Machinery Regulation (EU) 2023/1230 is already being reduced online to a lazy shortcut: the EU rules for AI in machines. It sounds modern. It is also misleading. The regulation is not a general AI law for factories, and it does not pull every analytics tool, OEE dashboard, or predictive maintenance model into the CE process. What it actually asks is much more concrete and much more demanding: can software, data, connectivity, remote access, updates, configuration changes, or self-changing behaviour affect machine safety and put a person into a hazardous situation? That is the real line. If a digital function can change the behaviour of the machine, the control system, or a safety function, the issue is no longer just IT. It becomes a machine safety issue, and the manufacturer or integrator has to show that it was assessed and controlled.
That is why the old habit of asking whether the components already have CE is not enough. A machine is assessed as a whole. Once components are assembled, connected, updated, or integrated with external systems, new risks can appear. Risk assessment is where those risks have to be found, explained, and reduced.
Machinery Regulation (EU) 2023/1230 is not an AI law
Start with the myth, because it is everywhere. If a machine uses AI, do we automatically have a conformity problem? No. That is the wrong starting point.
A system can analyse production data, estimate downtime, predict failures, calculate OEE, or recommend process settings and still have no role in a safety function. In that case, the label AI does not magically turn it into a safety component. The regulation does not care about buzzwords. It cares about whether the function can affect safe behaviour of the machine and human exposure to risk.
The right question is blunt: can this system, connection, or change alter machine behaviour in a way that creates a hazardous event? That question belongs to risk assessment, not marketing slides, not digital transformation slogans, and not a generic IT checklist.
This is where the regulation is more precise than the public debate. AI matters under the regulation in a specific technical context: where a safety component, or a system embedded in a machine, has fully or partially self-evolving behaviour using machine learning and provides a safety function. That is a serious conformity topic. But that is not the same as saying the regulation governs AI in factories as such. It governs machines and safety components where machine learning affects safety.
Ask who or what can change machine behaviour
That is the practical test. Not whether a machine has AI. Not whether SCADA is connected. Not whether remote access exists. Not whether the machine was relocated. The real issue starts when behaviour, operating conditions, or the human interaction with the machine changes.
Take a simple example. A machine has remote service access. Somebody exploits a vulnerability, uses weak account protection, or simply uploads the wrong PLC program. At first glance everything still looks fine. Guards are still in place. The emergency stop button is still red. The component declarations are still sitting in the file. The nameplate still looks professional.
But the machine may now behave differently. Motion sequences may change. Stop delay may change. Speed may change. Restart conditions may change. Guard opening response may change. A limitation that previously reduced risk may disappear. Calling that only an IT incident is too weak. If the result can be unexpected movement, failure to stop, unexpected restart, or human access to a danger zone, then the machine risk assessment now includes a potential hazardous event.
The same logic applies to SCADA. If SCADA only reads data, the safety impact may be limited. It still needs checking, but observation alone does not automatically change machine safety. If SCADA can change recipes, parameters, operating modes, permissions, cycle order, or restart conditions, the story changes. That is no longer passive monitoring. That is external influence over machine behaviour. Once that influence exists, it belongs inside the risk assessment.
Relocation is another trap. Moving a machine is not always a substantial modification. But a machine designed and assessed for one environment may face different hazards in another. If it is relocated to a region where seismic conditions are relevant, stability and mechanical strength may require additional protective measures. The documentation cannot pretend the machine still operates under the original machine limits. It was not designed in a vacuum, and risk assessment cannot be either.
What Machinery Regulation (EU) 2023/1230 really changes
The regulation does not reinvent conformity from zero. Intended use, reasonably foreseeable misuse, technical documentation, instructions for use, declarations, and the hierarchy of protective measures were already part of the Machinery Directive 2006/42/EC. The big change is not that risk assessment suddenly exists from 2027 onward. It already existed. The change is that the regulation gives real legal weight to things too many projects used to treat as extras: software, data, digital safety functions, autonomous behaviour, remote start, connectivity, and protection against digital interference.
In other words, the machine is no longer treated mainly as mechanics, drives, guards, and an electrical cabinet. The machine is treated as a connected technical system whose safety may depend on software logic, sensor data, updates, configuration, communication, and resistance to intentional or accidental digital manipulation.
1. Software is no longer a side note
One of the most practical changes appears in the definition of a machine. A machine can fall within scope even where the application-specific software intended by the manufacturer is not yet installed. That matters a lot. It ends the fiction that software is always something outside the machine.
If the machine can only perform its intended use after installation of specific software, that software is not decoration. It is part of what determines function, behaviour, and safety. So the real question is not only whether the mechanical build is complete. It is whether the software that makes the machine perform as intended has been considered in conformity assessment. If not, the file may describe a model of a machine, not the machine the user will actually put into service.
2. A safety component can be digital
This change looks innocent until you apply it. A safety component may be physical or digital, including software. That is a major shift in mindset. If software performs a safety function, it is not just the controls programmer's code. It becomes part of the safety architecture.
That brings hard questions with it. Who supplied it? Which version is installed? Who can change it? Is the change controlled? Is there a trace of interventions? Can an update modify the safety function? Can the technical documentation show how conformity was achieved? Many companies will struggle here not because their engineers are weak, but because their documentation still treats software decisions as invisible background work.
3. Cybersecurity now enters machine safety
This point needs precision. The regulation does not turn every machine builder into a cybersecurity service provider. It does not require manufacturers to pretend they are running SOC or MDR operations. But it does say something very important: if accidental corruption, intentional interference, data manipulation, software alteration, or external digital influence can lead to a hazardous situation, then cybersecurity becomes part of machine safety.
You can see this in the requirements for protection against corruption and for the safety and reliability of control systems. A machine must be designed so that connection to another device, or to a remote communicating device, does not create a hazardous situation. Software and data relevant to conformity must be identified and protected. Interventions in software or configuration should leave a trace. Control systems have to withstand not only foreseeable faults, but also reasonably foreseeable malicious attempts by third parties to cause a hazardous situation.
That is a real shift. Writing "remote access is protected by a password" in the file is not enough. You need to show whether remote access can affect safety-related behaviour at all. If it can, the risk and the protective measures have to be documented. If it cannot, that conclusion also needs a technical basis. This is exactly where ISO 12100 and IEC 62443 meet in practice.
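One way to make "identified, protected, and leaving a trace" concrete, as an added example that is not part of the original article or of the regulation text: a hash-chained intervention log that identifies each safety-relevant artifact by SHA-256 and flags installed software or configuration that no logged intervention accounts for. The artifact names, actors, and contents are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first log entry


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(log, actor, artifact, content, reason):
    """Append an intervention record chained to the previous entry."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "artifact": artifact,
            "sha256": digest(content), "reason": reason, "prev": prev}
    entry_hash = digest(json.dumps(body, sort_keys=True).encode())
    log.append({**body, "entry_hash": entry_hash})
    return log[-1]


def verify_chain(log):
    """Return the index of the first entry whose hash or link is wrong, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or entry["seq"] != i:
            return i
        if digest(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None


def untraced_changes(log, installed):
    """Artifacts whose installed content does not match the last logged hash."""
    last = {}
    for entry in log:
        last[entry["artifact"]] = entry["sha256"]
    return sorted(name for name, content in installed.items()
                  if last.get(name) != digest(content))


def demo():
    # Constructed sample data: names, actors and contents are illustrative only.
    log = []
    v1 = b"safety_plc v1: stop_delay_ms=120"
    v2 = b"safety_plc v2: stop_delay_ms=120; guard_b added"
    append_entry(log, "oem-commissioning", "safety_plc.prog", v1, "baseline")
    append_entry(log, "oem-commissioning", "drive_limits.cfg", b"max_speed=250", "baseline")
    append_entry(log, "integrator-jk", "safety_plc.prog", v2, "validated change")
    # Installed state: PLC program matches the log, drive limits changed with no record.
    installed = {"safety_plc.prog": v2, "drive_limits.cfg": b"max_speed=400"}
    drift = untraced_changes(log, installed)
    intact = verify_chain(log)
    # A rewritten historical record (actor changed) breaks the stored entry hash.
    tampered = [dict(e) for e in log]
    tampered[0]["actor"] = "unknown"
    return drift, intact, verify_chain(tampered)


if __name__ == "__main__":
    print(demo())
```

The chain only exposes edits if the latest entry hash is anchored somewhere the person editing the log cannot reach, for example signed or stored off the machine; otherwise the whole chain can be recomputed.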
4. Technical documentation must prove the reasoning
Under the new regime, technical documentation cannot be a pile of drawings, declarations, and a generic risk table assembled to satisfy a file request. It has to show how the manufacturer thinks about the machine.
For machines and related products, the technical documentation includes the description of the machine and its intended use, the risk assessment documentation, the applicable essential health and safety requirements, the protective measures adopted, drawings, diagrams, calculations, test results, instructions for use, component declarations, and measures ensuring conformity of production. Where relevant, it also has to address source code or programming logic for safety-related software, and it has to describe sensor-based, remotely controlled, or autonomous systems where safety depends on sensor data, together with system characteristics, capabilities, limitations, data, and validation processes.
That is the end of the old habit of dumping files into a folder and calling it a technical file. The documentation now has to demonstrate understanding.
5. Annex I part A and part B change the conformity logic
The old market reflex was to think in terms of the old high-risk annex. Under the regulation, Annex I divides categories of machines and related products into part A and part B. That is not just a renumbering exercise.
Part A is the tougher category. It includes, among other things, safety components with fully or partially self-evolving behaviour using machine learning that provide a safety function, and machines incorporating such systems in relation to those systems. It also includes classic machine categories that have nothing to do with AI. So no, part A is not just about AI. Anyone saying that has not read far enough.
For part A, ordinary internal production control is not the default escape route. You are looking at conformity assessment paths involving a notified body, such as module B plus C, module H, or module G. Part B covers many familiar higher-risk categories where internal production control may still be possible if the machine is designed and manufactured in accordance with harmonised standards or common specifications that cover all relevant requirements.
6. Digital instructions for use and declarations are allowed, but only on strict terms
This sounds like simple good news, and it is, but only if the fine print is taken seriously. Instructions for use and the EU Declaration of Conformity may be provided in digital form. However, they must be accessible in the way indicated on the machine, product, packaging, or accompanying document. They must be possible to print, download, and save. They must remain available online for the expected lifetime of the machine and for at least 10 years after the machine is placed on the market or put into service.
That is not the same as uploading a PDF to a forgotten page on a company website. Digital documentation creates new organisational obligations. It does not remove old legal ones.
7. Importers and distributors are not bystanders anymore
The regulation spells out the duties of economic operators far more clearly. Importers must check whether the manufacturer carried out the proper conformity assessment procedure, prepared the technical documentation, affixed CE marking, supplied the required documents, and provided the necessary identification and contact details. Distributors also have to verify key formal points before making a machine available on the market.
This does not turn the distributor into the designer of the machine. But it does remove a lot of room for convenient ignorance. And if the importer or distributor places the product on the market under its own name or modifies it in a way that may affect conformity, manufacturer obligations can land on that party very quickly.
8. Autonomous mobile machinery is treated as a serious safety case
The regulation explicitly addresses the autonomous mobile machine, the supervisor, and the supervisory function. That matters because the risk is not just that something moves. The real questions are who or what decides movement, how persons and obstacles are detected, what happens when communication is lost, whether operation without active supervision is possible, and whether the supervisor has meaningful awareness of the machine situation.
On a conventional machine, risk assessment can easily focus on visible hardware. On an autonomous machine, you have to go deeper into decision logic, sensing, area limits, obstacle handling, and the changing human role.
Why ISO 12100 becomes even more important under Machinery Regulation (EU) 2023/1230
Some people talk as if software and cyber risk have replaced classic machine safety logic. They have not. If anything, ISO 12100 becomes more important, not less. It gives the structure you still need: machine limits, intended use, reasonably foreseeable misuse, life-cycle phases, operator tasks, hazards, hazardous situations, hazardous events, protective measures, and residual risk.
Only after that structure is clear does it make sense to add the cybersecurity layer, for example with IEC 62443, and to examine the relationship with CRA for products with digital elements. CRA can help with the digital product side. IEC 62443 can help organise industrial cybersecurity measures. But neither replaces the basic question ISO 12100 asks: does this affect the risk of the machine in real use?
This is also why post-integration surprises are so common. A risk assessment that starts with a list of guards and switches, instead of with machine limits, often ends up describing yesterday's reality. After integration with SCADA, a software update, a relocation, or a new remote access arrangement, yesterday's reality is not good enough.
Documentation traps after 20 January 2027
Some changes under the regulation look administrative. The old declaration name changes to EU Declaration of Conformity. The declaration for partly completed machinery becomes the EU Declaration of Incorporation. The Machinery Directive 2006/42/EC is replaced by a regulation. The old annex logic becomes Annex I part A and part B. The date to work to is 20 January 2027.
It is tempting to call this paperwork. Do not. This is exactly where you can see whether a company has updated its process or just performed a find-and-replace on an old template. After 20 January 2027, an old declaration format, an old reference to the directive, or an old annex citation is not a harmless editorial mistake. It is a warning sign that the whole CE process may still be built on the wrong framework.
The EU Declaration of Conformity must show the route to conformity
One practical change matters a great deal. The declaration should not hide behind a generic sentence saying the machine complies with the regulation. It should identify the harmonised standards or common specifications applied, with the necessary detail. If a standard was applied only in part, that partial application has to be stated. If other technical specifications were used, those must be identified too.
This is a hard wake-up call for weak documentation habits. A legal reference alone does not prove anything. The regulation sets the requirements. The declaration has to show the route used to demonstrate they were met.
The module used for conformity assessment must be visible
The declaration also has to reflect the conformity assessment procedure, meaning the relevant module. If the product does not fall within Annex I, internal production control under module A will often be the route. If Annex I part A or part B is involved, Article 25 and the product classification must be checked carefully. Depending on the case, the route may be module B plus C, module H, module G, or module A where the regulation allows it.
If the declaration does not make that route clear, the obvious question follows: was the correct conformity assessment path chosen at all?
Do not copy old declaration fields into the new world
The old declaration under the directive included a field for the person authorised to compile the technical documentation. That field is not part of the new declaration model in the same way, and it should not be copied blindly into current templates. This sounds minor, but it is a useful test of whether the company is using an updated process or a relic.
At the same time, do not confuse that point with the role of the authorised representative. An authorised representative may still act on the basis of written mandate, but that role does not replace the manufacturer. It does not take over responsibility for designing the machine in compliance with the essential health and safety requirements, and it does not rescue a poor risk assessment.
The EU Declaration of Incorporation is not just a new file name
The same warning applies to partly completed machinery. A partly completed machine is still not a complete machine ready for independent use. It still requires incorporation into the final machine. But the supporting declaration must now fit the regulation, not an old directive template pulled from an archive.
The EU Declaration of Incorporation should indicate which essential health and safety requirements have been applied and fulfilled, and it should align with the updated technical documentation approach. If a supplier still sends a declaration that looks untouched from another era, that is a red flag. Not because of the file name, but because the document may not support the conformity assessment of the final machine properly.
The worst update is a new heading on an old process
The biggest transition mistake is simple: changing the title of the declaration and leaving everything else untouched. That is not compliance. A proper update means checking the whole chain. Is the product a machine, a related product, or partly completed machinery? Are the machine limits defined? Has risk assessment been updated? Have the applicable essential health and safety requirements been identified? Has Annex I part A or part B been checked? Has the right module been selected? Is notified body involvement required? Are the standards or other technical specifications identified properly? Do the instructions for use match the real machine? Does the technical documentation support the declaration?
That is the actual test. Companies that understand Machinery Regulation (EU) 2023/1230 do not just update the last page of the file. They update the whole conformity process, from product classification and risk assessment to documentation, declarations, and responsibility across the supply chain.
Bottom line: do not ask whether the machine has AI. Ask who or what can change its behaviour, under what conditions, and with what consequences for human safety. That is where the regulation bites. And that is where competent manufacturers and integrators need to do the real work.