By Pekka Alasaari, Senior Global Product Manager, Drive Products, ABB and Johanna Schüßler, Global Product Manager – Safety PLC, Drive Products, ABB
The EU Machinery Regulation (MR), coming into force in January 2027, is set to redefine the way machine safety and security are managed throughout Europe. Replacing the long‑standing Machinery Directive (2006), the new regulation removes the need for national variations and forms a single rulebook for all member states.
At its heart, the MR aims to modernise how machines are designed, assessed, and documented for safety. But at a time when production equipment no longer operates in isolation, the regulation takes on new significance. For connected and automated systems, it signals a shift in focus: proactive safety is the only real defence.
Connectivity brings responsibility
Under the MR, machine builders and operators must include cybersecurity risk assessments as part of their overall machine risk assessment. The goal is to pinpoint where and how a machine could be exposed to cybersecurity risks that might affect the safe operation of machinery.
To support this, the new EN 50742 Protection Against Corruption standard sets out how to run these assessments and what security features machines should have built in. For most manufacturers, following it will be the simplest way to tick the MR compliance box with confidence.
But the requirements go even further. Any component in a machine with safety software and/or safety parameters, such as safety PLCs or drive-based safety functions, will be expected to log safety‑related interventions automatically and to retain those records for at least five years. Each change – whether a safety software update or a change to a safety parameter – must be logged directly after the change happens.
According to the requirements of EN 50742, each machine or component must maintain a log of the most recent safety-related intervention for every category – including changes to safety parameters, safety software, and safety-related application software.
A narrowing window for preparation
For many companies, the challenge lies in finding the time and expertise to deliver compliance before the January 2027 deadline. Including cybersecurity threats in machine safety risk assessments is one step; demonstrating that the findings have been implemented is another. Some adjustments will be technical, while others will depend on internal processes: establishing how safety interventions are logged, where the data is stored, and so on.
Awareness is growing, but it remains worryingly low given how close the January 2027 deadline is now drawing. In recent months, we have seen more customers for our drive and PLC products reaching out with early questions, but mainly about how and when products will comply, rather than the deeper details of required improvements to risk assessments or documentation. The bigger industrial manufacturers with dedicated compliance teams are starting to prepare, but many smaller manufacturers are only now waking up to the fact that they need to act soon if they’re to be ready in time.
Complicating the picture further is the Cyber Resilience Act (CRA), which addresses broader network security across connected devices. But importantly, while the CRA and MR complement one another, they are not interchangeable. The MR covers machinery cybersecurity aspects only insofar as they affect health and safety; the CRA casts a wider net, touching on everyday products like mobile phones and laptops and their data integrity.
Sharing responsibility in a connected world
The MR sets clear expectations for manufacturers when it comes to designing and assessing their machines, but responsibility doesn’t end there. Once a compliant machine is installed, the end user also has obligations – especially if additional digital features are added later.
If an operator adds cloud connectivity or remote diagnostics to a machine that was originally commissioned in the Machinery Directive era, that change could constitute a substantial modification under the MR, triggering the need for a new round of assessment and documentation. Operators planning retrofits should plan ahead and start early. Each machine’s risk profile will differ depending on its function, environment, and connection points, so preparation takes time. Beginning sooner allows for proper evaluation and mitigation, rather than a last-minute scramble.
But in the rush to protect digital assets, it’s easy to forget that physical safeguards remain just as vital. Limiting access to control cabinets, managing user permissions, and restricting removable‑media interfaces are all part of keeping connected safety systems under lock and key. Equally important is network segmentation, a basic security practice that limits exposure by isolating network segments from each other.
How ABB is helping manufacturers prepare
Our aim at ABB is to ensure that our core automation components – PLCs, drives, motors, and related equipment – meet the new regulatory expectations and are backed by clear, security‑level documentation. ABB offers components pre-certified to EN 50742 that provide automatic logging of safety interventions and cover all MR-related requirements, simplifying compliance for machine builders and reducing the need for late‑stage redesigns.
While the industry moves toward secure‑by‑design devices, such as drives and PLCs expected to carry independent third‑party certification, technical compliance is only part of the equation. We are also supporting customers worldwide through ABB’s extensive service network, providing local-language guidance to help manufacturers understand and meet the regulation’s requirements.
From compliance to confidence
It’s tempting to view the Machinery Regulation as another administrative hurdle, but in reality, it’s laying the groundwork for a safer, more connected industrial ecosystem. Cybersecurity doesn’t hinder digitalisation, it enables it. And only when manufacturers can trust the integrity of their networks will data‑driven automation reach its full potential.
The next steps are clear: start risk assessing cybersecurity threats, start documenting them, and start early. Those operating and overseeing connected machinery who make cybersecurity part of everyday decision making will be better placed to meet the 2027 deadline, and to lead in the connected future that follows.