EU Machinery Regulation: Implications for CH – Part 2/3

The EU Machinery Regulation (EU) 2023/1230 presents manufacturers and operators with new requirements – not only technical, but increasingly in cybersecurity. The regulation is relevant for Swiss companies: Switzerland is aiming for simultaneous and equivalent implementation to secure access to the EU market (Swissmem).

From NIST assessment to NIS2 compliance: Why cybersecurity is central to machine safety

In Part 1 of this series, we outlined the fundamentals of the EU Machinery Regulation and noted the expected legal implications for Swiss manufacturers. In Part 2, we focus on the interfaces between classic machinery requirements and modern cyber requirements: How does a NIST-based assessment lead to practical NIS2 compliance – and what role does this play in meeting the new Machinery Regulation?

In brief: A NIST assessment provides a structured inventory of technical and organisational safeguards. This foundation helps implement NIS2 requirements, for example in governance, risk management and supply chain control. For machines with connected components, this translates into concrete requirements: protect firmware integrity, establish secure update processes and enforce access controls. These same requirements also fall under the conformity requirements of the new regulation.

1. NIST assessment: Foundation for technical integrity and process security

An assessment against a NIST framework (e.g. the NIST Cybersecurity Framework, CSF) is not an end in itself, but a pragmatic tool to measure maturity across the CSF functions: Identify, Protect, Detect, Respond and Recover (CSF 2.0 adds Govern). These functions map onto machinery requirements such as secure design, secure development of software/firmware and traceability of changes. Manufacturers should use the assessment to:

– inventory the attack surfaces of connected controls (PLC, IIoT modules);
– map supplier and component dependencies;
– define processes for secure updates and patch management;
– establish responsibilities along product lifecycles.

2. NIS2: Enhanced governance and notification duties for essential and important entities

The EU NIS2 Directive (whose transposition into national law is still the subject of intense debate) tightens requirements for cybersecurity, incident notification and governance for the essential and important entities in its scope, which include manufacturers of machinery and operators of critical facilities. For them this means: technical measures must be accompanied by clear governance processes. A NIST-based assessment shows where technical gaps exist; NIS2 additionally requires documented decision paths, responsibilities at executive level and processes to report significant incidents to the competent authorities within fixed deadlines (an early warning within 24 hours, an incident notification within 72 hours and a final report within one month).

For Switzerland, proximity to the EU is of particular relevance: simultaneous implementation of the EU Machinery Regulation is sought to maintain legal equivalence and avoid jeopardising market access (Swissmem: Transition).

3. Concrete overlaps: What this means for machinery

The linkage between a NIST assessment and NIS2 compliance materialises in concrete requirements that are also reflected in the EU Machinery Regulation, notably in the essential health and safety requirements of Annex III on protection against corruption and on the safety and reliability of control systems:

– Secure-by-design: Proof that products are engineered against misuse and manipulation (including cyber-physical attacks);
– Software/firmware integrity: Concepts for signing, secure boot processes and controlled update pipelines;
– Supply chain transparency: Traceable origin of components and security evaluations of suppliers;
– Incident management: Processes for detection, reporting and recovery that address both product owners and operators.
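The software/firmware integrity point above is the one that most directly turns into code on the device. The following is an added example written for this article, not code from the Regulation, Swissmem or any vendor: a vendor signs a small manifest (firmware version plus SHA-256 of the image) with Ed25519 from Go's standard library, and the device refuses the package if the signature is wrong, if the version is not newer than the installed one (anti-rollback) or if the image does not match the signed digest. The manifest layout, the error names and the sample image bytes are constructed for the example; a real bootloader would additionally pin the public key in immutable storage and keep the installed version in a monotonic counter.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one firmware image.
// Signed byte layout (constructed for this example):
//   4-byte big-endian version || 32-byte SHA-256 of the image
type Manifest struct {
	Version uint32
	Digest  [sha256.Size]byte
}

// Bytes returns the exact byte string that is signed and verified.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Package is what travels over the update channel: manifest, its signature
// and the image itself. Only the manifest is signed; the image is bound to
// it through the digest.
type Package struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// BuildPackage is the vendor side of the controlled update pipeline.
// The private key would live in an HSM or signing service, never on the device.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) Package {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Package{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

var (
	ErrBadSignature = errors.New("firmware: manifest signature invalid")
	ErrRollback     = errors.New("firmware: version not newer than installed version")
	ErrDigest       = errors.New("firmware: image digest does not match manifest")
)

// VerifyPackage is the device side. Checks run in this order on purpose:
// nothing in the manifest is trusted before the signature passes, so a
// tampered version field is rejected as a bad signature, not as a rollback.
func VerifyPackage(pub ed25519.PublicKey, installed uint32, p Package) error {
	if !ed25519.Verify(pub, p.Manifest.Bytes(), p.Signature) {
		return ErrBadSignature
	}
	if p.Manifest.Version <= installed {
		return ErrRollback // replaying an old, genuinely signed package is refused
	}
	got := sha256.Sum256(p.Image)
	if !bytes.Equal(got[:], p.Manifest.Digest[:]) {
		return ErrDigest // digest is signed public data, constant-time compare not needed
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor signing key (example only)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2") // constructed sample, not a real image
	pkg := BuildPackage(priv, 2, image)

	fmt.Println("genuine v2 installed over v1:", VerifyPackage(pub, 1, pkg))
	fmt.Println("replay of v2 onto a v2 device: ", VerifyPackage(pub, 2, pkg))

	tampered := pkg
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("image modified in transit:     ", VerifyPackage(pub, 1, tampered))
}
```

The order of the checks is the point worth carrying into a conformity file: signature first, then version, then image digest, so that no field from an unauthenticated manifest influences a decision.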

These aspects correspond to recommendations and points of discussion on Swiss information pages about the new regulation, such as those of the State Secretariat for Economic Affairs (SECO: Machinery) and industry associations (Swissmem).

4. Practical steps for CISOs and manufacturers

For CISOs and security leads, a pragmatic roadmap is advisable that integrates NIST principles with NIS2 and Machinery Regulation requirements:

1) Scope & Inventory: Create a complete inventory of connected machines and their communication paths. Without this step, assessments remain incomplete.
2) Risk-based prioritisation: Use NIST assessment results to prioritise critical components (e.g., controllers, HMIs, remote access interfaces).
3) Secure development lifecycle: Anchor security requirements in product development and document them as part of the conformity file.
4) Supplier risk management: Implement supplier evaluations and contractual clauses on security responsibilities.
5) Incident response & reporting: Establish processes that cover both NIS2 notification duties and product-related reporting requirements.
6) Documentation for conformity: Prepare technical documentation that addresses the requirements of the Machinery Regulation (risk assessment, technical dossiers, user manuals with safety information).

Further technical resources on practical implementation can be found in specialist articles and events dealing with the new regulation and machine safety (IBF Solutions, SAVE: Machine Safety 2025).

5. Market access as the crux: Legal and practical implications for Switzerland

Switzerland plans equivalent implementation, but international coordination remains decisive. As long as the Mutual Recognition Agreement (MRA) with the EU is not updated to cover the new Regulation, additional bureaucratic hurdles may arise for Swiss manufacturers exporting to the EU. This increases the pressure to maintain clean technical documentation, evidence of security testing, processes for updates, and security and risk assessments (Federal Administration).

For boards and managing directors this means: compliance is not only a technical matter, but strategic risk preparedness. Gaps in risk management can directly affect export capability and liability exposure.

Conclusion

A NIST assessment is a pragmatic starting point to identify technical and organisational security gaps. NIS2 complements this with governance, reporting and supply chain obligations relevant to connected machinery. The EU Machinery Regulation further requires technical evidence and documentation that are difficult to provide without close integration of cybersecurity and product development. For Swiss companies, those who actively bridge NIST, NIS2 and the Machinery Regulation secure not only compliance but also market opportunities in the EU.

Next steps (Part 3)

In Part 3 of this series, we will delve into implementation in Switzerland: concrete requirements for export documentation, adjustments in product development and action points for the board and CEO. Part 1 laid the groundwork; Part 3 will show the operational steps to secure market access.

Key take-away – Integration is imperative

Embed cybersecurity in the product lifecycle: conduct NIST-based assessments, implement NIS2-compatible governance processes and document technical evidence for the EU Machinery Regulation. Use available information resources and specialist events to harmonise practices (Machinery Directive Newsletter, NSBIV guidance).
