Newsroom
EU Machinery Regulation (EU) 2023/1230: LAST Technology’s Approach for the Pharmaceutical Sector
20 January 2027 is a date that every technical manager, quality manager, and production director in the pharmaceutical industry must mark in their calendar. From that day onward, Regulation (EU) 2023/1230 will definitively repeal the Machinery Directive 2006/42/EC, introducing stricter requirements on cybersecurity, safety-related software, and artificial intelligence.
Unlike a Directive, which required national transposition and allowed room for interpretation, a Regulation applies directly and uniformly across all Member States. For manufacturers and users of pharmaceutical machinery (GMP equipment, depyrogenation tunnels, autoclaves, saturated steam sterilizers, etc.), this translates into clear obligations, fixed deadlines, and well-defined responsibilities throughout the entire supply chain.
LAST Technology, an Italian company specialized in the design and manufacturing of equipment for the pharmaceutical industry, has already integrated the new Regulation’s requirements into its engineering workflow. This guide consolidates everything needed to prepare for 2027.
Why the Machinery Regulation (EU) 2023/1230 Was Introduced
Directive 2006/42/EC was drafted in a “pre-digital” era, when industrial machinery was essentially mechanical. Today, pharmaceutical equipment is an interconnected cyber-physical system: networked PLCs, IoT sensors, supervisory software.
The European legislator recognized this transformation and updated the Essential Health and Safety Requirements (Annex III) to address four critical areas:
- Cyber risks: cyberattacks capable of compromising safety functions
- Software as a safety function
- Self-evolving systems: Artificial Intelligence and machine learning
- Substantial modifications after commissioning: the entity performing the modification becomes the new manufacturer
Key Changes for the Pharmaceutical Industry
1. Cybersecurity integrated into functional safety
Connected machinery must be designed to withstand cyberattacks that could compromise safety functions such as emergency stop, interlocks, or process-parameter monitoring. In the pharmaceutical sector—where Data Integrity (ALCOA+ principles) is a primary regulatory requirement—cybersecurity directly protects the integrity of sterilization and depyrogenation cycles, data routinely verified by FDA and EMA during inspections.
2. A rigorous definition of “substantial modification”
Regulation 2023/1230 introduces precise criteria to determine when a mechanical, electrical, or software modification generates new risks or alters existing safety functions. In such cases, the entity performing the modification assumes the role of new manufacturer, with all associated obligations: a complete new risk assessment, a new EU Declaration of Conformity, and new CE marking.
For the pharmaceutical sector, this point is particularly critical: many modifications to installed equipment (PLC upgrades, recipe changes, SCADA integrations) that today are treated as simple updates may qualify as substantial modifications starting in 2027.
3. Fully digital technical documentation
User manuals, maintenance instructions, and Declarations of Conformity may be provided in digital format (QR code, URL link). They must remain accessible online for at least 10 years. Users retain the right to request a printed version at no cost. For pharmaceutical companies, this aligns perfectly with GMP documentation-traceability requirements and simplifies document management during FDA/EMA audits.
4. Clearer obligations for partly completed machinery, importers, and distributors
The Regulation precisely defines the roles and responsibilities of all economic operators in the supply chain: manufacturers, importers, distributors, and—importantly—those performing substantial modifications. It also clarifies requirements for safety components (sensors, PLCs, software), which must be compliant before being integrated into the final machine.
| Feature | Directive 2006/42/EC | Regulation (EU) 2023/1230 |
|---|---|---|
| Regulatory Instrument | Directive (National Transposition) | Regulation (Direct EU Application) |
| Full Applicability | Since 2009 — Currently in force | January 20, 2027 |
| Cybersecurity | Not explicitly addressed | Integrated into functional safety |
| Software and AI | Not contemplated | Explicit safety functions |
| Substantial Modifications | Vague definition | Strict criteria → New manufacturer |
| User Manuals | Primarily paper-based | Digitally native (paper on request) |
| Technical Documentation | 10 years of storage | 10 years of online accessibility |
| Supply Chain | Obligations centered on the manufacturer | Importers and distributors included |
The Specific Impact on GMP Pharmaceutical Machinery
The pharmaceutical sector presents characteristics that make the transition to Regulation (EU) 2023/1230 more complex than in other industrial domains. Pharmaceutical machinery operates in environments governed by overlapping regulatory frameworks—EU GMP (Annex 1 for sterile medicinal products), FDA 21 CFR Part 11 for computerized systems, and GAMP 5 for software validation—which already require high standards of documentation and traceability.
