Machinery Regulation 2027: managing four EU frameworks as one project

On 20 January 2027 the new Machinery Regulation (EU) 2023/1230 becomes mandatory. Treating it as an isolated compliance file underestimates the challenge. For the project manager who has to lead it, the real work is aligning four EU frameworks that all take effect around the same time.
The deadline no one can miss
From 20 January 2027 the Machinery Regulation replaces the 2006 Machinery Directive. There is no transition period. New machines placed on the European market must comply from day one. For any organisation with a broad machine fleet or a full product roadmap, that is not an administrative formality. It is a programme that takes months to prepare.
Why this is not a single-file project
The novelty is not in the classic safety requirements, but in the fact that cybersecurity is now part of machine safety. A machine can harm people through technical failure and through a malicious digital attack. That immediately connects this file to three other European frameworks:
- Cyber Resilience Act (CRA): machine builders with digital components must also comply; the two regulations overlap on the cyber side and you have to demonstrate that consistency yourself.
- AI Act: as soon as a self-learning or AI-driven function is a safety component, it becomes high-risk with its own conformity route.
- NIS2: not about the product, but about your organisation and supply chain, a separate layer with its own obligations.
The project management challenge
Four frameworks, one deadline, overlapping but not identical requirements. The temptation is to set up four separate work streams. Four owners, four risk analyses, four document sets. That is exactly the approach that blows budgets and slips deadlines. The better approach is programmatic: treat the convergence as one integrated track with shared building blocks.
Shared building blocks as the foundation
An information security management system to ISO 27001 provides evidence for both your NIS2 obligations and the secure-development requirements in the CRA and Machinery Regulation. An AI management system to ISO/IEC 42001 governs your AI lifecycle and translates the AI Act into workable processes. The technical standard IEC 62443 covers the cyber side of the machine and product. Build once, use many times.
Key takeaway
Don’t treat 2027 as four compliance deadlines, but as one convergence point. Take the shared building blocks (ISO 27001, ISO 42001 and IEC 62443) as the foundation, and you build once but prove many times.
How to run it as a programme
- Scoping: map which of the four frameworks apply to which products and business units.
- Gap analysis: compare your current documentation, risk analyses and processes to the new requirements and identify the overlap.
- Integrated roadmap: schedule the shared building blocks first so each work package serves multiple frameworks.
- Governance: one steering committee, one risk register, one reporting line. No silos.
- Evidence: structure the technical files and declarations of conformity so overlapping requirements reinforce each other.
Start now, not in 2026
The transition window looks generous, but reworking technical files, risk analyses and internal processes takes time, especially with a broad product portfolio. Start now and you work step by step without pressure. Wait, and you risk delaying market introductions at exactly the wrong moment.
Facing this convergence and looking for someone to lead it as one programme?