Safely leading machines into the future

EU machinery regulation: What applies from 2027

In 2027, no machine manufacturer will be able to ignore it: The new EU machinery regulation overhauls safety standards - with implications for design, software, and AI. Forward-thinking is required now, instead of battling risks later.

The EU Machinery Regulation (EU) 2023/1230 is fully mandatory from January 20, 2027. It defines requirements for the safety of machinery and related products as well as partially completed machinery. The regulation (abbreviated MVO, from the German Maschinenverordnung) includes numerous new provisions that manufacturers, operators, dealers, and importers must prepare for early.

What is behind the new machinery regulation?

With the EU Regulation 2023/1230, a new chapter in European mechanical engineering begins. From January 20, 2027, it will be mandatory - replacing the well-known Machinery Directive 2006/42/EC. What reads like a classic update on paper has significant implications in practice: for the first time, topics such as cybersecurity, artificial intelligence and the digital handling of sensitive information take center stage in machinery certification.

Not only classic machines are covered. Software components with safety functions, partially completed machinery or even significantly modified existing machines also come into focus. TÜV Süd has taken a closer look at the changes:

Where do risks need to be reassessed?

Mechanical engineering has learned to deal with classic sources of danger - rotating parts, pressure, temperature, mechanical stress. But the new regulation goes further. It requires a comprehensive risk assessment that treats digital threats equally:

  • What happens if a machine is hacked?

  • What dangers lurk in software updates?

  • How can manipulation from the outside be technically prevented?

The MVO demands clear answers - and requires precise documentation of all protective measures. So, those who have only focused on technical safety must now fully include IT security and digital processes.

EU Machinery Regulation: An overview of the seven fields of action of the MVO:

  1. Expand risk assessment to include digital hazards

  2. Implement and demonstrate cybersecurity technically

  3. Certify AI systems separately and independently

  4. Document machine changes in a legally sound manner

  5. Protect digital operating instructions from manipulation

  6. Elevate CE marking to new standards

  7. Continue to train teams and strengthen risk competence

Why is cybersecurity becoming mandatory?

What was previously considered optional is now mandatory: Machines must be built in such a way that safety-relevant functions are protected from manipulation, sabotage, or unauthorized access - whether from inside or outside.

This specifically means:

  • Software, firmware, and network interfaces must be protected against unauthorized alteration,

  • Security measures such as firewalls, access controls, or authentication must be technically implemented and documented,

  • Companies must proactively analyze potential threat scenarios and derive protection concepts from them.

Cybersecurity thus becomes a real interface between development, IT, and risk management.

What will apply to AI in machines in the future?

Learning systems are considered the hope of the industry - and at the same time a security risk. The MVO classifies AI systems with safety-related tasks into their own risk category. This means:

  • These machines require a separate conformity assessment procedure,

  • An independent review by a notified body is mandatory - even if there are (still) no harmonized standards,

  • Manufacturers must also consider future requirements for “responsible AI use” - looking beyond the horizon is therefore mandatory.

Exciting: TÜV SÜD has already developed testing procedures with which such systems can be evaluated - even without applicable standards. This allows innovation projects to be secured before they end up in regulatory no man's land.

When does the operator become the manufacturer?

One of the biggest legal pitfalls of the new regulation lurks in the details: Anyone who significantly modifies a machine - whether mechanically, electrically, or digitally - automatically becomes its manufacturer in the legal sense.

The consequence:

  • The full responsibility for safety, testing, and CE conformity is transferred,

  • All requirements of the new MVO must be met,

  • Topics such as cybersecurity and AI testing must also be reassessed.

What was previously accomplished with a quick modification or a software update becomes a highly regulated measure. Therefore, always consider legal aspects when making changes.

Why digital operating manuals need protection now

The digital operating manual replaces the printed handbook - this sounds practical but brings new obligations, because the manual contains safety-critical information and must not be tampered with or altered.

Technical measures that must now be implemented:

  • Access protection (e.g., through password-protected platforms),

  • Version security and change documentation,

  • Encryption of sensitive content.

This makes the operating manual an integral part of machine safety.

Why the CE mark has new conditions

The well-known CE mark is also getting an update. In the future, the rule will be: No cybersecurity proof, no conformity. The requirements for CE documentation are increasing significantly. Among other things, it requires:

  • Proof of cyber risk analyses,

  • technical protection concepts against attacks,

  • procedures for secure software and firmware maintenance.

This turns a familiar symbol into a comprehensive security promise.

What modern risk management must look like

The new MVO makes it clear: Reactive measures are no longer sufficient. Risk management must be proactive, holistic, and continuous. Especially regarding digital risks and AI, companies need new structures:

  • Departments for cybersecurity in mechanical engineering,

  • interdisciplinary training concepts,

  • ongoing further qualification in standards, technology, and law.

With material from TÜV Süd

FAQ on the EU Machinery Regulation 2023/1230

What is the EU Machinery Regulation (MVO)?

The MVO is the new European legal basis for the safety of machinery and replaces the previous Machinery Directive 2006/42/EC from January 20, 2027.

Who is the new regulation for? 

It affects manufacturers, operators, dealers, and importers - for machinery, partially completed machinery, software components with safety functions, and significantly modified machinery.

What are the biggest innovations? 

The regulation adds new obligations for cybersecurity, the handling of artificial intelligence, and the protection of digital operating instructions, along with expanded requirements for CE marking.

What applies to machines with AI functions? 

Machines with safety-relevant, self-learning components require an independent conformity procedure and must be independently tested by a notified body.

When is a change considered “significant”? 

As soon as modifications or software changes are safety-relevant, the change can be considered significant. In this case, the company becomes the legally responsible manufacturer.

Can the operating instructions only be digital in the future? 

Yes, but only on the condition that the digital instructions are secured against manipulation, loss, and unauthorized access.

What changes with the CE marking?

The CE marking will in the future require proven protection against cyberattacks. Existing processes and technical documentation must be updated accordingly.

When does the regulation come into force?

The MVO is already in force but will be mandatory from January 20, 2027.

Are there transitional periods?

There is currently no transitional period. Companies are well advised to prepare now to avoid later certification pressure.
