What does the Machinery Directive have to do with Cyber Security?
There are some sections in the European Machinery Directive that indirectly refer to cyber security.

The European Machinery Regulation (EU) 2023/1230 replaces the former Machinery Directive 2006/42/EC and regulates the safety requirements for machinery placed on the market within the European Union. While the original Machinery Directive primarily focused on physical safety aspects, the new Machinery Regulation explicitly addresses cyber security as an increasingly important aspect due to the growing use of connected and digital technologies in machinery.
In view of technological developments and the increasing relevance of cyber security, the Machinery Directive is constantly being revised and developed. The draft for a new Machinery Regulation (COM(2021) 202 final) aims to address current challenges, including cybersecurity. This new set of rules is expected to include clear requirements for protection against cyber threats, as connected machines are vulnerable to such risks.
The text of Regulation (EU) 2023/1230 mainly refers to machinery and not specifically to cybersecurity. However, there are some sections that indirectly relate to cybersecurity through protection against malicious interference. Particularly relevant are Sections 1.1.9 and 1.2.1, which deal with protection against corruption and the security and reliability of controls:
- Connections and interoperability: Section 1.1.9 also states that hardware components that are critical for connecting to or accessing the safety-related software must be protected against corruption. These protective measures are essential to ensure the integrity and security of communication, especially in networked environments, and can be verified by a penetration test.
- Risk assessment and risk reduction: According to the general principles for risk assessment in Annex III, Section 1.1, manufacturers must consider not only mechanical and physical risks, but also risks related to digital interfaces and possible cyber threats.
- Logging and verification: The Regulation states at various points that machines or their control systems must be able to collect evidence of lawful or unlawful interventions. This helps to trace cyber attacks and clarify responsibility.
- Software updates: The documentation and labelling of the software version required for the safe operation of a machine must be kept up to date and protected from fraudulent changes and unauthorised access.
- Cybersecurity certification: According to Article 20, there is a presumption of conformity for machines that have been certified under cybersecurity certification schemes in accordance with Regulation (EU) 2019/881 (the so-called Cybersecurity Regulation). This refers to the conformity certification in connection with digital risks.