EFS Consulting
04/02/2026

EU Machinery Regulation 2023/1230 (MR): Requirements, obligations and implementation for businesses

The EU Machinery Regulation combines mechanical safety requirements with digital aspects such as software integrity, networked control systems and AI functions for the first time. Manufacturers, importers and distributors must adapt their processes, risk assessments and documentation to meet the new obligations throughout the supply chain. Digital operating instructions, cybersecurity requirements and self-learning systems are becoming mandatory components of safety assessments. EFS Consulting provides practical support to companies during implementation, assesses digital risks and ensures that compliance, safety and efficiency are balanced. This Insight explores how the new EU Machinery Regulation inextricably links functional safety with cybersecurity and AI requirements, outlining the operational steps companies must take by 2027 to ensure their connected products reach the market fully audit-proof.

Key Takeaways

  • The EU Machinery Regulation 2023/1230 will apply directly in all Member States from 2027.
  • For the first time, it combines mechanical safety requirements with digital aspects such as software integrity, updates and connected functions.
  • Manufacturers, importers and distributors must adapt their processes, documentation and risk assessments accordingly.
  • Digital user manuals, cybersecurity requirements and the handling of self-learning systems will become mandatory components of the safety assessment.
  • Companies should already be aligning their product development with the new requirements.

 

What is the EU Machinery Regulation (MR)?

The EU Machinery Regulation (EU) 2023/1230 replaces the Machinery Directive 2006/42/EC and will apply directly and uniformly in all Member States from 20 January 2027. It sets out essential requirements for design, risk assessment, technical documentation and CE marking to ensure the reliable protection of people, pets and property.

Background: Why the EU Introduced a New Machinery Regulation

A new feature is the mandatory consideration of digital functions such as safety-related software updates, networked control systems and self-learning systems. This is because modern machinery is software-controlled, networked and capable of being updated, meaning that digital risks can trigger physical hazards. The MR therefore integrates digital safety requirements for the first time and combines mechanical safety with aspects of cybersecurity.

Scope of the MR

The MR specifies the products and components to which its requirements apply. It covers not only traditional machinery but also takes into account modern technological developments and digital functions.

Scope:

  • Machinery and equipment
  • Safety components, including those using machine learning
  • Software with safety-critical functions

Industrial Use Cases

Typical industrial applications include automated production lines with networked control systems, industrial robots with safety-critical control systems, and machines with remote maintenance access. They also include systems in which software performs safety-critical functions such as monitoring, emergency shutdown, or fault detection.

Highly autonomous robotic systems, such as humanoid robots, are also becoming increasingly relevant; in these systems, mechanical safety, software logic and AI-supported decision-making are closely interlinked.

 

Machinery Directive (MD) vs Machinery Regulation (MR): The Key Differences

The Machinery Directive was a legal framework to be transposed by the Member States, which meant that national differences could arise. The MR, on the other hand, is directly applicable and ensures uniform requirements across the EU. It adapts the legal framework to modern technologies by, for the first time, mandatorily addressing digital aspects such as software integrity, networked systems, and self-learning functions. At the same time, it implements the provisions of the New Legislative Framework, an EU framework for harmonised product requirements and uniform conformity assessment. In doing so, it closes key gaps that have arisen due to the increasing digitalisation of industrial machinery.

| Aspect | MD | MR |
|---|---|---|
| Legal form | Directive → national implementation | Regulation → direct application |
| Application | Differences in interpretation possible | Uniform across all Member States |
| Digitalisation | Not covered | Takes into account updates, connected functions, self-learning systems |
| Cybersecurity | Not covered | Protection against tampering, software integrity |

 

Timetable, Transition Periods and Entry Into Force of the MR

The EU Machinery Regulation was published in the Official Journal of the EU in 2023 and will become binding in all EU Member States from 20 January 2027. From that date onwards, only machinery that complies with the requirements of the Regulation may be placed on the market.

The period up to 2027 constitutes a transitional phase during which companies must adapt their development and safety processes to the new requirements. This includes, in particular, updating risk assessments, providing comprehensive technical documentation, and taking into account digital functions and networked control systems. Machinery intended to be placed on the market from 2027 onwards must already be designed in accordance with the new MR standards.

Key changes to the EU Machinery Regulation

Cybersecurity and secure control systems

The MR requires that safety-critical hardware and software be protected against tampering and continue to function reliably even in the event of external interference. This includes, in particular, the integrity of safety-critical software and protection against malicious access to control systems.

Digital documentation

Technical documentation and operating instructions can be provided in a digital, printable format, e.g. via a QR code on the machine. At the purchaser’s request, the operating instructions must be provided free of charge in paper form.

Artificial intelligence and autonomous functions

Self-learning and networked systems must be taken into account in risk assessments where they are relevant to safety. It must be possible to monitor their functions so that the safety level is guaranteed at all times.

This is particularly evident in complex robotic systems such as humanoid robots, whose behaviour can change dynamically as a result of AI models and must therefore be continuously assessed and validated.

