New Machinery Regulation: the countdown begins

The New Machinery Regulation will come into force on 20 January 2027. What changes compared to the previous Directive? What obligations apply to manufacturers, importers and distributors?

The time has almost come. Just a few months remain before the much‑discussed Regulation (EU) 2023/1230, also known as the New Machinery Regulation, becomes fully applicable, precisely on 20 January 2027.

The first major innovation lies in the nature of the legal act itself: the shift from a Directive to a Regulation. This means that national transposition through a Member State decree is no longer required. The Regulation will apply as written, ensuring greater uniformity of obligations for importers, manufacturers and distributors across the European Union.

Stronger obligations throughout the ceramic supply chain

With regard to economic operators, Regulation (EU) 2023/1230 strengthens and clearly defines obligations along the entire supply chain. Manufacturers, importers and distributors are subject to specific and distinct responsibilities, in line with the EU market surveillance framework. In particular, importers and distributors take on an active role in ensuring that only compliant machinery is placed on the market, complete with the required documentation and correct markings.

The New Regulation also broadens and clarifies its scope of application, explicitly covering not only traditional machinery but also so‑called “related products”, such as safety components, interchangeable equipment and removable mechanical transmission devices.

Software and cybersecurity enter the regulatory framework

One of the main elements of discontinuity compared with Directive 2006/42/EC is the explicit recognition of the role of software. Software performing safety functions, as well as systems with self‑evolving behaviour based on artificial intelligence or machine learning, fully fall within the regulatory scope when they have an impact on machine safety.

Particularly relevant is the introduction of specific essential health and safety requirements relating to cybersecurity: EHSR 1.1.9 “Protection against corruption” and 1.2.1 “Safety and reliability of control systems”. The Regulation requires machinery to be designed and constructed in such a way as to prevent unauthorised access, manipulation or interference—whether intentional or accidental—that could compromise the safety of control systems. Cybersecurity therefore becomes a structural element of the risk assessment process rather than a purely voluntary or contractual aspect.

Another clarification with significant operational impact concerns the concept of “substantial modification”. Any modification, this is the real novelty, including digital or software‑based changes that affect the safety of a machine, results in the party carrying out the modification being considered the new manufacturer. This entails the obligation to carry out a new risk assessment, a new conformity assessment procedure and to affix new CE marking.

Finally, the Regulation introduces a new system for identifying high‑risk machinery (which does not include ceramic machinery) and allows for the digitalisation of technical documentation, with a mandatory ten‑year retention period, provided that a paper version is made available upon request.

As far as documentation is concerned, this must also cover safety‑relevant software, demonstrating the correct functioning of safety functions and the absence of alterations that could lead to compromise, as well as a dedicated risk analysis for this purpose.

A dual regulatory track for digitalised machinery

Overall, Regulation (EU) 2023/1230 represents a significant evolution compared to Directive 2006/42/EC, updating the European regulatory framework in line with ongoing technological transformation.

In closing, a point for reflection for machinery manufacturers: the New Machinery Regulation precedes the application of the Cyber Resilience Act by a few months (11 December 2027). These are two distinct but coordinated Regulations. The former integrates cybersecurity as a machine safety requirement, while the latter governs the cybersecurity of products with digital elements. For digitalised machinery, both Regulations often apply in parallel, sharing risk analyses, technical evidence and documentation.

For more information: [email protected]