Cybersecurity, today, is the safety of people

What changes for manufacturers and users under the Machinery Regulation 2023/1230

OT Cybersecurity and the Machinery Regulation (EU) 2023/1230

When an IT system is compromised in an office, the consequences remain digital. When the same kind of attack hits the control system of an industrial machine, the consequences leave the screen: they can disable safety functions, trigger dangerous movements, block emergency stops.

OT cybersecurity, which concerns the operating systems of plants, the PLCs, the field networks and the remote connections, has a direct impact on the physical safety of the people who work with those machines. The Machinery Regulation (EU) 2023/1230 has formalised this link, introducing for the first time specific requirements on the protection of software, control systems and critical data.

Quadro elettrico macchinario
Tecnico che analizza codice o interfaccia software su schermo

The perimeter of the machine has widened

The Machinery Directive 2006/42/EC was conceived for mechanical and electromechanical machinery. The text contained no explicit references to software, connectivity, artificial intelligence or cybersecurity. For twenty years, that part of the risk remained in a grey area.

The Machinery Regulation (EU) 2023/1230, which will apply from 20 January 2027, fills this gap. Embedded software, OT networks, remote access: the Regulation treats them as machine components in every respect, with the related design and safety obligations.

The new EHSR 1.1.9, Protection against corruption, states that machinery must be designed and constructed so that connections and remote access cannot allow the alteration of safety functions or the generation of hazardous situations. The requirement covers three distinct areas:

Further reading

SAFETY and SECURITY: two distinct concepts

In industrial machinery with digital components and connectivity, functional risks (safety) and cyber risks (security) can no longer be managed as separate domains.

Unauthorised access, a configuration change or an uncontrolled software update can affect the behaviour of the machine and therefore the safety of operators.

In Regulation (EU) 2023/1230, safety and security converge.

Safety

What it protects: Operators from the hazards arising from the operation of machinery.

Reference: Regulation (EU) 2023/1230.

Examples: Guards, barriers, emergency stop.

Type of measure: Physical and/or electronic.

Security

What it protects: Machinery and data from tampering and unauthorised access.

Reference: Cyber Resilience Act (EU) 2024/2847.

Examples: Authentication, encryption, firmware updates.

Type of measure: Technical and procedural.

Security

What it protects: Machinery and data from tampering and unauthorised access.

Reference: Cyber Resilience Act (EU) 2024/2847.

Examples: Authentication, encryption, firmware updates.

Type of measure: Technical and procedural.

Safety

What it protects: Operators from the hazards arising from the operation of machinery.

Reference: Regulation (EU) 2023/1230.

Examples: Guards, barriers, emergency stop.

Type of measure: Physical and/or electronic.

In other words, from 2027 it will not be enough to design a machine that is safe from a mechanical, electrical or functional point of view. It will be necessary to demonstrate that software, networks, connected devices and digital access cannot compromise the safety functions provided for by the design.

A machine may comply with the traditional safety requirements, but if it is vulnerable to IT manipulation that alters functions, parameters or control logic, the overall level of safety is compromised. The protection of people and the protection of digital systems thus become parts of the same risk management process.

The other novelties of the Regulation concerning software

EHSR 1.1.9 is not the only relevant point.

The Regulation addresses the software theme more broadly.

It requires control systems to be designed in a safe and reliable manner, including those that integrate evolving software or artificial intelligence.

Changes in the behaviour of the machine, even generated by self-adaptive systems, must be managed so as not to generate hazardous situations.

The Regulation introduces a clear definition for the first time.

A modification is substantial when it affects the safety of the machine by creating a new hazard or increasing an existing risk.

The novelty compared to the Directive is explicit: the modification may occur “by physical or digital means”. A software update that alters the behaviour of the safety system falls within this definition.

In Annex II of the Regulation, the list of safety components, software that ensures safety functions appears for the first time. Software of this kind, if placed on the market separately, will have to be CE marked and accompanied by an EU declaration of conformity and instructions for use.

The same obligation applies to safety components with self-evolving behaviour based on machine learning.

Tecnico che analizza codice o interfaccia software su schermo
Persona davanti a quadro elettrico

How we handle this part

The digitalisation of machinery has made OT cybersecurity an integral part of risk assessment. This means addressing the cybersecurity aspects relevant to the safety of people and to the regulatory compliance of the machine.

Our approach is calibrated on the real perimeter of the plant and on the applicable requirements. We keep the focus on the OT systems of the machine, away from IT activities that are not pertinent.

The services we offer on this front:

Contact our Safety Engineers

Fill in the quick form and speak with an expert straight away

Scroll to Top
Ask for your free quote!
Ask our safety engineers

    Please send us your design or layout
    Upload your projects in PDF, DWG, STP, JPG, PNG, CSV, XLSX, WORD, zip or rar format
    PLEASE NOTE: You can only upload a single file, with a maximum size of 8 MB. If you have more than one file, please send them in a compressed folder.




    * = mandatory field

    Ask for your free quote!
    Ask our safety engineers

      Please send us your design or layout
      Upload your projects in PDF, DWG, STP, JPG, PNG, CSV, XLSX, WORD, zip or rar format
      PLEASE NOTE: You can only upload a single file, with a maximum size of 8 MB. If you have more than one file, please send them in a compressed folder.




      * = mandatory field