EU Machinery Regulation 2023/1230 Explained: What Machine Builders Need to Do Before 20 January 2027

Jure Špeh Co-founder and CTO MSc of Electrical Engineering, building AI tools that turn video recordings into structured work instructions and SOPs.

5/13/2026

A plain-English guide to Regulation (EU) 2023/1230 on machinery for OEMs and machine builders. Scope, key dates, digital instructions, cybersecurity, and a practical checklist.

TL;DR

Regulation (EU) 2023/1230 replaces the old Machinery Directive 2006/42/EC. It applies on a mandatory basis from 20 January 2027.
It covers anyone placing machinery on the EU market: manufacturers (OEMs), importers, distributors, and in some cases system integrators who modify a machine after it shipped.
The biggest day-to-day change for OEMs: instructions for use can now be digital by default. Paper is only required if the user asks for it at purchase, or for non-professional users.
New essential requirements cover cybersecurity in machine safety functions, AI and self-evolving behaviour, autonomous mobile machinery, and ergonomics.
“Substantial modification” is now defined in the regulation (Article 3(16)). Anyone who modifies a machine in a way that adds a new hazard becomes the new manufacturer for that part of the line.
Fines are set by each Member State but are expected to track NIS2 levels (up to €10 million or 2% of global turnover).
42 months sounds long. Rewriting manuals, re-running conformity assessment, and adding cybersecurity controls is not. Start now.

What this regulation is, in one paragraph

The EU Machinery Regulation 2023/1230 is the new rulebook for any machine, safety component, lifting accessory, chain, rope, removable transmission device, or partly-completed machinery that gets placed on the EU market. It replaces Directive 2006/42/EC, which has not been updated in any meaningful way since 2009. The Commission ran an impact assessment in 2020 as part of the “Europe fit for the Digital Age” programme and concluded that the old directive had five gaps: emerging tech (AI, IoT, robotics), unclear definitions, weak rules for high-risk machines, no path to digital manuals, and member states interpreting the directive differently. 2023/1230 fixes those.

I’m writing this for OEMs and machine builders who keep getting forwarded LinkedIn posts about the new regulation and want a real answer to “what do I actually have to do, and by when.” If that’s you, keep reading.

Who has to comply

The regulation applies to economic operators along the supply chain:

Manufacturers (OEMs). You design and build the machine. You carry most of the burden: conformity assessment, technical documentation, EU Declaration of Conformity, CE marking, instructions for use.
Authorised representatives. Non-EU manufacturers must appoint one inside the EU.
Importers. You bring non-EU machinery into the EU market. You verify the manufacturer did their job and keep records for 10 years.
Distributors. You sell the machine downstream. You verify CE marking, the EU Declaration of Conformity, and that instructions for use are provided.
Anyone performing a “substantial modification.” New under 2023/1230. If you retrofit, integrate, or upgrade a machine in a way that introduces a new hazard or increases an existing one and requires new protective measures, you become the manufacturer for the modified part. This catches system integrators, in-house automation teams, and retrofit projects that used to slip through.

If you are a 30-person SME building special-purpose machinery for European customers, this regulation applies to you. If you are a US or Asian OEM exporting one assembly line a year to Germany, it applies to you. If you are a food producer that buys machinery and then has a third party retrofit it with an AI vision system, the substantial-modification rule probably applies to that retrofit.

For a deeper breakdown of how this affects manufacturing operations, see our industry guide.

The dates you need to remember

Date	What happens
29 June 2023	Regulation published in the Official Journal
19 July 2023	Regulation enters into force
July 2025	Member States start providing data on machinery-related incidents
July 2026	First Member State report on effectiveness of Articles 6(4) and 6(5)
October 2026	Member States must notify the Commission of their penalty rules
20 January 2027	Mandatory application date. All new machinery placed on the EU market must comply with 2023/1230

Machinery placed on the market before 20 January 2027 stays under 2006/42/EC and does not need re-certification. Machinery placed on the market on or after that date must carry an EU Declaration of Conformity under 2023/1230. There is no overlap period where you can choose. Pick one regime per machine based on the placement date.

