According to Rockwell Automation's 2025 State of Smart Manufacturing Report, 21% of manufacturing leaders cite integration challenges as a top internal obstacle - yet the industry is now migrating those very integrations into the cloud at scale. The December 2025 launch of Rockwell Automation's Elastic MES portfolio1Elastic MES portfolio marks more than a product announcement. It signals a structural shift in how manufacturers must govern, secure, and recover their production operations.
As cloud-native MES platforms expand across European operations - spanning automotive, consumer electronics, pharmaceuticals, and food and beverage - the governance questions they raise are no less urgent than the efficiency gains they promise. Data sovereignty, identity management, supply chain integrity, and OT-specific disaster recovery are no longer implementation afterthoughts. They are board-level obligations.
What Elastic MES Actually Changes for OT/IT Integration
Rockwell's Elastic MES portfolio is a cloud-native, interoperable platform2cloud-native, interoperable platform designed to unify operations across operational technology (OT) and information technology (IT). The platform supports discrete, hybrid, and regulated industries through a multi-tenant Software-as-a-Service (SaaS) environment with embedded AI, open APIs, and flexible deployment options spanning cloud-only to hybrid edge-to-cloud configurations.
The significance for OT/IT convergence lies in the architecture's scope. Traditional MES deployments have historically operated in silos, limiting visibility across OT and IT layers. The elastic model breaks those silos by connecting the full manufacturing lifecycle - from materials and inventory management to production workflows and tooling coordination - through a single unified platform. Embedded analytics and AI-driven insights then operate across that unified data layer in real time.
"Legacy MES systems, while foundational, have become barriers to agility in an era defined by rapid change," said Lorenzo Veronesi2cloud-native, interoperable platform, associate research director at IDC. The firm positions modern elastic MES as essential for on-demand process reconfiguration and seamless digital-thread integration.
The practical implication: when MES moves to the cloud, the attack surface, the compliance perimeter, and the governance model all expand simultaneously. Plant IT and OT teams that previously maintained separate tool chains, credentials, and change processes now operate on shared infrastructure - and share responsibility for its integrity.
The European Regulatory Pressure: NIS2, GDPR, and Data Sovereignty
European manufacturers piloting or scaling elastic MES face a regulatory landscape that has grown materially more demanding since cloud-first MES strategies began gaining traction.
The NIS2 Directive (Directive 2022/2555), which entered enforcement from October 2024, establishes cybersecurity risk management and incident reporting obligations across 18 critical sectors - including manufacturing - across EU member states. Non-compliant essential entities face administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, while management bodies are personally accountable for governance failures.
The transposition of NIS2 into national law remains uneven. As of mid-2025, 16 EU and EEA countries have adopted national NIS2 legislation3As of mid-2025, 16 EU and EEA countries have adopted national NIS2 legislation, while the European Commission issued formal "reasoned opinions" against lagging states in May 2025. Reporting obligations, incident notification thresholds, and audit timelines vary significantly across jurisdictions4Reporting obligations, incident notification thresholds, and audit timelines vary significantly across jurisdictions, creating a fragmented compliance landscape for manufacturers operating in multiple EU countries.
For elastic MES deployments, NIS2 compliance requires specific attention to:
- Supply chain security: Research indicates that 60% of data breaches originate from third-party vendors, underscoring the need for security standards embedded in vendor contracts and RFQs. NIS2 explicitly requires procurement processes to evolve5NIS2 explicitly requires procurement processes to evolve, making supply chains a source of resilience rather than vulnerability.
- Incident reporting: NIS2's standard model requires initial notification within 24 hours of detecting a significant incident. MES-linked OT events that disrupt production may trigger this threshold.
- Cross-functional governance: ENISA's NIS2 guidance4Reporting obligations, incident notification thresholds, and audit timelines vary significantly across jurisdictions explicitly requires cross-functional teams - IT, cybersecurity, legal, and compliance - to be mapped to NIS2 obligations.
GDPR adds a parallel layer for production data containing personal information. European manufacturers must ensure that cloud MES regions do not transfer sovereignty-sensitive data outside jurisdictions in violation of data residency requirements. A sovereign cloud's infrastructure enforces jurisdictional control over data, operations, and compliance6A sovereign cloud's infrastructure enforces jurisdictional control over data, operations, and compliance - but governance configuration and internal security practices remain the manufacturer's responsibility, not the provider's.
Governance at the Convergence Layer: Where IT and OT Policies Collide
At most manufacturing enterprises, there is no joint governance model covering both IT and OT, resulting in high degrees of overlapping processes and a lack of interdisciplinary skills. Cloud-native elastic MES directly exposes that gap. The platform sits at the IT/OT boundary, receiving data from SCADA and PLC systems below and feeding ERP, quality management, and analytics platforms above.
