Finally vacation season:
and then comes the new machinery regulation

Although the new European Machinery Regulation does not come into force until 2027, companies should start looking into it now, explains our columnist Siegfried Müller.

Vacation time at last. Most of you are probably thinking primarily about the sun, the sea, the beach or perhaps the mountains, and probably less about “what about my cyber security”. Or am I wrong? Nevertheless or perhaps because of this, the inevitable tips on cyber security for vacations appear in the relevant IT trade magazines just in time – every year – shortly before the longed-for start of the vacations. From “what to look out for before you leave the office” to “what can happen just before and during vacation”.

In all likelihood, you already know a lot of things. For example, you’d better not enter any confidential data on a page that doesn’t have a lock symbol – or even more strikingly, a “Not secure” symbol – in the browser bar. Okay. But the advice that it makes sense to create a backup before you go on vacation or that you should think carefully about what you communicate in the out-of-office message is more helpful – because both can get lost in the stress before the vacation.

And yet it’s obvious: when companies empty out during the vacation season, it’s the peak time for hackers – not least because they assume that not everything has been thought through in terms of cyber security.

In most cases, they are probably right in this assumption – but have you ever received a guidebook that provides similar advice on production and lists appropriate procedures for securing it during the vacation season?

You (hopefully) don’t expect this from me either. This subject area is too complex for that and, as has been proven, must be approached strategically, especially in view of advancing digitalization. This is precisely the reason for the new Machinery Regulation, which I would like to explain to you today. Why now of all times? Because at the moment, when things are a little quieter, you may have more time to take a closer look at the background.

What you should know about the new Machinery Regulation

First things first: the new Machinery Regulation (EU) 2023/1230 came into force on July 19, 2023. A transition period of 42 months is provided for its implementation. After that, its application is mandatory and replaces the Machinery Directive 2006/42/EC, which has been in force for 17 years. The path to the new central set of regulations was appropriate to the topic: The first draft of the new EU Machinery Regulation was published at the end of April 2021, and after the usual procedure – from the submission of possible amendment proposals to the conclusion of the trilogue negotiations in mid-December 2022 – the announcement in the EU Official Journal took place on June 29, 2023.

Although the EU Machinery Regulation does not represent a paradigm shift, it does involve some changes of practical relevance. A key feature is that the regulations have been adapted to take account of the risks and challenges – resulting, among other things, from increasing digitalization in the area of cyber security and from the use of new technologies such as AI in and for machine products – and thus ensure that they can be operated safely in the long term.

The EU regulation stands in the context of other new EU regulations, including the AI Act, which taken together regulate what could be important in the future for manufacturers, importers, (online) dealers, authorized representatives and distributors of machines. This applies, among other things, to the CE marking: The importance of this marking results from the fact that it is by no means a self-declaration, but the result of a conformity assessment procedure by the manufacturer.

The bottom line is that the manufacturer is responsible to the market surveillance authorities for ensuring that his product complies with all applicable legislation that requires the CE mark to be affixed.

Machinery Regulation in particular: Cyber security

One of the main changes in the regulations is that in the future, machine builders will not only have to meet all requirements in the area of safety, but that the regulation also extends the scope to include cyber security, meaning that machine builders will have to ensure the protection of control systems. Among other things, this means that measures must be taken to ensure that they cannot be tampered with.

Although no specific implementation instructions are defined in this regard, it follows from this that a risk assessment must be carried out by the manufacturer in order to be able to take cyber security measures by anticipating potential criminal acts or attacks by third parties so that machine safety can be adequately guaranteed. In addition, further documentation requirements can be conclusively derived from this.

There is still a need for clarification, for example, as to how the passage “meet the requirements” listed in the Machinery Regulation can be implemented. While the machine builder has always been able to precisely record safety requirements for a specific application as part of his risk analysis, this is not so simple in the context of machine safety. A wide variety of factors play a role here, since a machine is always integrated into an overall system – which is why it is necessary to approach the implementation of requirements holistically, which means that protection cannot be implemented as an isolated solution.

Conclusion: What is advisable now?

My most important advice in this context is that companies should now take a more in-depth look at this set of rules and the topic as a whole in a timely manner. In my opinion, it is also advisable to stay continuously up to date here in order to keep an eye on the changes that could result from this – for example, with regard to the classification of the criticality of the machines.

It is also essential to raise awareness of this issue among the company’s own employees so that they can positively support any changes that may be necessary. Under no circumstances should the time frame of three and a half years be overestimated – as we have already seen, unexpected events such as a pandemic or supply chain bottlenecks can suddenly demand all of our attention and the deadline is just around the corner, but preparations for the regulation are still in full swing.



The column was published in its original German version on