The convergence between the new Machinery Regulation and GMP requirements creates both challenges and opportunities.
Sterilization and Depyrogenation Equipment
Autoclaves, depyrogenation tunnels, and GMP washers manage critical process parameters directly linked to patient safety. The control software supervising temperature, pressure, and exposure time now explicitly falls under the safety functions defined by Regulation (EU) 2023/1230. This means such software must be validated using a documented risk-based approach, updated only through controlled processes, and protected against unauthorized access.
Data Integrity and Cybersecurity: An Inseparable Pair
In the pharmaceutical industry, Data Integrity is non-negotiable: FDA and EMA may revoke manufacturing authorization if batch data are not complete, accurate, and immutable (ALCOA+ principles). A cyberattack that alters sterilization-cycle data is not merely a cybersecurity issue—it constitutes a potential GMP non-compliance with severe consequences.
Regulation (EU) 2023/1230 elevates cybersecurity to a CE-marking requirement, creating a direct alignment with EMA/FDA expectations on Data Integrity.
LAST Technology’s “Native Compliance” Approach
LAST Technology does not simply declare compliance with current regulations: it already designs equipment that meets the requirements of Regulation (EU) 2023/1230 through an approach defined as Native Compliance, characterized by:
Digital-First Risk Assessment
Cybersecurity and software safety are integrated from the concept phase, not added as subsequent layers. Each new machine is analyzed to identify software safety functions, potential cyber-attack surfaces, and long-term update requirements.
Stable and Upgradable Control Architectures
LAST Technology’s control architectures are engineered to be upgradable without introducing new risks or qualifying as substantial modifications. This protects the customer: updates required to maintain long-term performance do not trigger a new CE-certification process.
Validatable Technical Documentation
Technical documentation is structured to support FDA/EMA audits as well as EU market surveillance. IQ/OQ/PQ, risk assessments, and change-control records form a complete documentation package maintained over time.
Post-Sales Support for Substantial Modifications
If a customer needs to modify a machine—such as a software update, MES/SCADA integration, or hardware upgrade—LAST Technology provides a preliminary assessment to determine whether the change qualifies as a substantial modification under Regulation (EU) 2023/1230. If so, the company manages the entire re-certification process.
Choosing a LAST Technology machine today means acquiring an asset already future-proof for 2027.
Operational Checklist for Pharmaceutical Companies
Pharmaceutical manufacturers should begin preparing now for Regulation (EU) 2023/1230:
- Inventory all installed machinery: identify equipment with PLCs, network connectivity, or control software performing safety functions.
- Assess cyber risk per machine: update the machine register to include cybersecurity risk evaluations for each connected system.
- Map ongoing and planned modifications: verify whether upcoming software updates, hardware upgrades, or SCADA integrations may qualify as substantial modifications.
- Request suppliers’ compliance roadmap: ask manufacturers—such as LAST Technology—for their roadmap toward full compliance with Regulation (EU) 2023/1230.
- Plan new purchases accordingly: for equipment being specified or procured, explicitly require compliance with Regulation (EU) 2023/1230.
- Train the quality team: update QA/QC and maintenance personnel on the implications of the new Regulation, especially the concept of substantial modification.
Conclusion: Turning Compliance into Competitive Advantage
Regulation (EU) 2023/1230 is not merely a regulatory obligation with a 2027 deadline. It is an opportunity to make pharmaceutical production lines safer, more digital, and more resilient. Companies that anticipate the transition—by choosing suppliers whose equipment is already compliant—reduce future adaptation costs and strengthen their position during regulatory audits.
LAST Technology supports all pharmaceutical companies wishing to turn this regulatory shift into a concrete competitive advantage.
If you want to verify whether your current machine or upcoming investment is already compliant with the Machinery Regulation 2023/1230, contact us: our specialists will provide a tailored assessment.
FAQ - Frequently Asked Questions on Regulation (EU) 2023/1230
20 January 2027. From that date, only Regulation (EU) 2023/1230 will apply to CE marking of new machinery placed on the EU market.
Related posts
mail
Subscribe to our newsletter
Stay up to date with the latest news from LAST Technology