Cybersecurity becomes mandatory in machine engineering. Learn the concrete requirements of the new EU regulation and how to implement them.
Importance of cybersecurity for machines
In an increasingly networked industry, machines and equipment are more often connected to the internet and to each other. While this enables more efficient processes and remote maintenance, it also makes systems vulnerable to cyberattacks. A successful attack could not only lead to production downtime but, in the worst case, also pose safety risks to workers or the environment.
Requirements for cybersecurity
The new Machinery Regulation sets specific cybersecurity requirements for machines and related products. These requirements, stipulated in Annex III, section 1.1.9, aim to ensure the integrity and safety of machines in an increasingly networked manufacturing environment.
For manufacturers and operators in the machinery sector, the following concrete obligations arise:
Secure connectivity
> The machine or the related product shall be designed and constructed so that the connection of another device to the machine or the related product by any function of the connected device itself or via a remote access device communicating with the machine or the related product does not lead to a hazardous situation.
Machines must be designed so that connecting external devices or enabling remote access does not create a hazard.
For example, a machine could authenticate and authorise every connection on each of its interfaces (including remote-maintenance access), filter traffic with an integrated firewall, and fall back to a safe state if a connection is lost or behaves unexpectedly, so that no external device can drive the machine into a hazardous situation.
Protection of critical hardware
> A hardware component that transmits signals or data relevant to the connection to, or access to, the software that is essential to the conformity of a machine or a related product with the applicable health and safety requirements shall be designed so as to be adequately protected against unintentional or deliberate corruption. Machines or related products shall collect evidence of lawful or unlawful interference in the said hardware component to the extent that it is relevant to the connection to, or access to, the software that is essential to the conformity of the machines or related products.
Hardware components that carry safety-relevant signals or data, or that provide access to safety-relevant software, must be adequately protected against unintentional or deliberate corruption. In addition, the machine must collect evidence of interference with these components, whether lawful (servicing) or unlawful (tampering).
In practice, this could mean the safety controller is housed in a locked enclosure whose opening is detected and logged, and that it only executes cryptographically signed code and accepts only authenticated commands.
Protection of critical software and data
> Software and data that are essential to the conformity of the machine or the related product with the applicable health and safety requirements shall be identified as such and adequately protected against unintentional or deliberate corruption.
Safety-relevant software and data must be identified as such and adequately protected against corruption or manipulation. Identification comes first: a manufacturer can only protect what it has inventoried.
In an automated production line this could be implemented by digitally signing the control software and its safety parameters, verifying the signature before they are loaded (encrypting them as well where confidentiality matters), and executing the software from a protected memory area that cannot be written at runtime.
Identification of safety-relevant software
> The machine or the related product shall identify the installed software necessary for safe operation and be able to make that information available at any time in an easily accessible form.
The machine must identify the installed software required for safe operation and be able to provide that information at any time in an easily accessible form.
For example, a machine panel could display the version number and cryptographic hash (e.g. SHA-256) of its safety-critical firmware at every startup and on request in the operator menu. Operators can then compare these values against the reference values published by the manufacturer; a displayed hash only proves integrity when it is checked against a trusted reference.
Recording of changes
> Machines or related products shall collect evidence of lawful or unlawful interference with the software or of a change to the software installed in machines or related products or to its configuration.
The machine must collect evidence of lawful or unlawful interference with installed software or its configuration, and of any change to that software or configuration.
A machine could, for example, maintain an append-only, cryptographically secured change log that records all updates, configuration changes and access attempts, so that deleting or editing an entry after the fact is detectable.
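The two mechanisms just described, a software inventory that can be shown on request and a tamper-evident record of changes, fit together naturally. The following added example (written for this article, not code from the Regulation or from any machine vendor) shows one way to build both on a controller: SHA-256 hashes of the safety-relevant images form the inventory, each change or detected deviation is appended to a hash-chained log, and the head of the chain is authenticated with a device-specific key so that a truncated log is detected as well. The component images, the device key and the timestamps are constructed stand-ins; a real controller would read the images from flash and hold the key in a secure element or TPM.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

# Constructed stand-ins for the safety-relevant software on a controller:
# name -> (version string, image bytes). Real images would be read from flash.
SAFETY_COMPONENTS = {
    "safety_plc_firmware": ("2.4.1", b"SAFETY-PLC-IMAGE-v2.4.1 (constructed)"),
    "emergency_stop_logic": ("1.0.3", b"ESTOP-LOGIC-v1.0.3 (constructed)"),
    "safety_params.cfg": ("cfg-17", b"max_speed=250\nlight_curtain=enabled\n"),
}

# Assumption: a device-specific secret kept in protected storage (secure
# element, TPM). A constant here only so the example runs offline.
DEVICE_KEY = b"example-device-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def software_inventory(components: dict) -> dict:
    """Identify the installed safety-relevant software: name -> {version, sha256}.
    This is the record a panel would display at startup or on request."""
    return {
        name: {"version": version, "sha256": sha256_hex(image)}
        for name, (version, image) in components.items()
    }


def canonical(body: dict) -> bytes:
    """Stable serialisation so an entry's hash does not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLog:
    """Append-only, hash-chained record of updates, configuration changes and
    detected interference. Each entry commits to its predecessor; the head is
    authenticated with the device key so truncation is detectable too."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def record(self, event: str, actor: str, detail: dict, ts: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "event": event,
                "actor": actor, "detail": detail, "prev": prev}
        entry = dict(body, hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def anchor(self) -> str:
        """HMAC over the current head hash. Keep it outside the log (show it on
        the panel, forward it to the operator's SIEM) after every record()."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        return hmac.new(self.key, head.encode(), hashlib.sha256).hexdigest()

    def verify(self, expected_anchor: str) -> tuple:
        """Walk the chain; report the first modified entry, a broken link, or a
        head that no longer matches the externally stored anchor."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False, f"chain broken before entry {i}"
            if sha256_hex(canonical(body)) != entry["hash"]:
                return False, f"entry {i} was modified"
            prev = entry["hash"]
        if not hmac.compare_digest(self.anchor(), expected_anchor):
            return False, "head does not match anchor (truncated or replaced log)"
        return True, "ok"


def apply_update(components: dict, name: str, version: str, image: bytes,
                 log: EvidenceLog, actor: str, ts: str) -> dict:
    """Lawful change path: the update is logged with before/after hashes.
    Returns the new reference inventory to compare against from now on."""
    old = software_inventory(components).get(name, {}).get("sha256")
    components[name] = (version, image)
    log.record("software_update", actor,
               {"component": name, "version": version,
                "old_sha256": old, "new_sha256": sha256_hex(image)}, ts)
    return software_inventory(components)


def check_integrity(expected: dict, components: dict, log: EvidenceLog, ts: str) -> list:
    """Compare running software against the reference inventory; any deviation
    is unlawful interference and is recorded as evidence. Returns the names."""
    current = software_inventory(components)
    violations = [name for name in expected
                  if current.get(name, {}).get("sha256") != expected[name]["sha256"]]
    violations += [name for name in current if name not in expected]
    if violations:
        log.record("integrity_violation", "self-check", {"components": violations}, ts)
    return violations


if __name__ == "__main__":
    comps = dict(SAFETY_COMPONENTS)
    log = EvidenceLog(DEVICE_KEY)
    reference = software_inventory(comps)
    log.record("commissioning", "integrator", {"inventory": reference}, "2027-01-20T08:00:00Z")
    print(json.dumps(reference, indent=2))  # what the operator menu would show
    comps["safety_params.cfg"] = ("cfg-17", b"max_speed=900\n")  # unauthorised edit
    print(check_integrity(reference, comps, log, "2027-03-02T03:14:00Z"))
    print(log.verify(log.anchor()))
```

The anchor is what turns a chained log into evidence: without a copy of the head stored outside the controller, an attacker who rewrites the log can simply recompute every hash. In a deployment the HMAC would be replaced by a signature from the secure element, and the anchor would be pushed to the operator's monitoring system after each entry.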
These requirements are designed to ensure the integrity and security of machines and related products by protecting them against unauthorized interference and manipulation. They emphasize the need to protect both hardware and software from corruption and to make changes traceable.
The full requirements are set out in Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery, which repeals Directive 2006/42/EC. The exact wording of the cybersecurity requirements can be found in Annex III, section 1.1.9 ("Protection against corruption") of the Regulation.
Relationship with the Cybersecurity Act
The new Machinery Regulation also considers the interplay with existing EU cybersecurity rules. In particular, it establishes a link to the Cybersecurity Act (Regulation (EU) 2019/881). The Machinery Regulation provides that machines and related products that have been certified under a European cybersecurity certification scheme adopted under the Cybersecurity Act, or for which an EU statement of conformity has been issued under such a scheme, shall be presumed to be in conformity with certain requirements of the Machinery Regulation.
Specifically, this relates to the requirements for protection against corruption (Annex III, section 1.1.9) and to the safety and reliability of control systems (Annex III, section 1.2.1). This presumption of conformity applies only to the extent that the respective requirements are actually covered by the cybersecurity certificate or the statement of conformity; anything the scheme does not address still has to be demonstrated separately.
This arrangement creates synergies between the two regulations and avoids unnecessary double certification. It makes it easier for manufacturers who have already carried out cybersecurity certifications under the Cybersecurity Act to meet the requirements of the new Machinery Regulation, while promoting a coherent approach to cybersecurity across different EU rules.
Relationship with the Cyber Resilience Act
The new Machinery Regulation is also closely linked to the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847). For products that fall under both the Machinery Regulation and the CRA, manufacturers must meet the requirements of both frameworks. The CRA recognises that there may be overlaps in cybersecurity requirements.
Complying with the essential requirements of the CRA can facilitate meeting certain requirements of the Machinery Regulation, particularly regarding protection against corruption (section 1.1.9) and the safety and reliability of control systems (section 1.2.1). Manufacturers must, however, demonstrate these synergies, for example by applying harmonised standards or other technical specifications based on a risk assessment.
To ensure coherence, the European Commission and the European standardisation organisations intend to promote consistency in risk assessment and risk treatment for both regulations when preparing standards. In addition, the Commission plans to provide guidance for manufacturers to facilitate compliance with the requirements of both regulations.
Importance of the machinery regulation
For machinery manufacturers, these new requirements initially mean increased effort. They must adapt their development processes and may need to build additional expertise in cybersecurity. In particular, they must:
- carry out risk analyses that also consider cybersecurity aspects
- integrate cybersecurity into the design of their products from the start
- create comprehensive documentation of the implemented security measures
- develop mechanisms for regular security updates
- provide training and information material for users
In the long term, however, the regulation also offers opportunities: it creates uniform standards within the EU and can thus strengthen trust in European products. Companies that invest early in cybersecurity can also gain a competitive advantage.
For users of machines, the new regulation means a higher level of safety: they can rely on the products they purchase meeting basic cybersecurity requirements.
Key dates and deadlines
The new Machinery Regulation (EU) 2023/1230 was adopted on 14 June 2023, but its provisions apply from different dates.
Of particular importance is 20 January 2027 – until that date, the previous Machinery Directive 2006/42/EC continues to apply in parallel. Products placed on the market before this cut-off date may still be supplied with a declaration of conformity under the old Directive. From 20 January 2027, all newly placed products must comply with the requirements of the new Regulation.
Manufacturers can already take into account requirements of the new Regulation, such as those on cybersecurity. In addition, since July 2024 the European Commission has enabled a combined EC/EU declaration of conformity to ease the transition.
Some parts of the Regulation apply earlier, including the rules on conformity assessment bodies (notified bodies, since 20 January 2024) and the powers of the European Commission to adopt delegated acts (since 20 July 2024).
Companies should familiarise themselves with the changes early so that they can meet all requirements after the transition period and continue to place their products on the EU market.
Conclusion and outlook: the future of cybersecurity in machine engineering
The new Machinery Regulation marks a turning point in the networked industry. It establishes, for the first time, binding cybersecurity requirements for machines and related products, which will significantly strengthen safety and integrity in an increasingly networked manufacturing environment.
It is worth emphasising that early engagement with cybersecurity is important not only with regard to the Machinery Regulation but also to the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA). The synergies between these frameworks allow companies to bundle their cybersecurity efforts and prepare efficiently for regulatory requirements.
Companies should use the time until the Regulation comes fully into force to adapt their processes, build expertise and develop innovative solutions. Only in this way can they fully exploit the opportunities of the new regulation and prepare for the challenges of the future.
Support for implementation
For the first time, the new Machinery Regulation introduces binding requirements for the cybersecurity of safety-related controls. For manufacturers this means: cybersecurity becomes an integral part of CE marking and is no longer just an optional quality feature.
Secuvi supports companies in implementing these requirements in a timely and structured manner. This includes integrating cybersecurity aspects into risk assessment, developing secure product functions, producing the necessary evidence and preparing for conformity assessments. Communicating safety-relevant information to customers and distributors is also part of the requirement catalogue and of the implementation consulting.
If you would like to know what concrete impact the Machinery Regulation has on your products and how to design them securely and in conformity, we will accompany you with regulatory and technical expertise.