Skip to content
Close
SEARCH
Contact Us
Contact Us

AI Governance and Compliance

AI Governance

AI Maturity Model

AI Management System

AI Governance Tooling and Technologies

Regulatory Compliance

AI Trust for Goverments

AI Embeded in Products and Software

AI Trust Mark

AI Embedded in Products

Digital Trust

Other Services

Trainings and Workshops

AI Trust Hub

ai_academy_1 (1)

AI Academy

Learn More

Regulations

EU AI Act (Europe)

NIST RMF 1.0 (USA)

United Kingdom

United Arab Emirates

Medical Devices Regulation (EU)

Ethics Guidelines for Trustworthy AI

All Regulations


 

Standards

ISO/IEC 42001

ISO/IEC 42005

ISO/IEC TR 24027

ISO/IEC TR 24028

ISO/IEC TR 24029-1

ISO/IEC 22989

EU Harmonized Standards

COBIT Framework

All Standards

Webinars

Our Webinars


Other Resources

AI Trust Hub

eu_ai_act_1 (1)

Webinars

Learn More
ai_trust_hub_1

AI Trust Hub

Learn More

Explore Our Insights

Digital Trust

AI Trust

Data Privacy

AI Maturity

AI Safety and Robustness

EU AI Act

ISO/IEC 42001

Cybersecurity

Nemko Digital News

AI - Artificial Intelligence

AI Trust

EU AI Act

GPAI Code of Practice

Korean AI Trust Mark

Webinar Announcements

About us

About
Nemko Digital Learn about us here

careers-2

Careers
Contribute towards responsible AI

General Product Safety Regulation (GSPR)

Navigating the 2027 EU Machinery Regulation: A Guide for Manufacturers

Get ready for the EU Machinery Regulation (EU) 2023/1230: mandatory from January 20, 2027. Understand the new EU Machinery Regulation requirements for cybersecurity, AI, digital documentation, and conformity assessments to keep market access.

The EU Machinery Regulation (EU) 2023/1230, which becomes mandatory on January 20, 2027, supersedes the Machinery Directive 2006/42/EC, introducing critical new requirements for cybersecurity, AI, and lifecycle management that all manufacturers must address.

The European Union is implementing a landmark legislative update that reshapes the safety and compliance landscape for industrial equipment. The EU Machinery Regulation (EU) 2023/1230, which becomes mandatory on January 20, 2027, supersedes the Machinery Directive 2006/42/EC, introducing critical new requirements for cybersecurity, AI, and lifecycle management that all manufacturers must address.

 

From Directive to Regulation: Why This Shift Matters

EU Machinery Regulation Directive to Regulation
Figure 2: Key differences between the outgoing Machinery Directive 2006/42/EC and the new EU Machinery Regulation (EU) 2023/1230

 

The most significant architectural change is the move from a Directive to a Regulation. Unlike a directive, which requires individual member states to transpose rules into national law, a regulation is directly and uniformly applicable across all 27 EU countries. This eliminates the inconsistencies that arose from differing national interpretations of the previous Machinery Directive 2006/42/EC, which was adopted in 2006 with its application beginning in late 2009.

The core objective is to address the risks posed by emerging digital technologies that were not conceived when the previous directive was written. Modern machinery increasingly relies on software, connected sensors, and autonomous decision-making. The new framework integrates robust safeguards for these technologies, ensuring safety keeps pace with innovation.

 

Who Does the Regulation Apply To?

The Regulation covers a broad range of products placed on the EU market. This includes not only traditional machinery but also interchangeable equipment, safety components (now explicitly including software), lifting accessories, chains, ropes, and webbing, as well as removable mechanical transmission devices. Partly completed machinery is also within scope. Certain products are explicitly excluded, such as means of transport by air, water, and rail, although machinery mounted on those vehicles remains covered. The regulation applies to all economic operators in the supply chain, including manufacturers, importers, and distributors, each with clearly defined obligations.

 

Key Requirements and Obligations

The regulation introduces several new and expanded requirements with significant strategic implications for manufacturers and their supply chain partners. These centre on digital risks, clearer accountability, and updated conformity assessment procedures.

 

Cybersecurity as a Core Safety Requirement

Perhaps the most profound change is the elevation of cybersecurity to an essential health and safety requirement (EHSR). Manufacturers are now obligated to design products that are resilient against cyber threats that could compromise safety functions.

 

Section 1.1.9 — Protection Against Corruption: The Regulation explicitly states that machinery must be designed and constructed so that the connection to it of another device does not lead to a hazardous situation. Control systems and software must be secured to prevent tampering or unauthorized modifications.

 

This requirement aligns with the broader EU legislative push seen in the Cyber Resilience Act (CRA), which becomes fully applicable on December 11, 2027. Compliance will be guided by emerging harmonised standards, including prEN 50742 (currently under development for protection against corruption) and the widely recognised IEC 62443 series for industrial automation cybersecurity. As of late 2025, several major industry associations — including CECE, CECIMO, EGMF, and FEM — have formally requested a postponement of these specific cybersecurity provisions to align the timeline with the CRA, but a final decision from the European Commission is still pending.

 

New Rules for AI and Autonomous Systems

The Regulation introduces specific rules for machinery that incorporates Artificial Intelligence (AI) and machine learning. If an AI system performs a safety function, the machine is now classified as high-risk under Annex I. This designation mandates a more stringent conformity assessment procedure involving a third-party Notified Body, removing the option for self-certification. This is particularly relevant for manufacturers developing AI-embedded products that interact with safety-critical functions.

