EU Machinery Regulation 2023: New challenges for machine manufacturers, system integrators, and operators

Digitalisation, new developments such as artificial intelligence or autonomous machines, as well as requirements for cyber security and safety have made it necessary for the EU to revise the Machinery Directive 2006/42/EC, which has been in force since 2006. Its aim is to harmonise the fundamental health and safety requirements for machinery in the EU.

The new EU regulation on machinery products was approved by a large majority and will come into force on 14 January 2027. Thus, there is a transitional period of three and a half years until its mandatory application. It is recommended to find out now about the exact requirements of the new Machinery Regulation and the specific norms and standards that are relevant for the respective area of application.

Safety and security as major goals of the EU Machinery Regulation

The new EU Machinery Regulation poses new challenges for machinery manufacturers and operators. It requires manufacturers, system integrators, and operators to fulfil obligations for the safe manufacture, commissioning, operation and maintenance of machines and associated products. Safety and security go hand in hand. Safety refers to the protection of people, machines and the environment from risks and damage. Industrial Cyber Security refers to the protective measures and strategies aimed at securing critical industrial infrastructures and systems from cyber-attacks.

There are also links between machine manufacturers and machine operators: once the manufacturer has handed over the safe machine, the operator is responsible for its safety. Likewise, importers and distributors are held accountable to distribute only compliant products.

OT security standards und good practices

“The goal is a holistic approach to protect people, machines and the environment from risks and damage with the help of safety measures and strategies“, Herbert Dirnberger, Industrial Cyber Security Expert at IKARUS, explains the concept of Security for Safety. To ensure the safety integrity of industrial automation and control systems, it is necessary to implement protective measures that protect safety-critical processes from unintentional errors, technical failures, human error, but also cyber-attacks.

For the practical approach, Herbert Dirnberger recommends a clear focus and orientation on Good Practices: “Rely on homogeneous standards, for example with OPC UA (Open Platform Communications Unified Architecture) with TLS encryption, an open communication standard to securely exchange information between devices, machines, and systems. Use safe real-time protocols such as Profisafe, CIP Safety, FsoE or Safetynet-p and allow degrees of freedom in product selection. In addition, follow proven industrial cyber security concepts such as Defense in Depth or secure by design, e.g. according to IEC 62443.”

Important aspects in protecting machinery and equipment from cyber-attacks

1. Risk assessment
   The risk assessment required for the EU Machinery Regulation must also consider possible future risks – for example from autonomous behaviour, software installations or updates. In addition, it is necessary to safeguard against risks that may arise from intentional or unintentional manipulations, i.e., from cyber-attacks as well as from human error.
2. Security measures
   Appropriate security measures include, for example, managing access rights, storing log files, setting up backup systems and determining suitable storage locations. The manufacturer must consider in advance future requirements arising from subsequent use and system integration. Also, there is a need to take measures to protect against deliberate malicious acts by third parties as well as unintentional misconduct by employees.
3. Norms and standards
   For industrial networks, automation and control systems, the standards of the IEC 62443 series are particularly relevant. They describe, for example, the process of risk analysis and define requirements for the safe development and integration, system architecture, safety functions as well as the safe operation of such systems.
4. Training and awareness
   Employees should be regularly trained and made aware of cyber security risks to identify potential vulnerabilities and respond appropriately. Modern technologies developed specifically for use in industrial systems can help companies make all assets, protocols, and communication processes in their industrial networks visible and more secure.

Prioritise and integrate OT security

Industrial cyber security is becoming increasingly important as, on the one hand, the volume and severity of cyber threats increases and, on the other hand, regulations such as the EU NIS2 Directive and the EU Machinery Regulation demand adequate security in industry. Close cooperation between automation engineers, network engineers, OT and IT security experts is crucial to meet the challenges of today’s industrial world.

This might also interest you:
Who takes care of security in the OT?
Cyber Threat Intelligence for OT and Critical Infrastructure

Sources:
https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32023R1230
https://www.tuvsud.com/en/press-and-media/2023/may/important-changes-for-manufacturers-and-operators
https://www.produktentwicklung.ihk.de/produktmarken/ce-kennzeichnung/leitfaden-eu-maschinenverordnung-5549614