A regulation, unlike a directive, has no national transposition. The same text applies in all 27 Member States and EFTA countries from day one. Less room for “the German interpretation” vs “the French interpretation” arguments.

What actually changed (the four shifts that matter)

1. The annexes were reordered

The old Annex I (essential health and safety requirements) is now Annex III in 2023/1230. The new Annex I is “categories of machinery or related products” and is split into Part A (high-risk, third-party conformity assessment) and Part B (high-risk, but self-certification is possible if you follow harmonised standards). Annex II is the indicative list of safety components. Annex IV covers technical documentation. Annex V covers the EU Declaration of Conformity and Declaration of Incorporation. Annexes VI to IX cover the conformity assessment modules.

If your compliance documentation references “Annex I” of the old directive, every mention needs to be updated to “Annex III” of the new regulation.

2. New essential health and safety requirements

Annex III adds clauses that did not exist in the old directive:

Ergonomics (1.1.6) now explicitly covers how operators interact with machinery that has fully or partially self-evolving behaviour. AI cobots, in other words.
Protection against corruption (1.1.9) is the cybersecurity clause. Hardware and software components that affect safety must resist accidental and intentional corruption, and the machine must keep a tamper-evidence log of legitimate and illegitimate interventions.
Safety and reliability of control systems (1.2.1) explicitly mentions “reasonably foreseeable malicious attempts from third parties.” Cybersecurity is now treated as a machine safety problem, not just an IT problem.
Autonomous mobile machinery (3.6.3.3) adds requirements specific to mobile robots and AMRs.

The clause that makes most OEMs nervous: software and data critical for safety must be identified, protected, and the machine must collect evidence of any modification. That data has to be retained for one year for software-based safety systems, and version history retained for five years after every safety-software upload. This is a real engineering and documentation lift.

3. AI and self-evolving behaviour are in scope

For the first time, machines with safety functions that use machine learning or self-evolving behaviour are explicitly regulated. Annex I Part A lists “safety components with fully or partially self-evolving behaviour using machine learning approaches ensuring safety functions” and “machinery that has embedded systems with fully or partially self-evolving behaviour using machine learning approaches ensuring safety functions.” Both go through third-party conformity assessment.

The regulation also says these systems “shall not cause the machinery or related product to perform actions beyond their defined task and movement space.” If you are building a vision-guided robotic cell with a model that updates in the field, you need a documented task-and-movement boundary the model cannot exceed.

4. Substantial modification is now legally defined

Article 3(16) defines a substantial modification as a physical or digital change to placed-on-market machinery that introduces a new hazard or increases an existing risk and requires new protective measures. Whoever performs that modification is treated as the manufacturer of the modified portion and has to re-run conformity assessment for that part. It does not require redoing the entire line.

This is a big deal for system integrators and for in-house automation teams. If your retrofit adds a new robot arm with a different workspace, that part of the line needs its own DoC and CE marking. The catch: if you are not careful, you can become liable for compliance you did not plan for.

Digital instructions for use: the change that hits docs teams hardest

Under the old directive, instructions for use were almost always paper. A few national authorities tolerated digital, but the directive itself did not provide clear cover. 2023/1230 fixes this. The headline rules:

Digital is the default. Manufacturers can provide instructions for use, the EU Declaration of Conformity, and certain other information in digital format.
Paper on request, free of charge. If a user requests paper at the moment of purchase, the manufacturer must provide it free of charge within one month.
Safety information for non-professional users stays on paper. If your machine reaches consumers or non-trained users, the basic safety info ships on paper.
Available for 10 years minimum. Digital instructions must remain accessible online for the expected lifetime of the machinery, and at minimum for 10 years after placement on the market.
Language of the user. Instructions must be in a language that can be easily understood by the user, as determined by the Member State where the machine is placed on the market.
Accessibility. The user must be told how to access digital instructions on the machine itself (a label, a QR code, a clear pointer) and the format must be downloadable and printable.

