From January 20, 2027, the new EU Machinery Regulation will be binding in all EU member states – with far-reaching changes in the area of cybersecurity. Anyone who develops, imports, or distributes machines or networked products must take action now. This is because digital risks will be assessed just as strictly as mechanical hazards in the future.

Cybersecurity in the Machinery Directive is being redefined

The new Machinery Regulation replaces the previous Machinery Directive and significantly expands the concept of safety. Annex III, Section 1.1.9 in particular defines comprehensive requirements for the IT security of machines. The aim is to ensure the integrity, availability, and trustworthiness of digital components and data, even during operation.

Manufacturers are then obliged to:

  • Identify digital risks early on and evaluate them systematically

  • Implement protective measures that are fully functional and testable

  • Protect security-critical hardware and software from manipulation and corruption

  • Document changes to security-relevant software in a traceable manner

  • Equip machines with secure connectivity (e.g., through firewalls, encrypted communication, secure remote access)

The requirements for technical documentation will also be revised. In the future, declarations of conformity and operating instructions must be provided digitally. The following applies:

  • Exceptions may apply to machines used by laypersons or end users. In these cases, certain information must still be made physically available.

  • At the customer's request, the operating instructions must also be provided in paper form; the digital version does not completely replace the traditional documentation.

Manufacturers and operators are therefore obliged to ensure that digital documentation is legally compliant, transparent, and available at all times.

Testing and certification: More duties, more responsibility

The new regulation also tightens certification requirements for certain types of machinery and safety components with AI-based systems. Components that make safety-related decisions—for example, in the area of autonomous control or the detection of hazardous situations—are particularly affected.

A mandatory conformity assessment procedure is required if:

  • significant changes are made to a machine,
  • or modifications are made that affect the CE marking.

Manufacturers will therefore have to document, test, and verify much more carefully in future how their products meet the applicable safety and cybersecurity requirements—especially in the case of self-learning or networked systems.

Good to know: Testing processes, risk analyses, and safety certifications are nothing new to imbus. In regulated industries such as medical technology and the automotive sector, we have been successfully supporting companies for years in implementing complex safety requirements. These methods are well established for us—but for many machine manufacturers, they are new and highly relevant.

Talk to us as your experienced partner for security, compliance, and digitalization—we know what matters.

Our services: Security at all levels

As your partner for functional safety and IT security, we offer support throughout the entire product life cycle:

Risk assessment & consulting

  • Identification of digital hazards
  • Evaluation of testable protective functions
  • Limit determination and risk analysis in accordance with Annex III of the EU Machinery Directive

Testing of critical components

  • Penetration tests in networked environments
  • Security analyses (e.g., fuzz testing, vulnerability scans)
  • Evaluation of logging and detection mechanisms in accordance with the regulation
  • Implementation of fully functional and testable protective measures

Secure connectivity & logging

  • Testing of interfaces for access security
  • Load and performance testing
  • Support with the introduction of cryptographically secured change logs

Documentation & compliance

  • Consulting on the integration of requirements from the EU Machinery Directive and IEC 62443

Act now: Cybersecurity is becoming mandatory

Cybersecurity in the Machinery Directive is not a topic for the future—it already affects product development and system architecture today. Failure to provide evidence of appropriate protective measures may result in recalls or market access barriers.

We help you not only meet these requirements, but also use them to your competitive advantage.

Contact us for an initial consultation or a security check of your machines!

Your contact person at imbus

Mr. Tobias Esser