
The EU Machinery Regulation: what you need to know


The new EU Machinery Regulation comes into force in January 2027 and has potentially far-reaching consequences for machine-builders, particularly when it comes to cybersecurity. ABB UK’s industrial automation product manager, Carl Eely, explains some of the key points.

The EU’s Machinery Regulation (Regulation (EU) 2023/1230) comes into force on 14 January 2027. It supersedes the Machinery Directive 2006/42/EC. At first glance, it may seem like a logical progression, with the usual expansion of scope and greater conformity requirements for health and safety.

However, whereas previously the directive’s focus was on physical machine safety, the new regulation links safety inextricably with cybersecurity. Furthermore, this is not merely a box-ticking exercise – it fundamentally changes how machine design needs to be approached. PLCs and drives, as connected components at the heart of many modern machines, sit squarely within its scope.

Machine-builders will have to carry out cybersecurity risk assessments, identifying where and how their systems might be exposed to the threat of cyberattacks. A risk assessment in itself is not hugely onerous, and it doesn’t necessarily have to be carried out by a third party (although this may be advisable if your organisation lacks in-house cybersecurity expertise). The risk assessment may reveal that the cybersecurity provisions for a machine are solid, and no specific actions are required.

A machine that operates entirely offline, for example, might need little more than a certificate of its isolation. However, any machine with remote access, network connections or cloud-based functions will need evidence that its digital defences are solid and fit for purpose. It should also provide any recommended mitigation measures for end-users.

Even if the assessment requires no further action, this needs to be documented. However, this is where the regulation makes things slightly easier, with fully digital documentation now allowed. The intent of the regulation is to encourage deliberate and well-justified choices, rather than simply ticking a box.

The wider shift here is to encourage consideration of cybersecurity at the earliest stages of machine development, as well as throughout its lifecycle. One of the most straightforward ways to meet the new requirements is to use components that already comply. Reputable vendors will be able to advise on relevant products and how to implement them.


