International Center for Quality Certification - ICQC
Skolas 63-19, Jūrmala, Latvija, LV-2016
Phone +371 203 99 443 (WhatsApp Viber) Email office@icqc.lv, kovalev@icqc.lv
Notified Body number: 2549

Software and cybersecurity of machinery and mechanisms, Regulation 2023/1230.

The Machinery Regulation stipulates that manufacturers must protect machinery and control systems from cyber threats. Cybersecurity was not directly addressed in the previous Machinery Directive, as it was not yet a priority issue in 2006.

Regulation 2023/1230 defines manufacturers' responsibilities for traceability and safety monitoring of machines throughout their life cycle, and introduces stricter requirements for machine labelling and for the provision of safety information (e.g. instructions), including in digital formats.

Intelligent machines and systems are closely linked to information technology. It has become easier for attackers to infiltrate automation and control systems, manipulate them and compromise the safety of equipment. If attackers succeed in exploiting a vulnerability, this can have devastating consequences for a company, ranging from production downtime to threats to people in the event of deliberate manipulation of safety measures. The provisions on cybersecurity are set out in Annex III to the Regulation.

The machine must be designed in such a way as to prevent subsequent unauthorized access. In this regard, the regulation requires the manufacturer to document which software and data are important for safe operation and what measures have been taken to protect them. The machine must also record changes to software and data. This rule applies regardless of whether these changes were made with or without authorization.

The manufacturer is also obliged to ensure the fault tolerance of the software and its control system, guaranteeing that the safety functions of the machine will always operate within the specified parameters. This applies not only to attacks, but also to intentional or unintentional changes made by users or administrators, as well as to self-learning systems based on artificial intelligence. The audit log must be stored and accessible for five years.

Machines are learning and becoming increasingly autonomous. Real-time information processing, problem-solving, flexibility, sensor systems, learning, adaptability and the ability to operate in unstructured environments (e.g. construction sites) are new digital functions that also bring new safety risks. And these risks increase as these technologies become more widespread. The likelihood of abuse is growing, and new attack surfaces are emerging.

The risks arising from new digital technologies are the focus of the Machinery Regulation. It introduces new cybersecurity obligations for machine manufacturers and other economic operators. The new regulation takes greater account of the digital and networked aspects of modern machinery.

Manufacturers must ensure that a thorough risk analysis is carried out, including potential cybersecurity risks. This analysis should identify potential threats related to unauthorized access, hacking or other cyberattacks.

Based on the risk analysis, appropriate technical and organizational measures must be implemented to minimize these risks. These include, for example, secure communication protocols, data encryption and access control.

Manufacturers are obliged to ensure the security of equipment throughout its entire service life. This includes releasing software updates to address security vulnerabilities and eliminate new threats.

It must be ensured that updates are authentic and have not been tampered with by third parties.
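As an added illustration (not part of this page or of any particular manufacturer's product), the following Python models the three requirements above: a documented inventory of safety-relevant software and data, an authenticity check on updates, and a hash-chained record of every change, whether it arrived through the update path or not. The file names, contents and key are constructed, and an HMAC stands in for the asymmetric signature a real vendor would use.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real manufacturer would use an asymmetric signing key.
UPDATE_KEY = b"constructed-demo-key-not-for-production"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(files: dict) -> dict:
    # Annex III: document which software and data matter for safe operation.
    return {name: sha256(content) for name, content in files.items()}


def sign_update(name: str, content: bytes) -> str:
    # Manufacturer side: authentication tag over file name and content.
    return hmac.new(UPDATE_KEY, name.encode() + b"\0" + content, "sha256").hexdigest()


class ChangeLog:
    """Hash-chained change record: editing any earlier entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        self.entries.append({"event": event, "prev": prev,
                             "entry_hash": sha256((prev + body).encode())})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or e["entry_hash"] != sha256((prev + body).encode()):
                return False
            prev = e["entry_hash"]
        return True


def apply_update(files, inventory, log, name, content, tag) -> bool:
    # Machine side: install only an authentic update, but log the attempt either way.
    ok = hmac.compare_digest(sign_update(name, content), tag)
    if ok:
        files[name] = content
        inventory[name] = sha256(content)
    log.append({"kind": "update", "file": name, "authentic": ok, "sha256": sha256(content)})
    return ok


def audit_drift(files, inventory, log) -> list:
    # Record changes that bypassed the update path (i.e. made without authorization).
    drifted = [n for n, h in inventory.items() if sha256(files.get(n, b"")) != h]
    for n in drifted:
        log.append({"kind": "unauthorized_change", "file": n, "sha256": sha256(files.get(n, b""))})
    return drifted
```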

Machines must be equipped with means of preventing unauthorized access, especially to safety-related functions and data. This includes, for example, password protection, user authentication and role-based access control.

Confidential data collected or processed during the operation of the equipment must be protected against unauthorized access. This also applies to personal data.

Manufacturers must provide detailed information on the cybersecurity measures implemented in the technical documentation for the machine.

Equipment operators must be informed of potential cybersecurity risks and the necessary protective measures. This includes providing instructions on safe use and update management.

Cybersecurity measures must take into account the entire service life of the device. Manufacturers must also develop plans in case support for the device is discontinued (release security updates for a certain period after the end of sales).

As part of the conformity assessment, manufacturers must demonstrate compliance with the cybersecurity requirements of the regulation. This can be done through a third-party assessment (e.g., by notified bodies) or through an internal conformity assessment, depending on the category of equipment.

These requirements are intended to increase the resilience of equipment to cyberattacks and to ensure the safety of operators and other persons who could be affected by them. Manufacturers should begin integrating these requirements into their design and manufacturing processes as early as possible in order to be ready for the entry into force of the regulation.