Read that list and what it really says is: you need a content system, not a folder of PDFs on a shared drive. You need versioning so the link points to the current revision. You need multilingual output that is consistent across 20+ Member State languages. You need to keep the content live for at least a decade. You need a fallback to PDF for paper-on-request.

This is exactly the gap most OEMs hit when they look at their current process.

What “substantial modification” actually looks like

Three quick scenarios from machine builders I’ve talked to:

You retrofit a 2018 packaging line with a new vision system and a faster conveyor. New hazard (faster reach for operators, new pinch points), new protective measures needed. The retrofit becomes a substantially modified machine. You, the integrator, are the manufacturer for that retrofit and need to run conformity assessment on the modified part.
You update the firmware on an AI quality inspection cell to a model that now controls a reject pusher. Digital modification with new hazard scope. Substantial. Re-assessment required for the safety chain of that subsystem.
You replace a worn sensor with an equivalent part on the same machine. Not a substantial modification. No new hazard, no new protective measures.

The line is “new hazard or increased existing risk requiring new protective measures.” Document the change. If you cannot defend the answer in writing, you are not done.

Fines and penalties

Article 50 leaves each Member State to set fines and penalty rules. The Rockwell Automation guide notes the expectation that these will align with NIS2, which allows fines up to €10 million or 2% of global annual revenue, whichever is higher. Member States had until October 2026 to notify the Commission of their penalty framework, so by the time the regulation applies in January 2027 you will know your exposure per country.

The market surveillance authorities can also order machinery off the market and require corrective action. Brand damage from being on a public non-compliance list is usually a bigger problem than the fine itself.

A practical checklist for machine builders

If your machines reach the EU market and you have not started yet, here is the order I would work in:

Inventory your current machinery. For each model, identify whether it falls under Annex I Part A or Part B of 2023/1230, or neither.
Map your current Annex I (old) references to Annex III (new). Every doc that references “essential health and safety requirements” needs to be re-anchored.
Run a gap analysis on the new EHSRs. Ergonomics (1.1.6), cybersecurity (1.1.9), control systems (1.2.1), autonomous mobile (3.6.3.3). Document where you already comply and where you do not.
Plan the conformity route. If you build anything in Annex I Part A, you need third-party assessment. Find your notified body now; their calendars fill up.
Run a cybersecurity vulnerability assessment. Hardware and software components that affect safety functions, network exposure, tamper evidence, software version logging.
Decide your digital instructions strategy. Where will manuals live? What is the URL or QR code on the machine? How will users request paper? How will translations be kept consistent across languages? How will you keep them online for 10 years?
Update technical documentation under Annex IV. This is the internal compliance file (design, risk assessment, test reports, standards used). It is not the same as the operator manual.
Update the EU Declaration of Conformity template to reference 2023/1230 instead of 2006/42/EC. Effective for machines placed on the market on or after 20 January 2027.
Train your integrators and after-sales team on substantial modification rules. If they retrofit a machine in the field, they may be triggering a new conformity assessment without realising.
Set up a process to keep instructions current. When the machine changes, the digital manual has to change too. See our guide on keeping work instructions up to date.

Where SOPX fits in this picture

A direct disclosure: I am cofounder of SOPX, which is a digital instructions and SOP platform. SOPX does not replace your CE conformity assessment, your notified body, your technical documentation under Annex IV, or your cybersecurity audit. Those are engineering and certification activities. What SOPX does is solve the operator-facing instructions for use side of 2023/1230, which is where most OEMs lose months of time.

Here is the honest mapping:

2023/1230 requirement (instructions side)	How SOPX helps
Digital instructions, accessible via URL or QR code	Every SOP gets a public link and QR code the moment you enable it
Paper version on request, free of charge	One-click export to PDF or Word from any SOP
Available online for 10+ years	Hosted SaaS, links remain stable as content versions update
Language of the user (multilingual EU)	AI translation into 50+ languages with side-by-side review (not just Google Translate)
Always the current revision	Version control built in; published link always serves the latest approved revision
Convert existing PDF manuals to digital	Import a PDF, AI extracts text, images, and structures the content into steps
Convert build-time video to a procedure	Upload a phone or screen recording, get a structured SOP in under 10 minutes
Operator can read on the floor without an account	Public link works on any browser, no login, no app install

For the customer side, this means an operator scans a QR code on the machine and sees the current version of the manual in their own language, on their own phone, with no account. For the OEM side, you maintain one source of truth per procedure, push translations once, and keep the same link live for the life of the machine.

