Regulation
Annex III — five new clauses that most OEMs haven't read yet
Annex III of the EU Machinery Regulation 2023/1230 is the section that contains the Essential Health and Safety Requirements — the technical rules that every machine sold in Europe must meet. The old Machinery Directive 2006/42/EC had its own version of these requirements, and about 90% of the content carried over. But the remaining 10% is where things get interesting.
Five clauses were added or substantially rewritten to address technologies that simply didn't exist when the directive was drafted. Neural networks running safety functions. Machines connected to the internet. Autonomous mobile systems making real-time decisions without a human in the loop.
Here's what each one says and why it matters.
§1.1.2 — Testability. Machines must be designed so that users — not just manufacturers — can test safety functions. This means the safety architecture has to be accessible, inspectable, and verifiable in the field. If a safety function can't be tested after deployment, it doesn't meet the requirement. This clause shifts responsibility: the manufacturer can't just declare safety at the factory gate.
§1.1.9 — Protection against corruption. This is the cybersecurity clause. Safety-related control systems and software must be protected against both accidental corruption and deliberate attack. Hardware components that transmit signals or data related to safety must be robustly protected. Every intervention in safety software — legitimate or illegitimate — must be logged. Those logs must be retained for a minimum of five years after upload. This clause didn't exist in the old directive. It reflects the reality that connected machines are attack surfaces.
§1.2.1 — Safety and reliability of control systems. Control systems must be designed so that hazardous situations do not arise from cyberattacks, hardware failures, software bugs, disrupted wireless connections, or faults in the control logic itself — including logic with autonomous or semi-autonomous behaviour. The phrase "reasonably foreseeable malicious attempts" now appears in the regulation. For OEMs building AI-driven control systems, this clause means your safety case must account for adversarial scenarios, not just accidental failure modes.
§1.1.6 — Ergonomics for AI. Machines with "fully or partially self-evolving behaviour" must be designed with consideration for how operators interact with systems whose responses may change over time. This is a quiet acknowledgment that an AI-controlled machine may behave differently from one interaction to the next — and the ergonomic design must account for that unpredictability.
§3.6.3.3 — Autonomous mobile machinery. Autonomous mobile machinery must not perform actions outside its designated tasks or operational boundaries. If the AI decides to do something it wasn't designed to do, the machine must prevent that action. This clause draws a hard line: autonomy within boundaries, not autonomy without limits.
None of these clauses existed in the Machinery Directive 2006/42/EC. All five become mandatory on 20 January 2027. There is no transition period. The old directive stops. The new regulation starts. For any OEM selling machines with AI, connectivity, or autonomous functions into Europe, these five clauses define the new baseline.