Substantial modification

Machinery is considered to have been ‘substantially modified’ if modifications increase its risk or safety profile, for example in the case of retrofitted AI that alters the machine’s behaviour and increases safety risks. In such cases, a new conformity assessment is required and the machine falls within the scope of the MR, even if it was originally placed on the market before the Regulation came into force.

Synergy between the Machinery Regulation and the CRA

The MR and the EU Cyber Resilience Act (CRA) are two key European regulatory initiatives. The two regulations address different aspects of product safety, mechanical safety on the one hand and digital resilience on the other, and for the first time bring these together into a coherent framework. Areas that have hitherto been viewed largely in isolation – functional safety and cybersecurity – will become increasingly intertwined in the near future.

Obligations for businesses throughout the supply chain

The MR sets out clear responsibilities for all economic operators in the supply chain. The manufacturer bears the greatest responsibility. Even where development work has been outsourced, responsibility generally remains with the manufacturer. The manufacturer carries out the risk assessment, prepares the technical documentation, is responsible for the conformity assessment and affixes the CE marking.

Importers and distributors must check whether machinery has been correctly assessed for conformity and marked, and whether the necessary documentation is available.

Operators must use machinery safely and may only make modifications if these do not give rise to new risks; in the case of significant modifications, a reassessment is required.

 

CE marking and conformity assessment in accordance with the MR

The steps involved in the conformity assessment procedure (CE marking) are structured similarly across all EU directives. Depending on the product, some steps may vary, or verification by an external body may be required.

1. Requirements Engineering

Identification of all applicable standards, guidelines and legal requirements for the specific machine type.

2. Risk assessment

Identification of all hazards throughout the product or machine lifecycle in accordance with EN ISO 12100. The standard sets out the systematic procedure for identifying and assessing the hazards associated with a machine. It describes:

  • Defining the boundaries of the machine
  • Identification of potential hazards
  • Risk assessment and risk evaluation
  • Risk mitigation measures

3. Safety policy

Identification of appropriate safety measures based on the risk assessment – e.g. design and technical solutions.

4. Safety Engineering

Practical implementation of the previously planned protective measures through:

  • Technical design
  • Selection of appropriate safety techniques
  • Development of safety-critical software

5. Verification

Systematic verification that the safety functions have been implemented correctly and that the required performance level is achieved (in particular in accordance with EN ISO 13849-1).

6. Validation

Testing on the actual machine to verify that all safety measures function reliably and actually meet the specified requirements.

7. Documentation

The complete and transparent preparation of all CE-related documentation, including, amongst other things:

  • Risk assessment
  • Safety documentation
  • Technical documentation
  • Validation reports

8. Evaluation & Final Report

All evidence will be collated and assessed.

9. Inspection (Ongoing Review)

Regular inspection of the machine during operation to ensure the effectiveness of safety measures throughout its entire lifecycle.

 

How EFS’s Information Security Experts Support the Implementation of the EU Machinery Regulation

Our information security experts at EFS support companies in implementing the EU Machinery Regulation by identifying digital risks and safety requirements at an early stage and developing practical solutions. We test the software-based safety functions, assess the machines’ connectivity and data flows, and ensure that all digital documentation, access options and protective measures comply with regulatory requirements. In this way, we help to balance compliance, safety and efficiency, and significantly reduce the effort involved in operational implementation.

 

Conclusion

The EU Machinery Regulation brings together safety and digital requirements into a modern, holistic safety framework. Companies must adapt their development and documentation processes in good time to be able to offer compliant machinery from 2027 onwards. With the increasing connectivity of machinery, ranging from diagnostic interfaces to autonomous humanoid robots, it is clear how closely the MR is intertwined with the CRA and other regulatory frameworks. Ultimately, connected, AI-controlled machines must meet both physical safety requirements and digital resilience obligations – a strategic issue for the future that demonstrates to companies how important it is to incorporate compliance by design from the outset. EFS Consulting supports practical implementation, assesses digital risks and ensures that processes, documentation and safety measures are designed to comply with the MR.

This enables companies to bring their machine products to market in a manner that is both regulatory-compliant and audit-proof.

 

FAQs

What is the EU Machinery Regulation?

The EU Machinery Regulation (EU) 2023/1230 is the new binding legal framework for machinery safety and replaces the Machinery Directive. Among other things, it requires risk assessment, technical documentation and the consideration of digital functions such as software updates and networked control systems.

 

When does the EU Machinery Regulation come into force?

The Regulation will apply from 20 January 2027; from that date, only machinery that complies with the MR may be placed on the market.

 

Who is covered by the Machinery Regulation?

The MR applies to manufacturers, importers and distributors of machinery, as well as safety-related components and software. All parties involved must ensure that only compliant machinery is supplied or operated.

 

What is the difference between the Machinery Directive and the Machinery Regulation?

The Directive had to be transposed into national law, whereas the Regulation applies directly and uniformly across all EU Member States. Furthermore, the MR incorporates digital risks such as software integrity and connected functions, which were not covered by the old Directive.