What SOPX does not do, and you should not buy it expecting:

It is not a CE marking tool. It does not generate Declarations of Conformity.
It is not a notified body. It does not perform conformity assessment.
It is not a PLC code analyser. It does not assess your safety control system.
It does not store your Annex IV technical documentation. That is a different system.

If your problem is “we need to turn 80 paper manuals into multilingual digital instructions that meet the new 2023/1230 rules and can be accessed from a QR code on every machine,” that is exactly what SOPX is built for. If your problem is “we need a notified body for a Part A machine,” that is not us.

Start free at app.sopx.io or contact us at [email protected]. Trial includes 10 AI-generated SOPs and 3 translations. No credit card.

Frequently asked questions

Is the EU Machinery Regulation a directive or a regulation?

A regulation. That matters. A directive needs national transposition, which is how the old 2006/42/EC ended up with country-specific quirks. A regulation applies directly in every Member State on the same day with the same text. From 20 January 2027 there is one rulebook, not 27.

Does 2023/1230 apply to machinery I built before January 2027?

No. Machinery placed on the market before that date remains under Directive 2006/42/EC and does not need re-certification. The new regulation kicks in for machines placed on the market on or after 20 January 2027.

What counts as “placing on the market”?

The first time the machine is made available on the EU market for distribution or use. For an OEM, that is usually the delivery to your first EU customer. Internal use, prototypes, and demos do not count.

Can I provide instructions for use as a PDF on my website?

Mostly yes. A PDF on a website meets the “digital format” requirement, but you also need to: tell the user how to access it (label or QR code on the machine), provide a paper copy free of charge on request, keep it online for at least 10 years, and offer it in the language of the Member State where the machine is sold. A flat PDF on a website does not handle multilingual or version control well, which is why most OEMs move to a structured digital instructions platform.

What’s the difference between instructions for use and technical documentation?

Instructions for use are what the operator reads to use the machine safely (Annex III content). Technical documentation (Annex IV) is internal: design files, risk assessment, test reports, harmonised standards used, conformity assessment records. Different audience, different system, different rules.

Do I need a notified body?

Only for machinery listed in Annex I Part A, or for Annex I Part B machines that you do not build to harmonised standards or common specifications. Machinery not listed in Annex I can self-certify (Module A in Annex VI), with a strong preference for using harmonised standards.

What about substantial modification by my end customer?

If your customer modifies the machine in a way that adds a new hazard requiring new protective measures, they become the manufacturer for that modification. You as the OEM are off the hook for the modification, but only for the modified part. Document delivery condition clearly so the line of responsibility is obvious if something goes wrong later.

Is cybersecurity now mandatory for every machine?

Cybersecurity requirements in Annex III apply where they are relevant, which is broadly any machine with network connectivity, software-based safety functions, or remote access. For an unconnected mechanical press, the cybersecurity clauses have limited bite. For a connected line with a remote monitoring portal, they apply in full.

Does 2023/1230 require AI for machinery?

No. The regulation regulates AI in safety functions when it is present. It does not require it. If your machine has no machine-learning components in safety-related functions, the AI clauses simply do not apply.

Sources and further reading

Regulation (EU) 2023/1230 official text on EUR-Lex
EU-OSHA: Regulation (EU) 2023/1230 on machinery
European Commission: Mechanical engineering / machinery
Rockwell Automation, A Guide to the Machinery Regulation (EU) 2023/1230: Key Changes and Challenges (Publication OEM-SP123A-EN-P, August 2024)

Get started with digital instructions

If your team is staring down a stack of paper manuals and a January 2027 deadline, the smallest sensible first step is to digitise your highest-impact procedure and see how it lands with your operators.

Try SOPX free for 14 days. Import an existing PDF or film a process with a phone. No credit card required.