EU Machinery Regulation 2023/1230. Deadline: 20 January 2027.
Replaces the Machinery Directive 2006/42/EC and is directly applicable in all Member States without national transposition. New requirements on AI, cybersecurity and remote software updates. IgeraIndustria helps you answer which ones apply to each of your machine families.
18 months to adapt your technical file
Regulation (EU) 2023/1230 requires no national transposition: from 20 January 2027 any new machine placed on the market must comply with it in full. Manufacturers with dozens of product families must act now.
20 Jan 2027
application deadline — 18 months to adapt from today
Mandatory cybersecurity
for machines with remotely updatable software (new Art. 10 and Section 1.1.9)
AI in machinery
requires additional risk assessment if the machine uses AI or machine learning (Annex I, 1.1.10)
Technical file
must now include cybersecurity risk analysis and software lifecycle documentation
Unlike a directive, Regulation 2023/1230 is binding in its entirety and directly applicable in all Member States from the day of its entry into application. There is no scope for partial national transpositions or country-differentiated timelines. All manufacturers placing machines on the European market share the same date: 20 January 2027.
What is new compared to Directive 2006/42/EC
Regulation 2023/1230 is not a minor revision: it introduces fundamentally new requirements for 21st-century connected, automated and intelligent machinery.
Direct regulation — no national transposition
Unlike Directive 2006/42/EC, the Regulation is directly applicable in all EU Member States from 20 January 2027 without the need for national transposition laws. Full legal uniformity across the entire Union.
AI and machine learning in machinery
New Annex I, Section 1.1.10. Machines incorporating AI systems that influence safety must include a specific risk assessment for the adaptive behaviours of the system throughout the lifecycle.
Cybersecurity and protection against tampering
New Art. 1.1.9. All machines with connectivity or remote access must protect their control systems against unauthorised access, ensure software integrity through digital signatures, and document all communication vectors.
Remotely updatable software
Machines whose software can be modified after being placed on the market must include in the technical file the secure update procedure, the version log, and the impact analysis of updates on safety.
Hazardous substances in machinery (new Annex I.1.7)
Reinforced requirements for machines that contain, process or emit hazardous substances. The manufacturer must assess potential exposure throughout the complete lifecycle (installation, maintenance, decommissioning).
Expanded technical documentation
The technical file must now include: cybersecurity risk analysis, software lifecycle documentation, AI risk assessment (where applicable), and instruction manual in digital format (Art. 10).
Manufacturer obligations under Regulation 2023/1230
Regulation 2023/1230 expands manufacturer obligations across six critical areas compared to the former Directive. IgeraIndustria answers what applies to each machine family.
Updated risk assessment including cybersecurity
The Annex I risk analysis must now incorporate a specific cybersecurity risk section, independent of the functional safety analysis. It must identify attack vectors, exposure surfaces and implemented countermeasures.
Renewed EU Declaration of Conformity
The Declaration of Conformity must reference Regulation (EU) 2023/1230 (not Directive 2006/42/EC). It must include the notified bodies involved in the assessment and the harmonised standards applied, updated to the new framework.
Mandatory digital instruction manual (Art. 10)
The Regulation makes the digital format of the instruction manual mandatory. The manufacturer may choose to supply it solely in digital format, but must make it available in paper form if the customer expressly requests it. A permanent access URL is required.
Software lifecycle analysis
For machines with embedded software, the technical file must document: software versions, update procedure, impact of updates on safety, and software support and end-of-life policy.
Post-market software modification log
Any software update after market placement must be recorded, assessed for its safety impact, and, if substantial, may require a new conformity assessment. The manufacturer must keep the log up to date.
Review of existing technical file
Manufacturers with machines already on the market under Directive 2006/42/EC that continue producing them after January 2027 must completely update the technical file for each model, incorporating all new Regulation requirements.
Timelines and transitional regime
The Regulation establishes a coexistence period with Directive 2006/42/EC and a transitional regime for already-certified machines. It is essential to know exactly what applies at each point in time.
Entry into force: 19 July 2023
Regulation (EU) 2023/1230 was published in the Official Journal of the EU (OJEU L 165/2023) and entered into force 20 days after publication. From that date manufacturers may voluntarily choose to certify under the new Regulation.
Mandatory application: 20 January 2027
From 20 January 2027, every new machine placed on the EU market must comply with Regulation 2023/1230 in full. Directive 2006/42/EC ceases to be valid for new machines from that date.
Directive 2006/42/EC valid until 19 January 2027
During the transition period (July 2023 — January 2027) both frameworks coexist. Manufacturers can certify under the existing Directive or get ahead and certify under the new Regulation. Both CE markings are valid during this period.
Machines certified before 2027: 2-year grace period
Machines that already hold CE marking under Directive 2006/42/EC before 20 January 2027 may continue to be placed on the market until 20 January 2029 without recertification, provided they have not undergone substantial modifications.
Recommendation: Manufacturers with multiple machine families should start now by inventorying affected models, identifying which incorporate connectivity, updatable software or AI functions, and prioritising the technical file update for the most complex machines. IgeraIndustria lets you run this analysis directly from existing technical documentation.
How IgeraIndustria accelerates your adaptation to Regulation 2023/1230
From the inventory of affected machines to the answer on which specific requirement applies to each model: all in seconds.
Index your existing technical files
Upload your current technical files (under Directive 2006/42/EC), instruction manuals and current declarations of conformity. IgeraIndustria processes them and creates a structured knowledge base by machine family.
Natural-language queries on the Regulation
“Does my CNC milling machine with remote access need a cybersecurity analysis?”, “What changes in the technical file of my hydraulic press?”. IgeraIndustria answers by citing the exact article of the Regulation.
