Machinery Regulation FAQ: Cybersecurity evidence

Regulation (EU) 2023/1230 treats connected functions, safety software, control-system logic, and data integrity as machinery safety issues when corruption or malicious interference could create a hazardous situation.

Use this FAQ to decide what to keep in the technical file for Annex III protection against corruption and safety-related control-system evidence.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

For connected or software-enabled machinery, cybersecurity evidence should show how the manufacturer identified safety-critical software and data, protected them against accidental or intentional corruption, logged relevant interventions, and assessed whether control-system faults, logic errors, or reasonably foreseeable malicious attempts could lead to a hazardous situation.

Question 1

What cybersecurity evidence is needed for connected or software-enabled machinery?

The evidence should start with the Machinery Regulation safety question: could a connected device, remote communication path, software change, data change, or control-system logic failure create a hazardous situation? If yes, the cybersecurity record belongs inside the machinery risk assessment and technical documentation, not only in a separate IT security file.

Annex III section 1.1.9 requires protection against corruption for safety-critical signal or data hardware, software, and data. It also requires the machinery or related product to identify software necessary for safe operation and to collect evidence of legitimate or illegitimate interventions in relevant hardware, software, installed software, or configuration.

  • List each external connection, remote access route, safety bus, update path, configuration interface, and supplier component that can reach software or data relevant to essential health and safety requirements.
  • Identify the installed software needed for safe operation and keep a version record that can be produced in an easily accessible form.
  • Show how safety-critical software and data are protected against accidental or intentional corruption, including configuration changes and uploaded safety software.
  • Keep intervention evidence: authorised changes, unauthorised attempts where detectable, configuration modifications, firmware or software uploads, test results, and remediation records.
  • Tie each control to the machinery risk assessment, the relevant Annex III EHSR, and the design-verification evidence that shows hazardous situations are prevented.
Citations
Regulation (EU) 2023/1230 on machinery

Supports the protection-against-corruption evidence requirements in Annex III section 1.1.9 for connected devices, safety-critical hardware, software, data, installed software identification, and intervention evidence.

ISO/TR 22100-4:2018

Supports treating IT-security and cybersecurity threats as machinery safety considerations when they can influence machinery safety.

Question 3

How do standards and ISO/TR 22100-4 fit into the evidence file?

Use standards evidence carefully. A harmonised standard can support presumption of conformity only for the essential requirements it covers, and the Machinery Regulation also allows cybersecurity certificates or statements under an EU cybersecurity certification scheme to support Annex III sections 1.1.9 and 1.2.1 only to the extent their covered requirements match those sections.

ISO/TR 22100-4 is useful context because it is machinery-specific guidance for considering IT-security threats that can influence machinery safety. It should not be presented as a complete legal answer by itself; the evidence file still needs the product-specific Annex III mapping, risk assessment, test results, software identification, intervention logs, and standards coverage analysis.

  • Create an Annex III crosswalk showing which standard clauses, tests, or technical specifications cover section 1.1.9 protection against corruption and section 1.2.1 control-system reliability.
  • Mark gaps explicitly where an applied standard does not cover connected interfaces, software updates, configuration changes, malicious attempts, or self-evolving safety logic.
  • Keep the actual standard list, version, scope limits, test reports, supplier declarations, and any restrictions or assumptions together with the technical file.
  • If relying on a cybersecurity certificate or statement for Machinery Regulation evidence, document exactly which Annex III cybersecurity requirements it covers and which product versions, configurations, and safety functions are in scope.
Citations
Regulation (EU) 2023/1230 on machinery

Supports the limited presumption-of-conformity point for cybersecurity certification schemes and the need to map evidence to Annex III sections 1.1.9 and 1.2.1.

ISO 12100:2010

Supports using machinery risk assessment and risk reduction as the organizing frame for safety evidence.

ISO/TR 22100-4:2018

Supports the machinery-specific role of IT-security guidance while noting that it does not provide detailed implementation specifications.

Question 4

What should be avoided in Machinery Regulation cybersecurity evidence?

Avoid evidence that cannot be traced to a safety function or Annex III requirement. General IT policy, cloud security documentation, supplier marketing material, or a product-wide cybersecurity badge is weak if it does not show how corruption, software changes, data changes, or malicious attempts were assessed for the specific machinery configuration.

  • Do not treat CRA, NIS2, or enterprise security controls as substitutes for Annex III machinery-safety evidence unless the record explains the exact Machinery Regulation requirement they support.
  • Do not cite a standard without identifying the clauses, scope limits, product version, and EHSRs it covers.
  • Do not omit software and configuration intervention records for safety-critical functions merely because the change was made after release.
  • Do not rely on one historic test after changes to remote access, supplier components, software versions, safety logic, configurations, or operating modes.
Citations
ISO/TR 22100-4:2018

Supports avoiding overclaiming because the ISO technical report gives guidance and not detailed specifications for every IT-security implementation.

Primary sources

References and citations

iso.org
Referenced sections
  • Supports using machinery risk assessment and risk reduction as the organizing frame for safety evidence.
"risk assessment and risk reduction"
iso.org
Referenced sections
  • Supports avoiding overclaiming because the ISO technical report gives guidance and not detailed specifications for every IT-security implementation.
"guidance but does not provide detailed specifications"
eur-lex.europa.eu
Referenced sections
  • Supports keeping the evidence focused on Annex III machinery-safety requirements rather than broad cybersecurity program claims.
"hazardous situation"