Two new categories have been added to the high-risk list specifically for AI-enabled machinery: safety components with fully or partially self-evolving behaviour using machine learning, and machinery with embedded AI systems ensuring safety functions. These provisions interact closely with the broader EU AI Act framework, which also classifies certain AI systems as high-risk.

 

The Concept of Substantial Modification

A crucial new obligation arises when a "substantial modification" is made to a machine already in service. If a modification is not foreseen by the original manufacturer and it affects the machine’s compliance with the essential health and safety requirements, for example, by creating a new hazard or increasing an existing risk. The person or entity performing the modification is considered a manufacturer and must assume all related obligations. This includes conducting a full conformity assessment and affixing a new CE marking.

 

Digital Documentation & the Omnibus IV Controversy

The Regulation permits manufacturers to provide technical documentation, instructions for use, and the EU Declaration of Conformity (DoC) in digital format. While this is a welcome change, the recent Omnibus IV proposal has created significant industry concern. As of February 2026, the proposal seeks to make digital DoCs mandatory from January 2027, but it excludes the machinery sector from the 24-month transition period granted to all other affected industries. In a joint statement on February 17, 2026, a coalition of major industry associations, including EGMF, FEM, and CECE, called this exclusion a significant departure from the negotiated text of the Machinery Regulation, which allows for either paper or digital DoCs. The associations argue that forcing a sudden shift to mandatory digital-only DoCs without a transition period imposes undue costs and legal uncertainty on a sector with long development cycles.

 

Redefined Economic Operator Duties

The Regulation clarifies the responsibilities for all actors in the supply chain, placing greater accountability on importers and distributors to verify compliance before products reach the market.

 

Manufacturers Integrate cybersecurity and AI risks into the core risk assessment. Conduct the appropriate conformity assessment procedure (third-party for high-risk categories). Provide documentation in a digital format (with paper copies available on request, pending Omnibus IV outcome). Assume full manufacturer liability for any "substantial modification.
Importers Verify the manufacturer has completed the conformity assessment and prepared all required documentation. Ensure their name and contact details are affixed to the product. Refuse to place non-compliant machinery on the market.
Distributors Act with due care to verify that the product bears the required CE marking and is accompanied by the necessary documents. Cooperate with market surveillance authorities to ensure non-compliant products are removed from the market.

 

The Challenge of Harmonised Standards

Achieving a presumption of conformity with the Regulation relies on using harmonised standards. Currently, there are over 800 harmonised standards listed under the old Machinery Directive, all of which must be reviewed and, where necessary, revised to align with the new requirements by the 2027 deadline. This massive undertaking by standards bodies like CEN and CENELEC is ongoing, but the tight timeline presents a significant challenge for both the standards bodies and the manufacturers who rely on them.

 

Enforcement, Penalties, and Key Dates

Enforcement is the responsibility of national market surveillance authorities in each EU Member State. They are empowered to check products, demand corrective actions, and impose penalties for non-compliance. Article 50 of the Regulation mandates that Member States establish rules on effective, proportionate, and dissuasive penalties.

The following table summarises the critical milestones for the transition, incorporating corrections from the official corrigendum of July 4, 2023:

 

June 29, 2023 Regulation published in the Official Journal of the EU.
July 19, 2023 Regulation entered into force.
October 20, 2023 Application date for Article 50(1), obligating Member States to establish penalty rules.
January 20, 2024 Rules for notifying authorities and Notified Bodies became applicable (Articles 26–42).
May 29, 2026 Amending Regulation (EU) 2024/2748 on internal market emergency procedures applies.
October 20, 2026 Deadline for Member States to notify the Commission of their penalty rules (Article 50(2)).
January 20, 2027 Full application date. The Machinery Regulation becomes mandatory; the old Directive 2006/42/EC is repealed.

Figure 1: Key milestones in the transition to the EU Machinery Regulation (EU) 2023/1230, from publication in June 2023 to full application in January 2027

 

Navigate the EU Machinery Regulation with Confidence

The transition to the new Regulation requires a strategic, proactive approach. Integrating cybersecurity into product design, updating technical documentation, managing AI-related conformity assessments, and ensuring supply chain compliance are complex undertakings. However, treating compliance as a strategic opportunity rather than a burden, can enhance product safety, build customer trust, and secure a competitive advantage in the European market.

Nemko Digital provides the expert testing, risk assessment, and advisory services that manufacturers need to navigate this transition effectively. While Nemko Digital is a Notified Body under the current Machinery Directive (2006/42/EC), and is pursuing designation under the new Regulation, we offer the support needed to prepare for the new requirements, from cybersecurity risk assessments to compliance advisory. Reduce risk, accelerate compliance, and bring safer, cyber-resilient machinery to the EU market with confidence.

Contact Nemko Digital today to discuss your compliance strategy and ensure you are ready for the 2027 deadline.

Future-Ready Solutions

Nemko Digital’s AI governance and regulatory compliance experts help organizations navigate current and upcoming regulatory frameworks, ensuring readiness for the future.

Contact Us

Future-ready solutions

Nemko Digital’s AI governance and regulatory compliance experts help organizations navigate current and upcoming regulatory frameworks, ensuring readiness for the future.
Contact Us

Get Started on your Digital Trust Journey

Contact Us