EU Machinery Regulation 2023/1230

Regulation (EU) 2023/1230, known as the Machinery Regulation, replaces Directive 2006/42/EC and applies in all EU Member States from 20 January 2027. It updates the regime that gives industrial machinery its CE mark and lists, for the first time, AI safety components with self-evolving behaviour as a high-risk category (Annex I, Part A, items 5 and 6) requiring third-party Notified Body conformity assessment.

Frequently Asked Questions

When does the EU Machinery Regulation apply?

Regulation (EU) 2023/1230 was published on 29 June 2023 (OJ L 165) and applies in all EU Member States from 20 January 2027. The penalty provisions in Article 50(1) have been applicable since 14 October 2023. There is currently no adopted postponement for the AI-related Annex I items.

Does the Machinery Regulation apply to AI agents?

It applies when the AI component is a safety component, or is embedded in machinery as a safety function, and uses fully or partially self-evolving behaviour based on machine learning. Typical in-scope systems: autonomous mobile robots and AGVs, robot arms and cobots with adaptive control, drones with autonomous navigation, vision-based safety classifiers, predictive-maintenance agents with autonomous shutdown, and fleet orchestration agents. Software that only writes text or generates code is out of scope.

What is "self-evolving behaviour" under the Machinery Regulation?

The Regulation does not define the term precisely. It uses a capability-based reading: systems whose behaviour is shaped by a machine-learning training process, regardless of whether learning continues after deployment. Pre-trained models that are frozen in production still count, because their behaviour was learned from data and could be retrained. Pure rule-based software is excluded (Recital 55).

Which Annex III sections matter for AI safety components?

Three sections do most of the work. Annex III §1.1.6 (operator-machinery interface) requires the system to expose its intended behaviour and limits to a human operator. Annex III §1.1.9 (protection against corruption) requires cybersecurity controls on safety-relevant functions. Annex III §1.2.1 (safety and reliability of control systems) requires that control logic prevent hazardous situations under operating stress and reasonably foreseeable malicious input.

Does Machinery Regulation compliance require a Notified Body?

Yes, for AI safety components. Annex I, Part A items 5 and 6 force the manufacturer through one of three procedures with Notified Body involvement: EU Type-Examination (Module B), Full Quality Assurance (Module H), or Conformity Based on Unit Verification (Module G). TÜV SÜD became the first Notified Body designated under the new Regulation in September 2024. Capacity is finite; treat the engagement as a long-lead-time dependency.

How does the Machinery Regulation overlap with the EU AI Act?

Annex I of the EU AI Act lists the Machinery Regulation as Union harmonisation legislation. Under AI Act Article 6, any AI system that is a safety component under Regulation (EU) 2023/1230 is automatically a high-risk AI system under the AI Act. It inherits all of AI Act Title III: risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness/cybersecurity (Art. 15). The controls overlap heavily, so the same evidence supports both regimes.

What are the penalties under the Machinery Regulation?

Article 50 leaves the level of penalties to Member States, requiring sanctions that are effective, proportionate, and dissuasive, with criminal sanctions possible for serious infringements. National implementations vary; Germany signals fines in the same order as historical Machinery Directive enforcement under the Produktsicherheitsgesetz. AI safety components face an additional EU AI Act penalty stack capped at €35M or 7% of global annual turnover for prohibited practices, and €15M or 3% for breaches of high-risk obligations.

How Inkog Detects This

Inkog scans AI agent code for the controls that match Annex III. Today it flags eight patterns that map onto §1.1.6 (operator interface), §1.1.9 (protection against corruption), and §1.2.1 (control system reliability): missing human oversight, missing output validation, overreliance on LLM output, infinite loops in agent execution, token bombing, missing rate limits, system prompt leak, and supply chain corruption. Each finding includes the EU AI Act article it maps to in SARIF output, which feeds directly into the code-level evidence section of a Machinery Regulation technical file. Read the deep dive at /labs/eu-machinery-regulation-ai-agents.

```bash
npx -y @inkog-io/cli scan .
```
