Increased cyber security standards required by new machinery regulation

Against the backdrop of increasing digitalization, software components in machines and devices are taking up more and more space. The EU has responded to this with the new Machinery Regulation (MVO), which replaces the previous Machinery Directive after a transitional period. This regulation requires dealers, manufacturers and operators to make appropriate adjustments, with TÜV SÜD providing important tips for practical implementation.

One striking aspect of the regulation is the replacement of printed operating instructions with QR codes that refer to digital versions. Printed instructions will only be provided by the manufacturer at the express request of the customer. However, according to Regulation 2023/1230 (MVO), paper instructions are still required for machines that are operated by laypersons.

Numerous system components are affected

The latest Machinery Ordinance (MVO) addresses the growing risks posed by advancing digitalization, cybersecurity threats and the use of artificial intelligence (AI). It aims to better protect machines against misuse and fraud, problems that are inextricably linked to the digital transformation. This regulation was introduced to provide an effective response to these threats and ensure comprehensive protection.

The scope of the MVO is far-reaching and covers numerous types of equipment - from machines such as agitators, pumps and compressors to distillation, filtration and separation equipment. Pedelecs for internal operation and lifting equipment are also subject to this regulation. Electrically adjustable desks also fall under the regulations of the new MVO.

The new MVO addresses the increasing risks in the areas of digitalization, cyber security and artificial intelligence (AI).
Source: AdobeStock / Attasit

A significant change in the new Machinery Ordinance (MVO) is the clearly defined responsibility for its implementation. The regulation addresses manufacturers, dealers, importers and authorized representatives of machinery. In addition, operators who make “significant changes” to a machine are legally treated as manufacturers. “Significant change” also includes the modification of software. This means that operators who make changes to the factory settings of a machine after purchase must familiarize themselves in detail with the provisions of the MDR.

Retrofitting with additional software has increased

The new Machinery Ordinance (MVO), which came into force in July 2023 and replaces the previous Directive 2006/42/EC, will only become fully applicable after a transitional period of 42 months, i.e. from January 20, 2027. Despite this deadline, TÜV SÜD recommends preparing for the upcoming changes now in order to minimize potential safety and liability risks in the event of damage.

As digitalization progresses, the MVO now views machines together with their sensors and associated software as an integrated unit. The integration of networked sensors and additional software has increased vulnerability to cyber attacks, particularly in the chemical and process industries and in mechanical engineering. MVO is adapting the legal framework in line with technological developments.

The regulations on cyber security, including control systems and the artificial intelligence used, are being tightened. The MVO places particular focus on autonomous machines, remote-controlled devices and collaborative robots, known as cobots. It requires that all machines are designed in such a way that they are protected against both intentional and unintentional manipulation, including manipulation that could take place via remote access. These specific requirements are listed in Annex III Part B of the MD, among others.

The MVO came into force in July 2023 and replaces the previous Machinery Directive 2006/42/EC from January 20, 2027.
Source: AdobeStock / Attasit

However, the new Machinery Ordinance (MVO) provides some relief with regard to cybersecurity: If a certification or a declaration of conformity in accordance with the European Cybersecurity Act 2019/881 already exists, the requirements of the MVO with regard to cybersecurity are deemed to be fulfilled. In this case, it is assumed that the specific requirements set out in sections 1.1.9 and 1.2.1 of the MDR are met. This makes it easier for companies to comply with the regulatory requirements without having to undergo additional certification procedures.

Experts advise checking the MVO regularly

The Machinery Ordinance tightens the safety requirements for certain categories of machinery, which are listed in Annex I Part B and divided into six risk categories. Machines that fall into these categories due to their high risk potential must undergo a stricter conformity assessment, which cannot be carried out internally but must be carried out by a notified body to ensure compliance with the highest safety standards.

In particular, systems that use artificial intelligence and machine learning for critical safety functions and evolve autonomously fall under this requirement. Other examples of machines that require an external assessment are removable drive shafts with guards, vehicle maintenance lifts and fastening and assembly devices equipped with magazines for screws or nails.

TÜV SÜD experts recommend regularly reviewing the annex to the Machinery Directive, as the list of machines that require an assessment by a notified body is continuously updated. Although the MDR has many similarities with the previous Machinery Directive, the new regulations on cybersecurity and the use of AI represent significant innovations.

It is therefore advisable for company decision-makers to prepare for these changes at an early stage. A reassessment of existing machines is often necessary, whether due to software changes or the integration of new AI systems. A proactive approach can help to minimize safety and liability risks in the event of damage.