The new regulation retains and refines the scope of machine-safety regulation. It applies to:
Machinery in the strict sense (assemblies with moving parts or energy input)
Related products, including:
Interchangeable equipment
Safety components (including software-based safety components)
Lifting accessories, chains, ropes, webbing, removable transmission devices
Partly completed machinery (i.e. an assembly meant to be integrated into or assembled with other machinery)
Software and digital aspects of machinery (control, updates, connectivity)
Cybersecurity / protection against corruption (i.e. ensuring that software attacks cannot compromise safety functions)
Some categories are explicitly excluded or handled under other EU legislation:
Aeronautical products, motor vehicles, tractors etc. (if covered by separate sectoral rules)
Household appliances, general audio/video, IT equipment, ordinary office machines (unless they fall into the category of additive manufacturing machinery) — insofar as they fall under the Low Voltage Directive or Radio Equipment Directive.
Spare parts (unless they are safety components)
Thus, the regulation does not dramatically expand the product types regulated, but rather expands the risk aspects to be considered (e.g. software, connectivity, cybersecurity).
While much of the fundamental structure remains, several significant changes are introduced to modernise the rules for digital, AI and connectivity risks:
Conformity assessment and classification of high-risk machinery
The previous Annex IV (Directive) is restructured into Annex I (divided into Part A and Part B) in the new regulation.
Machines listed in Annex I Part A require mandatory involvement of a Notified Body (third party) in conformity assessment—manufacturers cannot simply self-declare.
Annex I Part B is closer to older procedures (similar to previous Annex IV) for lower risk categories.
For machines not in Annex I, conformity assessment under Article 25(4) applies (internal production control, etc.).
A new “unit verification” route is introduced: conformity can be assessed per individual machine (rather than type) for certain complex cases.
Substantial modification / significant changes
The regulation defines “substantial modification” and sets out when a changed machine must be re-evaluated and re-declared as a new machine.
If an operator makes modifications that affect compliance, that operator becomes (legally) the manufacturer of the modified machine.
Digital documentation, instructions & declarations
The regulation allows (and encourages) technical documentation, operating instructions, declarations of conformity, and assembly instructions to be provided in digital form, e.g. via integrated software, QR codes, data carriers, or online.
Documents must be accessible for at least 10 years or for the entire expected service life of the machine.
There are rules on how digital access should be provided (e.g. even when the machine is offline) and on providing paper copies on request.
Cybersecurity / protection against corruption
A new provision requires that machines’ safety functions not be compromised by intentional or unintentional cyberattacks (sometimes called “protection against corruption” in the regulation).
Manufacturers must design machines to resist IT-based threats that could interfere with safety.
AI / learning systems & safety relevance
The regulation makes special mention of systems that use machine learning or have autonomous behavior, particularly when they affect safety functions. Such systems may trigger higher scrutiny or require Notified Body involvement.
There is emphasis on explainability, decision traces, and assurance that the system remains within intended boundaries.
Stronger market surveillance & obligations on economic operators
The regulation tightens the obligations of manufacturers, importers, distributors, and authorized representatives (collectively “economic operators”).
Member States must collect and report data on accidents, incidents, and risks related to machinery.
The regime for penalties and enforcement is more clearly defined within the regulation itself (rather than left to national laws) in many respects.
Alignment with the New Legislative Framework (NLF)
The regulation better aligns machinery regulation with the broader EU “New Legislative Framework” for product regulation (e.g. consistency in conformity assessment modules, CE marking rules).
Where harmonised standards exist, they will provide presumption of conformity, but those standards may need updating to cover new requirements (e.g. cybersecurity, AI).
Under the new regulation, different actors have explicit responsibilities:
Manufacturer: design, construction, conformity assessment, technical documentation, CE marking, instructions, ensuring compliance over the life cycle.
Authorized representative: where designated, can take on certain tasks (e.g. keeping documentation, interacting with authorities) under a written contract.
Importer: ensures that imported machinery meets requirements, that documentation is available, that instructions are in appropriate languages, and that operators in the EU can enforce obligations.
Distributor: must verify that machinery bears CE marking, that instructions are present, that storage/transport do not degrade compliance, and must act if they believe machinery is non-compliant.
If an operator or user makes substantial modifications, they may become the “manufacturer” under the regulation, bearing corresponding obligations.
Gap analysis & early planning: Many manufacturers need to review their existing machinery, risk assessments, software, cybersecurity measures, digital documentation systems, etc., to identify gaps.
Harmonised standards update: Existing standards may need revision or new standards developed to cover the expanded technical requirements (e.g. AI, cybersecurity).
Involvement of Notified Bodies: Certain machinery will require third-party conformity assessment. Manufacturers should prepare by identifying suitable notified bodies and beginning liaison early.
Digital systems: Investment in systems to host/manipulate technical files, user manuals, software updates, version control, online access, QR codes, etc.
Cybersecurity & software assurance: Incorporating security-by-design in control systems, with threat analysis, validation, and robustness testing against IT attacks.
Rework of modification policies: Clear policies and traceability for changes, to assess whether they are “substantial modifications” requiring reassessment.
Staff training & awareness: Engineering, QA, regulatory, legal teams must understand the new requirements, especially for software, connectivity, and safety liability.
Time buffer: The transition period is limited; by 2027 it becomes mandatory. Use the years ahead to phase in compliance.
