EU Regulation 2023/1230, the role of digital media and cybersecurity

2024/07/23

EU Regulation 2023/1230, which will come into force on January 14, 2027, repealing Directive 2006/42/EC, “lays down health and safety requirements for the design and construction of machinery, related products and partly completed machinery to allow them to be made available on the market or put into service while ensuring a high level of protection of the health and safety of persons”.

Another change from Directive 2006/42/EC concerns digital technology and cybersecurity. EU Regulation 2023/1230 requires manufacturers to take measures related to new digital technologies: as technology has evolved, so has software, which plays an increasingly important role in machine design.

The definition of “machine” itself changes as a result of this consideration; EU Regulation 2023/1230 specifies that “machinery missing only the upload of software intended for the specific application foreseen by the manufacturer, and which is the subject of the conformity assessment procedure of the machinery, should fall under the definition of machinery and not under the definitions of related products or partly completed machinery”.

In addition, software that performs a security function and is independently placed on the market should be considered a security component.

EU Regulation 2023/1230 goes into specifics in the EHSR set out in Annex III. EHSR 1.1.9 (“Protection against corruption”) states that “software and data that are critical for the compliance of the machinery or related product with the relevant essential health and safety requirements shall be identified as such and shall be adequately protected against accidental or intentional corruption”. In addition, “the machinery or related product shall collect evidence of a legitimate or illegitimate intervention in the software or a modification of the software installed on the machinery or related product or its configuration”.

EHSR 1.2.1, on the other hand, specifies that control systems must be constructed in such a way that they can withstand “the intended operating stresses and intended and unintended external influences, including reasonably foreseeable malicious attempts from third parties leading to a hazardous situation”. For example, a failure in the wireless communication of a command should not create a dangerous situation.

In this regard, a digital modification after the machine has been placed on the market is considered a “substantial modification”.

As with hardware security functions, the source code or programming logic of security-related software must now be included in the technical documentation, in line with the new cybersecurity aspects of EU Regulation 2023/1230.

At Advolo, we provide you with a team of experts who can help you with design and advice in accordance with EU Regulation 2023/1230. Please feel free to contact us for more information at the following email: commerciale@advolo.it
