Regulation (EU) 2023/1230 on machinery, commonly referred to as the EU Machinery Regulation. The Regulation was adopted on 14 June 2023 and will replace the current Machinery Directive 2006/42/EC. It will become applicable from 20 January 2027, with some provisions applying earlier.
For manufacturers, importers, distributors, integrators and users of machinery, this is not a minor legal update. It is a significant shift in how machinery compliance must be governed, documented and demonstrated.
What is the EU Machinery Regulation 2023/1230?
The EU Machinery Regulation 2023/1230 lays down health and safety requirements for the design and construction of machinery placed on the European market. It also defines the conformity assessment procedures that must be followed before machinery and related products can be made available in the EU.
It replaces the Machinery Directive 2006/42/EC, which has been the core EU legal framework for machinery safety for many years. The move from a directive to a regulation is important. A regulation is directly applicable across EU Member States, which should reduce differences in national implementation and strengthen legal harmonisation across the single market.
The Regulation applies to machinery and related products, including partly completed machinery. It is relevant not only for manufacturers, but also for other economic operators such as importers and distributors.
The Regulation was published in the Official Journal of the European Union in June 2023 and entered into force in July 2023. However, companies have a transition period before the main obligations become fully applicable on 20 January 2027.
Why was a new Machinery Regulation needed?
The previous Machinery Directive was designed in a different technological context.
Since then, machinery has become more complex. Industrial equipment is now commonly connected to networks, integrated into digital production chains, remotely monitored, updated through software and sometimes equipped with AI-based or autonomous functions.
The new Regulation therefore aims to modernise the EU machinery safety framework and address risks linked to new technologies, including software, cybersecurity and artificial intelligence. The text adopted in June 2023 was followed by a corrigendum that corrected the application dates in the original version; the dates cited in this article are the corrected ones.
From a Governance, Risk and Compliance perspective, the key message is clear: machinery compliance can no longer be managed as a purely technical or engineering topic. It now requires a structured interface between product safety, cybersecurity, software governance, supplier management, legal compliance and operational resilience.

Key changes introduced by the EU Machinery Regulation
1. Stronger focus on cybersecurity and digital risks
One of the most important developments is the recognition that cybersecurity can directly affect machinery safety.
The relevant provisions sit in Annex III, which carries the essential health and safety requirements: section 1.1.9 (protection against corruption) and section 1.2.1 (safety and reliability of control systems). In substance, they require that connecting another device to the machinery, locally or remotely, does not lead to a hazardous situation; that hardware and software critical for compliance are protected against accidental or intentional corruption; that each such software component is identifiable; and that the machinery collects evidence of legitimate and illegitimate interventions in that hardware and software.
In practical terms, companies will need to consider whether unauthorised access, software manipulation, corrupted data, remote interference or cyberattacks could compromise the safe functioning of machinery.
This is a major compliance shift. Cybersecurity is no longer only an IT security issue. For connected machinery, it becomes part of the product safety and conformity assessment discussion.
2. Integration of software into the machinery safety perimeter
Modern machines rely heavily on embedded software, programmable control systems, sensors, connected components and digital interfaces. The new Regulation reflects this reality.
The Regulation counts software among safety components: a safety component may be a physical or digital component, including software, that fulfils a safety function. Software that performs a safety function or influences the safe operation of machinery must therefore be assessed, protected, documented and controlled like any other safety component. Annex III section 1.2.1 also requires that a fault in the control-system hardware or software does not lead to a hazardous situation, and that a tracing log of interventions and of the versions of safety software uploaded after the machinery is placed on the market is kept for five years after each upload, so that conformity can be demonstrated on request of a national authority. This creates practical obligations around software lifecycle management, version control, change management, secure updates, testing and evidence retention.
From a GRC standpoint, companies should be able to answer a simple question: can we demonstrate that our software does not compromise machinery safety?
3. Artificial intelligence and autonomous behaviour
The Regulation also addresses risks associated with emerging technologies, including AI and systems with evolving behaviour, which it describes as "fully or partially self-evolving behaviour using machine learning approaches". Practical guidance published by European standardisation stakeholders highlights the importance of understanding the safety and compliance implications of AI systems integrated into machinery.
For companies, this means that AI-enabled machinery should not be treated as a black box. The safety implications of automated decision-making, self-learning systems or adaptive behaviour must be assessed and documented.
This is especially important where AI influences movement, detection, human-machine interaction, safety stops or operational decisions.
4. Updated conformity assessment requirements
The Regulation maintains the overall logic of CE marking and conformity assessment, but it updates the rules to reflect higher-risk categories and new technological risks. Annex I, Part A lists categories of machinery and related products, including safety components and machinery whose safety functions rely on self-evolving machine-learning behaviour, for which the manufacturer cannot rely on internal production control alone and a notified body must be involved.
Companies will need to determine which conformity assessment route applies to their machinery, whether a notified body is required, and which technical documentation is necessary to demonstrate compliance.
This is particularly important for machinery involving safety components, AI-related safety functions, connected systems or significant modifications.
5. More emphasis on technical documentation and evidence
The Regulation reinforces the importance of technical documentation. Companies must be able to evidence how machinery risks were identified, assessed, mitigated and validated.
For compliance teams, this is critical. In practice, many regulatory failures do not come from the absence of controls, but from the inability to demonstrate them.
Documentation should therefore cover design decisions, risk assessments, cybersecurity controls, software architecture, testing results, conformity assessment, instructions for use, supplier inputs and post-market monitoring where relevant.
6. Digital instructions and documentation
The Regulation also reflects the move towards digital documentation. European Commission materials note that Regulation 2023/1230 provides for the possibility of instructions in digital form, although practical expectations and national authority practices may still need to be monitored carefully.
This creates opportunities for better lifecycle documentation, but also requires strong governance: version control, accessibility, retention, language requirements and user availability must be properly managed.
Which companies are affected?
The EU Machinery Regulation is relevant for a broad range of organisations, including:
- machinery manufacturers;
- importers of machinery into the EU;
- distributors;
- authorised representatives;
- integrators and assemblers;
- companies making substantial modifications to machinery;
- industrial operators using complex machinery;
- suppliers of software or safety components embedded in machinery;
- companies involved in connected industrial systems, robotics, automation or AI-enabled equipment.
Even companies that do not manufacture machinery themselves may be affected if they import, distribute, modify or integrate machinery. Operators that only use machinery are not economic operators under the Regulation, but an operator that carries out a substantial modification is treated as the manufacturer of the modified machinery and takes on the corresponding obligations.
Industrial sectors particularly concerned include manufacturing, logistics, automotive, aerospace, energy, healthcare equipment, construction, agriculture, robotics, industrial automation and critical infrastructure.
What does the Regulation impose on companies?
1. Identify applicable machinery and related products
Companies should first determine which products, equipment, systems or components fall within the scope of the Regulation.
This requires a structured inventory of machinery and related products placed on the EU market or used in EU operations. The inventory should identify manufacturers, importers, distributors, safety components, software components, connected interfaces and any AI-enabled features.
2. Perform a comprehensive risk assessment
The Regulation is fundamentally risk-based. Companies must assess hazards associated with the design, construction and use of machinery.
The risk assessment should not be limited to traditional physical hazards. It should also cover digital and cyber-related scenarios, including:
- unauthorised remote access;
- manipulation of control systems;
- corrupted software updates;
- compromised safety functions;
- loss of data integrity;
- unsafe AI-driven behaviour;
- failure of connected components;
- dependency on third-party software or cloud services.
This is where cybersecurity and safety engineering need to work together.
3. Integrate cybersecurity into machinery design
Cybersecurity should be embedded by design.
For connected machinery, companies should consider secure architecture, access control, authentication, logging, vulnerability management, secure update mechanisms, network segmentation, protection against tampering and incident response procedures.
The objective is not merely to protect data. It is to ensure that cyber threats cannot compromise the safe operation of the machine.
4. Strengthen software governance
Software governance becomes a core compliance issue.
Companies should establish controls over software development, configuration, testing, release management, patching and change management. Any software modification that could affect safety should be assessed before deployment.
This is especially important for machinery that remains in operation for many years, receives updates, or is remotely maintained.
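Sections 3 and 4 above both name secure update mechanisms and controlled software change as controls, without saying what a machine has to check before it accepts an update. The Go program below is an added illustration written for this article, not code from any machinery vendor, standard or the Regulation. It shows the minimum checks a controller should make before installing a firmware or safety-software image: the manifest must carry a valid vendor signature (Ed25519), target this machine model, carry a version newer than the one installed (so that a validly signed but older image cannot be replayed to reintroduce a defect that a later release fixed), and the payload must match the digest recorded in the signed manifest. The machine model names, manifest fields and firmware bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the only thing that is signed. The firmware payload is bound to
// it through its SHA-256 digest, so tampering with either is detected.
// Field names are assumptions for this example, not a standard format.
type Manifest struct {
	Model         string `json:"model"`          // machine model the image targets
	Version       uint64 `json:"version"`        // must increase monotonically
	PayloadSHA256 string `json:"payload_sha256"` // hex digest of the image bytes
}

// UpdatePackage is what a maintenance tool or remote-update service delivers.
type UpdatePackage struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

// Machine holds the state the verifier needs: its model, the installed
// version and the vendor's public (verify-only) key provisioned at build time.
type Machine struct {
	Model            string
	InstalledVersion uint64
	VendorPublicKey  ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("manifest targets a different machine model")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrPayloadHash  = errors.New("payload digest does not match signed manifest")
)

// BuildPackage is the vendor side: hash the image, sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, model string, version uint64, payload []byte) (UpdatePackage, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Model: model, Version: version, PayloadSHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// VerifyUpdate performs the checks in the order they must happen: nothing in
// the manifest is parsed or trusted before its signature has been verified.
func (mc *Machine) VerifyUpdate(p UpdatePackage) error {
	if !ed25519.Verify(mc.VendorPublicKey, p.ManifestJSON, p.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(p.ManifestJSON, &m); err != nil {
		return fmt.Errorf("manifest parse: %w", err)
	}
	if m.Model != mc.Model {
		return ErrWrongModel
	}
	// Anti-rollback: a genuine but older image is still rejected.
	if m.Version <= mc.InstalledVersion {
		return ErrRollback
	}
	sum := sha256.Sum256(p.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return ErrPayloadHash
	}
	return nil
}

// ApplyUpdate installs only after every check passed and records the new version.
func (mc *Machine) ApplyUpdate(p UpdatePackage) error {
	if err := mc.VerifyUpdate(p); err != nil {
		return err
	}
	var m Manifest
	_ = json.Unmarshal(p.ManifestJSON, &m) // already validated above
	mc.InstalledVersion = m.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated for the demo
	m := &Machine{Model: "PRESS-200", InstalledVersion: 3, VendorPublicKey: pub}

	good, _ := BuildPackage(priv, "PRESS-200", 4, []byte("constructed firmware image v4"))
	fmt.Println("valid update:", m.ApplyUpdate(good))

	tampered := good
	tampered.Payload = []byte("constructed firmware image v4, modified in transit")
	fmt.Println("tampered payload:", m.VerifyUpdate(tampered))

	old, _ := BuildPackage(priv, "PRESS-200", 2, []byte("constructed firmware image v2"))
	fmt.Println("rollback attempt:", m.VerifyUpdate(old))
}
```

The verifier returns a distinct error for each failure so that the caller can log which check rejected the package; Annex III expects the machinery to keep evidence of legitimate and illegitimate interventions, and rejected updates are exactly that evidence. The private key never leaves the vendor: the machine only holds the public key, so a compromise of the machine or of the maintenance channel does not give an attacker the ability to produce acceptable updates.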
5. Review conformity assessment and CE marking processes
Companies must ensure that their conformity assessment process is aligned with the new Regulation.
This includes identifying applicable essential health and safety requirements, determining whether a notified body is required, preparing the EU declaration of conformity, maintaining technical documentation and ensuring that CE marking remains valid.
Where machinery is modified after being placed on the market, companies should assess whether the change is a substantial modification within the meaning of the Regulation. If it is, the person carrying it out is treated as the manufacturer of the modified machinery and takes on the manufacturer's obligations for it, including a fresh conformity assessment and technical documentation.
6. Manage suppliers and third-party components
Machinery compliance increasingly depends on the supply chain.
Software providers, component manufacturers, automation suppliers, remote maintenance providers and cybersecurity vendors may all influence the safety and compliance of machinery.
Procurement and supplier management processes should therefore include clear requirements on cybersecurity, documentation, vulnerability disclosure, secure updates, lifecycle support and evidence availability.
7. Prepare evidence for regulators, customers and auditors
Companies should expect more questions from market surveillance authorities, customers, insurers and auditors.
They should be able to evidence:
- the machinery risk assessment;
- cybersecurity controls;
- software governance;
- supplier due diligence;
- testing and validation;
- conformity assessment decisions;
- technical documentation;
- user instructions;
- incident and vulnerability management.
In a regulatory environment increasingly focused on operational resilience, evidence is becoming as important as the control itself.
The connection with other EU regulations
The Machinery Regulation does not exist in isolation.
It sits within a broader EU regulatory movement that is strengthening digital, cyber and operational resilience obligations across sectors.
Companies should assess its interaction with:
- the Cyber Resilience Act, which addresses cybersecurity requirements for products with digital elements;
- the NIS2 Directive, which strengthens cybersecurity risk management and incident reporting for essential and important entities;
- the AI Act, where machinery includes AI systems with safety implications;
- sector-specific requirements for operational resilience, product safety, industrial safety or critical infrastructure;
- harmonised European standards, which play a key role in demonstrating conformity.
The European Commission’s machinery standards page confirms that harmonised standards remain central to machinery compliance, with references published through Commission implementing decisions.
For GRC teams, this means that compliance should not be managed regulation by regulation in silos. Organisations need an integrated control framework that maps common requirements across product safety, cybersecurity, software governance, supplier risk and operational resilience.

How to prepare for EU Machinery Regulation compliance
Step 1: Build a machinery compliance inventory
Start with a clear inventory of machinery, related products, safety components, software, connected systems and AI-enabled features.
For each item, identify:
- product category;
- manufacturer or supplier;
- EU market role: manufacturer, importer, distributor, operator or integrator;
- CE marking status;
- safety functions;
- software dependencies;
- connectivity;
- remote access mechanisms;
- lifecycle status;
- available technical documentation.
Without this inventory, it will be difficult to assess exposure.
Step 2: Perform a gap assessment against Regulation 2023/1230
Companies should compare their current compliance framework against the new Regulation.
The gap assessment should cover legal obligations, product safety requirements, cybersecurity controls, software lifecycle governance, conformity assessment procedures, supplier documentation, user instructions and post-market processes.
The output should be a prioritised remediation roadmap.
Step 3: Map cybersecurity risks to safety impacts
Traditional cybersecurity risk assessments often focus on confidentiality, integrity and availability. For machinery, this is not enough.
The key question is: could a cyber event create an unsafe physical outcome?
Examples include unsafe movement, loss of control, failure of an emergency stop, manipulation of sensor data, dangerous speed changes, unexpected restart, or failure of protective systems.
This mapping should involve engineering, safety, cybersecurity and operational teams.
Step 4: Update technical documentation
Technical documentation should be reviewed and updated to reflect the new requirements.
This may include:
- machinery descriptions;
- intended use and reasonably foreseeable misuse;
- design risk assessments;
- cybersecurity threat scenarios;
- software architecture;
- safety functions;
- testing evidence;
- standards applied;
- conformity assessment route;
- supplier declarations;
- user instructions;
- maintenance and update procedures.
The documentation must be structured, accessible and audit-ready.
Step 5: Review supplier and procurement clauses
Supplier contracts should be updated to include machinery cybersecurity and compliance requirements.
Important clauses may include:
- secure development obligations;
- vulnerability notification;
- patching commitments;
- lifecycle support;
- evidence and audit rights;
- documentation delivery;
- incident cooperation;
- change notification;
- compliance with applicable EU product safety and cybersecurity requirements.
This is especially important where suppliers provide embedded software, control systems, sensors, connected components or remote maintenance services.
Step 6: Strengthen change management
Any change to machinery, software, connectivity, remote access or safety functions should go through a controlled change management process.
The process should assess whether the change affects conformity, safety, cybersecurity, CE marking, user instructions or technical documentation.
Poorly governed updates are likely to become a major compliance risk under the new framework.
Step 7: Train relevant teams
Compliance with the Machinery Regulation is not only a legal department issue.
Training should be provided to:
- engineering teams;
- product managers;
- cybersecurity teams;
- compliance officers;
- procurement teams;
- maintenance teams;
- quality and safety teams;
- senior management.
The objective is to create a shared understanding of the link between machinery safety, cybersecurity, software and regulatory compliance.
Step 8: Monitor standards and regulatory guidance
Harmonised standards and guidance will play an important role in practical implementation. Since references to harmonised machinery standards are published and updated through the EU framework, companies should actively monitor developments as the 2027 deadline approaches.
This is especially important for cybersecurity and AI-related machinery requirements, where market practice, standards and regulatory interpretation are still evolving.
Practical compliance roadmap
2026: assessment and planning
Companies should use 2026 to build their inventory, perform a gap assessment, review product portfolios, identify high-risk machinery and define a compliance roadmap.
Priority should be given to connected machinery, AI-enabled systems, safety-critical software, remote maintenance interfaces and products to be placed on the EU market from 20 January 2027.
2026–2027: remediation and documentation
The next phase should focus on remediation: updating technical documentation, strengthening cybersecurity controls, revising supplier contracts, adapting conformity assessment processes and training internal teams.
From 20 January 2027: operational compliance
From 20 January 2027, the new Regulation becomes fully applicable. Companies should be ready to demonstrate compliance, respond to customer and authority requests, manage product changes, and maintain evidence throughout the lifecycle of machinery.
Why GRC teams should take the lead
The EU Machinery Regulation is often perceived as a product safety or engineering topic. That view is too narrow.
The Regulation requires coordination across multiple governance domains:
- product compliance;
- cybersecurity;
- software lifecycle management;
- third-party risk management;
- documentation and evidence;
- operational resilience;
- legal and regulatory monitoring;
- internal controls;
- audit readiness.
This is precisely the role of GRC.
GRC teams can help translate regulatory requirements into practical controls, assign ownership, structure evidence, monitor remediation and ensure that cybersecurity and safety risks are managed consistently.
In short, the Machinery Regulation is not only about machines. It is about governance.
Conclusion: January 2027 is closer than it looks
The EU Machinery Regulation 2023/1230 marks a significant evolution in European product safety regulation.
It confirms that machinery safety must now be understood in a digital environment where software, connectivity, AI and cybersecurity can directly affect physical outcomes.
Companies should not wait until 2027 to act. The transition requires inventory work, risk analysis, documentation, supplier engagement, cybersecurity controls, software governance and internal training.
The organisations that prepare early will not only reduce compliance risk. They will also strengthen product reliability, customer trust, operational resilience and market access.
The strategic message is simple:
Machinery compliance is becoming a combined discipline of safety, cybersecurity, software governance and GRC.
Companies that understand this shift early will be better positioned for the next generation of industrial regulation.
FAQ — EU Machinery Regulation 2023/1230
When does the EU Machinery Regulation apply?
The EU Machinery Regulation 2023/1230 becomes applicable from 20 January 2027, although some provisions apply earlier.
What does the EU Machinery Regulation replace?
It replaces the Machinery Directive 2006/42/EC, which remains applicable until the new Regulation becomes fully applicable.
Does the Machinery Regulation include cybersecurity requirements?
Yes. Annex III sections 1.1.9 (protection against corruption) and 1.2.1 (safety and reliability of control systems) require that connected devices, corrupted hardware or software and malicious interventions do not lead to hazardous situations, and that interventions in safety-relevant hardware and software are evidenced. This matters most where machinery is connected, software-driven or remotely accessible.
Who is affected by the Machinery Regulation?
The Regulation affects manufacturers and other economic operators such as importers and distributors, as well as companies involved in machinery integration, modification, supply chains or operation.
Why should cybersecurity teams care?
Because a cyber incident affecting machinery can create a safety issue. Cybersecurity therefore becomes part of the machinery risk assessment, conformity assessment and technical documentation process.
How should companies prepare?
Companies should start with a machinery inventory, perform a gap assessment, map cybersecurity risks to safety impacts, update technical documentation, review supplier contracts, strengthen software governance and train relevant teams before January 2027.