Cybersecurity becomes mandatory in mechanical engineering. Discover the specific requirements of the new EU regulation and how to implement them.
Importance of cybersecurity for machines
In an increasingly networked industry, machines and systems are more often connected to the internet and to one another. While this enables more efficient processes and remote maintenance, it also makes systems vulnerable to cyberattacks. A successful attack could not only cause production downtime but, in the worst case, also create safety risks for workers or the environment.
Cybersecurity requirements
The new machinery regulation sets out specific cybersecurity requirements for machines and related products. These requirements, laid down in Annex III, Section 1.1.9, aim to ensure the integrity and safety of machines in an increasingly connected manufacturing environment.
For manufacturers and operators in the machinery sector, the following concrete obligations arise:
Secure connectivity
> The machine or the related product must be designed and constructed so that the connection of another device to the machine or the related product by any function of the connected device itself, or by a remote access device communicating with the machine or the related product, does not lead to a dangerous situation.
Machines must be designed so that connecting external devices or allowing remote access does not create a hazard.
For example, a machine could be equipped with an integrated firewall and secure authentication mechanisms for each interface to prevent unauthorized or potentially dangerous access.
Protection of critical hardware
> A hardware component that transmits signals or data relevant to the connection or access to the software which is critical for the conformity of a machine or a related product with the applicable health and safety requirements must be designed to be adequately protected against unintentional or deliberate corruption. Machines or related products shall collect evidence of lawful or unlawful interference with that hardware component insofar as it is relevant to the connection or access to the software critical for conformity of the machines or related products.
Hardware components responsible for safety-relevant signals or data must be adequately protected against unintentional or deliberate corruption. The machine must be able to collect evidence of tampering with these components.
In practice, this could mean housing the control unit in a locked enclosure and ensuring it only runs cryptographically signed code or commands.
Protection of critical software and data
> Software and data that are critical for the conformity of the machine or the related product with the applicable health and safety requirements shall be identified as such and adequately protected against unintentional or deliberate corruption.
Safety-critical software and data must be identified and adequately protected against corruption or manipulation.
In an automated production line, this could be implemented by using encrypted, digitally signed control software executed from a protected storage area.
Identification of safety-critical software
> The machine or the related product must identify the installed software required for safe operation and be able to provide that information at any time in an easily accessible form.
The machine must identify the installed software required for safe operation and make this information readily accessible at all times.
For example, a machine panel could display the version number and a cryptographic hash (checksum) of its safety-critical firmware at startup and on request in the operator menu. This lets operators verify software integrity quickly.
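The following is an added illustration of that idea, not code from the regulation or from any machine vendor: a controller keeps a manifest of its safety-relevant software components with the digest recorded at release, hashes each installed image with SHA-256, and renders the result in a form an operator can read at startup or on request. The component names, version strings and firmware images are constructed sample data, and the manifest is assumed to be delivered in a signed form (signature checking is outside this snippet).

```python
"""Software identification for a safety-critical controller (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwareComponent:
    """One entry of the (assumed signed) release manifest."""
    name: str
    version: str
    expected_sha256: str  # digest recorded when the release was built


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(manifest, installed):
    """Compare installed images against the manifest.

    Returns one dict per manifest entry: component, version, actual digest
    (None if the image is missing) and whether it matches the manifest.
    """
    report = []
    for comp in manifest:
        image = installed.get(comp.name)
        actual = sha256_hex(image) if image is not None else None
        report.append({
            "component": comp.name,
            "version": comp.version,
            "sha256": actual,
            "integrity_ok": actual == comp.expected_sha256,
        })
    return report


def render_for_operator(report) -> str:
    """Plain-text view suitable for an HMI panel or a service menu."""
    lines = ["SAFETY-RELEVANT SOFTWARE"]
    for r in report:
        status = "OK" if r["integrity_ok"] else "MISMATCH"
        digest = (r["sha256"] or "missing")[:16]
        lines.append(f"{r['component']:<14} v{r['version']:<8} sha256={digest}...  {status}")
    return "\n".join(lines)


# --- constructed sample data -------------------------------------------------
SAFETY_PLC_IMAGE = b"safety-plc-firmware-2.4.1 (constructed sample image)"
ESTOP_IMAGE = b"estop-monitor-1.0.3 (constructed sample image)"

SAMPLE_MANIFEST = [
    SoftwareComponent("safety-plc", "2.4.1", sha256_hex(SAFETY_PLC_IMAGE)),
    SoftwareComponent("estop-monitor", "1.0.3", sha256_hex(ESTOP_IMAGE)),
]

# Intact installation: both images match the manifest.
SAMPLE_INSTALLED = {"safety-plc": SAFETY_PLC_IMAGE, "estop-monitor": ESTOP_IMAGE}

# Modified installation: one byte of the PLC image changed, E-stop image absent.
TAMPERED_INSTALLED = {"safety-plc": SAFETY_PLC_IMAGE[:-1] + b"!"}


if __name__ == "__main__":
    print(render_for_operator(build_inventory(SAMPLE_MANIFEST, SAMPLE_INSTALLED)))
    print()
    print(render_for_operator(build_inventory(SAMPLE_MANIFEST, TAMPERED_INSTALLED)))
```

The digest shown on the panel only proves integrity if the manifest it is compared against is itself protected, which is why the manifest is assumed to be signed; a displayed version string alone can be set by whoever modified the firmware.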
Recording of changes
> Machines or related products shall collect evidence of lawful or unlawful interference with the software or of a change in the software installed in the machines or related products or in their configuration.
The machine must be able to collect evidence of lawful or unlawful interference with the installed software or its configuration.
A possible implementation is a cryptographically protected change log that records all updates, configuration changes and access attempts.
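As an added example of such a log (not code from the regulation or from any product), each entry below carries an HMAC-SHA256 tag over its own content plus the tag of the previous entry, so altering, deleting or re-ordering an entry breaks the chain. The device key, actors and events are constructed sample data; on a real controller the key would be held in a secure element or TPM and the log written to append-only storage.

```python
"""Tamper-evident change log for a machine controller (added example)."""
import copy
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # predecessor tag of the very first entry


def canonical(entry: dict) -> bytes:
    """Stable serialisation so the same content always yields the same tag."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class ChangeLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def append(self, ts: str, actor: str, action: str, detail: str) -> dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "detail": detail, "prev": prev}
        tag = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, tag=tag)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Tag of the latest entry; store or report it externally to detect truncation."""
        return self.entries[-1]["tag"] if self.entries else GENESIS_TAG


def verify_chain(key: bytes, entries, expected_head: str = None):
    """Return (ok, index_of_first_bad_entry). Index is None when the chain is intact.

    If expected_head is given, a chain whose tail was cut off is also rejected
    (index == len(entries), i.e. the problem lies after the last present entry).
    """
    prev = GENESIS_TAG
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i                      # removed or re-ordered entry
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["tag"]):
            return False, i                      # modified entry or wrong key
        prev = e["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)               # trailing entries missing
    return True, None


# --- helpers that simulate what an attacker or a faulty tool might do ---------
def with_modified_entry(entries, idx, **changes):
    out = copy.deepcopy(entries)
    out[idx].update(changes)
    return out


def with_entry_removed(entries, idx):
    return [copy.deepcopy(e) for i, e in enumerate(entries) if i != idx]


# --- constructed sample data -------------------------------------------------
SAMPLE_KEY = b"constructed-device-key-not-for-production"


def build_sample_log() -> ChangeLog:
    log = ChangeLog(SAMPLE_KEY)
    log.append("2025-03-01T08:00:00Z", "service-tech-17", "firmware_update",
               "safety-plc 2.4.0 -> 2.4.1")
    log.append("2025-03-01T08:05:00Z", "operator-3", "config_change",
               "speed_limit=1500")
    log.append("2025-03-02T22:14:00Z", "remote:10.0.0.9", "access_denied",
               "remote login failed")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(SAMPLE_KEY, log.entries))
    print("edited:", verify_chain(SAMPLE_KEY, with_modified_entry(log.entries, 1, detail="speed_limit=2000")))
    print("truncated:", verify_chain(SAMPLE_KEY, log.entries[:-1], expected_head=log.head()))
```

Two points matter in practice. First, a hash chain alone does not detect removal of the newest entries; the log must periodically export or display its head tag (or a signed count) so truncation becomes visible, which is why verify_chain accepts an expected head. Second, the log records lawful changes too: the legitimate firmware update and the operator's parameter change appear alongside the rejected remote login, which is exactly the evidence the requirement asks for.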
These requirements are intended to ensure the integrity and security of machines and related products by protecting them from unauthorized interference and manipulation. They emphasize the need to protect both hardware and software from corruption and to make changes traceable.
The full requirements are set out in Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery products. The exact wording of the cybersecurity requirements can be found in Annex III, Section 1.1.9 of the regulation.
Many of the provisions in Annex III leave room for interpretation, especially at the interface between safety, security and existing practice. If you would like to clarify how these requirements specifically apply to your machines, a short orientation discussion can be useful.
Relation to the Cybersecurity Act
The new machinery regulation also takes into account the interaction with existing EU cybersecurity rules. In particular, it refers to the Cybersecurity Act (Regulation (EU) 2019/881). The machinery regulation provides that machines and related products that have been certified under a recognized scheme of the Cybersecurity Act or for which a corresponding declaration of conformity exists are to be considered compliant with certain requirements of the machinery regulation.
Specifically, this concerns the requirements for protection against corruption (Annex III, Section 1.1.9) and the safety and reliability of control systems (Annex III, Section 1.2.1). This presumption of conformity applies insofar as the relevant requirements are covered by the cybersecurity certificate or the conformity certificate.
This arrangement creates synergies between the two regulations and avoids unnecessary double certification. It makes it easier for manufacturers who have already obtained cybersecurity certifications under the Cybersecurity Act to meet the requirements of the new machinery regulation and promotes a coherent approach to cybersecurity across different EU rules.
Relation to the Cyber Resilience Act
The new machinery regulation is also closely linked to the Cyber Resilience Act (CRA). For products that fall under both the machinery regulation and the CRA, manufacturers must meet the requirements of both frameworks. The CRA acknowledges that there may be overlaps in cybersecurity requirements.
Meeting the essential requirements of the CRA can facilitate compliance with certain requirements of the machinery regulation, particularly regarding protection against corruption (Section 1.1.9) and the safety and reliability of control systems (Section 1.2.1). However, manufacturers must demonstrate these synergies, for example by applying harmonized standards or other technical specifications based on a risk assessment.
To ensure coherence, the European Commission and European standardization organizations intend to promote consistency in risk assessment and treatment for both regulations when preparing standards. The Commission also plans to provide guidance for manufacturers to help comply with the requirements of both regulations.
Significance of the machinery regulation
For machine manufacturers, these new requirements initially mean increased effort. They must adapt their development processes and may need to build additional expertise in cybersecurity. In particular, they must:
- carry out risk analyses that also consider cybersecurity aspects
- integrate cybersecurity into product design from the outset
- produce comprehensive documentation of implemented security measures
- develop mechanisms for regular security updates
- provide training and information materials for users
In the long term, however, the regulation also offers opportunities: it creates harmonized standards across the EU and can thus strengthen trust in European products. Companies that invest in cybersecurity early can also gain a competitive advantage.
For users of machines, the new regulation means a higher level of security. They can rely on purchased products meeting basic cybersecurity standards.
Important dates and deadlines
The new machinery regulation (EU) 2023/1230 was adopted on 14 June 2023, but different parts enter into force at different times.
Particularly important is 20 January 2027 — until this date the previous Machinery Directive 2006/42/EC continues to apply in parallel. Products placed on the market before this deadline can still be supplied with a declaration of conformity under the old directive. From 20 January 2027, all newly placed products must comply with the requirements of the new regulation.
Manufacturers can already take into account requirements of the new regulation, such as those on cybersecurity. Since July 2024, the European Commission has also allowed a combined EC/EU declaration of conformity to facilitate the transition.
Some parts of the regulation came into force earlier, including the provisions on conformity assessment bodies and the powers of the EU Commission to adopt delegated acts (since 20 January 2024 and since 20 July 2024 respectively).
Companies should familiarize themselves with the changes early to ensure they meet all requirements after the transition period and can continue to place their products on the EU market.
Conclusion and outlook on the future of cybersecurity in mechanical engineering
The new machinery regulation marks a turning point in the connected industry. For the first time, it establishes binding cybersecurity requirements for machines and related products, which will significantly strengthen safety and integrity in an increasingly networked manufacturing environment.
It is worth noting that addressing cybersecurity early is important not only with regard to the machinery regulation but also to the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA). The synergies with these frameworks allow companies to consolidate their cybersecurity efforts and prepare efficiently for regulatory requirements.
Companies should use the time before the regulation fully enters into force to adapt their processes, build expertise and develop innovative solutions. Only by doing so can they fully exploit the opportunities of the new regulation and prepare for future challenges.
The new machinery regulation introduces binding cybersecurity requirements into mechanical engineering for the first time. If you want to understand how strongly your products are affected and which next steps make sense, we can discuss this together in a non-binding orientation meeting.