Gap analysis by machine family
For each model or machine family, IgeraIndustria identifies which requirements of Regulation 2023/1230 are not covered by the existing technical file: cybersecurity section, AI documentation, software lifecycle.
Answers with exact article citation
Each answer references the article or section of Annex I of Regulation 2023/1230 where the requirement is established. Full traceability for the engineering team and the notified body.
Harmonised standard alerts
When CEN/CENELEC publishes new harmonised standards under Regulation 2023/1230, or the European Commission issues decisions on existing standards, IgeraIndustria alerts you and updates the knowledge base automatically.
IgeraIndustria in action — cybersecurity query Reg. 2023/1230
Query on cybersecurity requirements for a CNC milling machine with remote access, answered with an exact reference to the Regulation article.
Product Engineer
What cybersecurity requirements does the EU Machinery Regulation 2023/1230 impose on a CNC milling machine with remote access?
IgeraIndustria
Reg. (EU) 2023/1230 — Annex I, Section 1.1.9 — Cybersecurity
APPLICABLE REQUIREMENTS (machine with remote access):
- Protection against unauthorised access to control functions (Art. 1.1.9.a)
- Software integrity: digital signature of updates (Art. 1.1.9.b)
- Document all communication ports and protocols in the technical file
- Cybersecurity risk analysis separate from functional safety analysis
- Manual must include: secure update instructions + vulnerability contact
⚠ If the CNC uses AI for cutting optimisation: also apply Section 1.1.10 (AI)
✓ Reg. (EU) 2023/1230 · Published OJEU L 165/2023 · Applicable 20/01/2027
45
employees in manufacturing
28
machine families to adapt
6 months
to complete the adaptation
We had 28 machine families certified under Directive 2006/42/EC, some with remote connectivity and others with adaptive control functions. When Regulation 2023/1230 was published we needed to know exactly what changed for each model. IgeraIndustria let us query the Regulation directly against our technical documentation. We completed the technical file adaptation for all 28 families in 6 months, with the certainty that every new requirement was covered and documented.
*Representative testimonial based on results from real clients
Frequently asked questions — EU Machinery Regulation 2023/1230
What happens to machines already certified under Directive 2006/42/EC?
Machines that obtained CE marking before 20 January 2027 under Directive 2006/42/EC may continue to be placed on the market during a transitional period of 2 years after the Regulation comes into application, i.e. until 20 January 2029. After that deadline, any new machine placed on the market must comply with Regulation (EU) 2023/1230 in full. Existing models in stock that already held CE marking pre-2027 do not require recertification provided they have not undergone substantial modifications.
When exactly do I have to apply the new regulation?
Regulation (EU) 2023/1230 entered into force on 19 July 2023 (20 days after its publication in the OJEU L 165/2023). However, its mandatory application does not begin until 20 January 2027. This means that between July 2023 and January 2027 both regulatory frameworks coexist: a manufacturer may choose to certify its machines under the new Regulation or continue using Directive 2006/42/EC. From 20 January 2027 only the Regulation is valid.
Does it apply to machines with AI even if they do not update software remotely?
Yes. Regulation 2023/1230 introduces Annex I, Section 1.1.10, specifically for machines incorporating AI or machine-learning systems, regardless of whether software is updated remotely. If the machine uses AI for safety-relevant decisions —such as automatic adjustment of process parameters, anomaly detection or adaptive control— a specific risk assessment for that AI functionality must be included, documented in the technical file.
Does the conformity assessment procedure change?
The Regulation retains conformity assessment procedures similar to the Directive but introduces important nuances. For machines with cybersecurity and AI, the notified body (NB) must specifically verify the cybersecurity risk analyses and documents on the software lifecycle. In addition, the instruction manual in digital format becomes mandatory (Art. 10), although it must also be provided in paper form on request from the customer.
Does the CE marking change under the new regulation?
The CE marking symbol itself does not change visually. What changes is the content of the EU Declaration of Conformity that accompanies it: it must reference Regulation (EU) 2023/1230 instead of Directive 2006/42/EC. The mandatory content of the technical file also changes: it must now include the cybersecurity risk analysis, software lifecycle documentation and, where applicable, the specific AI risk assessment.
Are harmonised standards already published for Reg. 2023/1230?
At the date of publication of the Regulation (July 2023), the European Commission initiated the process for standardisation bodies (CEN/CENELEC) to develop harmonised standards under the new Regulation. Existing EN standards under Directive 2006/42/EC continue to serve as useful technical references, but their presumption of conformity to Regulation 2023/1230 will depend on their update or on the publication of an explicit Commission decision in the OJEU. IgeraIndustria alerts you when new harmonised standards are published.
IgeraIndustria plans — Machinery Regulation
No lock-in. Cancel anytime.
Starter
For manufacturers with a limited range of machines and basic adaptation needs for Regulation 2023/1230.
- Up to 10 indexed machine families
- Regulation (EU) 2023/1230 pre-indexed
- Directive 2006/42/EC for comparison
- 500 queries/month
- Basic gap analysis
- Email support
Professional
For manufacturers with multiple machine families, some with connectivity and updatable software.
- Up to 50 machine families
- Regulation 2023/1230 + harmonised standards
- Cybersecurity analysis per model
- CEN/CENELEC standard alerts
- 3,000 queries/month
- Priority support
Enterprise
For industrial groups with dozens of machine families, international presence and management of multiple notified bodies.
- Unlimited machine families
- Multi-plant and multi-country
- PLM/ERP integration
- Unlimited queries
- SLA 99.9% uptime
- Dedicated customer success
Start today preparing your technical files for 20 January 2027.
- 14-day free trial — no credit card required
- Regulation (EU) 2023/1230 and Directive 2006/42/EC pre-indexed from day 1
- Upload your existing technical files for gap analysis
- Automatic alerts when new harmonised standards are published