The following comparison maps how governance requirements shift when moving from traditional on-premises MES to a cloud-native elastic architecture.
| Governance Dimension | Traditional On-Prem MES | Cloud-Native Elastic MES |
|---|---|---|
| Data Sovereignty | Data within plant perimeter; jurisdiction clear | Multi-region cloud hosting; GDPR-aligned residency controls required |
| Access Control | Network-perimeter-based; siloed IT/OT credentials | Identity-first RBAC and MFA across cloud and OT layers |
| Incident Response | IT and OT teams respond in isolation | Unified cross-domain playbook; shared-responsibility model applies |
| Change Management | Infrequent, vendor-scheduled patch cycles | Continuous SaaS updates; joint IT/OT change advisory process needed |
| Audit & Traceability | On-site log repositories; limited cross-site visibility | Centralized cloud audit trails; aligned to NIS2 notification timelines |
| Disaster Recovery | Secondary on-prem site; manual failover | Geo-redundant cloud DR; OT edge nodes require autonomous fallback mode |
| Supply Chain Risk | Vendor access managed at plant level | API-connected supply chain; third-party risk embedded in SLAs |
Three challenges consistently emerge for systems integrators deploying elastic MES across European plants:
Role-based access control at the OT boundary. Introducing cloud technologies such as RBAC and software-defined networking into OT environments7Introducing cloud technologies such as RBAC and software-defined networking into OT environments requires reconciling IT identity management frameworks with OT operational reality, where shared accounts and physical proximity have historically substituted for formal authentication. Without clear segmentation and session monitoring, third-party vendor access can introduce systemic risk that propagates from IT into production networks.
Legacy asset integration. Approximately 50% of manufacturers operate OT assets that are 15 or more years old8Approximately 50% of manufacturers operate OT assets that are 15 or more years old, complicating secure integration with cloud MES platforms. Protocol translation, DMZ architecture, and edge gateway security all require explicit design - not assumptions carried over from IT-only cloud migrations.
Fragmented logging and SIEM coverage. Cloud MES generates audit events in the SaaS layer; OT gateways generate separate logs at the plant level; identity providers and corporate SIEMs operate on different cadences. Without a unified logging strategy, incident response during a cross-domain event becomes a coordination failure.
Cloud Resilience for OT: Rethinking Disaster Recovery When Production Lines Are at Stake
The resilience model for cloud manufacturing differs fundamentally from enterprise IT disaster recovery. When MES loses connectivity, the consequences are not degraded user experience - they are halted production lines, batch failures, traceability gaps, and potential safety events.
Cloud platforms can use geo-redundant architectures to distribute loads across data centers9Cloud platforms can use geo-redundant architectures to distribute loads across data centers, with automatic failover maintaining availability during regional outages. Elastic MES architectures address this through edge-to-cloud design: edge nodes at the plant level maintain local operation during cloud connectivity loss, synchronizing with the cloud layer when connectivity resumes. This approach is architecturally sound - but only if failback procedures are documented, tested, and jointly owned by both IT and OT teams.
GDPR and European data residency requirements also constrain where backup data can be stored and replicated10GDPR and European data residency requirements also impose constraints on where backup data can be stored and replicated, meaning cloud DR configurations must align geo-replication policies with regulatory jurisdiction - not simply with lowest-latency availability zones.
Recovery time objectives (RTOs) and recovery point objectives (RPOs) negotiated for cloud MES contracts must be evaluated against OT realities, not generic IT SLAs. A 4-hour RTO may be acceptable for an enterprise application; it may represent four hours of lost production and a traceability compliance failure on a regulated manufacturing line.
A Framework for Evaluating Cloud-Based OT/IT Convergence Projects
For senior manufacturing and operations leaders assessing elastic MES deployment, the following six-step framework provides a structured path from evaluation to governance maturity. It is informed by the governance gaps most consistently identified by systems integrators and compliance assessors across European manufacturing programs.
Cloud OT/IT Convergence Governance Checklist
1. Establish Clear Data Ownership and Classification Define which production data is sovereignty-sensitive before cloud migration begins. Classify data by regulatory jurisdiction and assign explicit ownership to named roles across IT and OT teams.
2. Institute Unified IT/OT Change Management SaaS MES platforms receive continuous updates that can alter integrations with SCADA and edge systems. A joint IT/OT change advisory board should review all platform updates for OT impact before approving deployment windows.
3. Define Measurable Security and Performance SLAs Negotiate contractually binding SLAs specifying cloud availability minimums, maximum RTOs for OT-connected workloads, and incident notification timelines aligned with NIS2's 24-hour reporting requirement.
4. Implement Identity-First Access Controls Across Domains Deploy RBAC and MFA across all cloud MES interfaces, industrial DMZs, and OT network segments. Eliminate shared accounts and establish session monitoring for all third-party vendor access.
5. Test OT-Specific Disaster Recovery Scenarios Regularly Conduct tabletop exercises and partial failover drills that explicitly simulate MES cloud outages while production lines remain active. Validate that edge nodes sustain autonomous operation during connectivity loss.
6. Align Platform Interoperability with Open Standards Require ISA-95 and IEC 62443 compliance in MES vendor contracts. Open APIs and standardized data models reduce vendor lock-in and facilitate the integration audits required under NIS2 supply chain security provisions.
⚠️ NIS2 Enforcement Is Active and Uneven Across the EU
As of mid-2025, 16 EU and EEA countries have enacted NIS2 national legislation, while the European Commission has issued formal "reasoned opinions" against states still lagging. Reporting obligations, audit timelines, and incident notification thresholds vary significantly by jurisdiction. Manufacturers operating across multiple EU member states face a fragmented compliance landscape and should assess each national law individually - not assume uniform requirements.
Assess Your Organization's Readiness
Use the interactive assessment below to evaluate cloud OT/IT governance posture across the eight dimensions most critical to elastic MES deployment.
Conclusion: Elasticity Requires Equally Elastic Governance
Rockwell Automation's Elastic MES strategy reflects a broader industry trajectory: cloud-native manufacturing platforms are no longer experimental. They are production infrastructure, connected to physical processes, regulated operations, and cross-border supply chains operating under some of the world's most demanding compliance frameworks.
The OT/IT convergence opportunity that elastic MES enables - unified visibility, AI-driven operational insights, modular scalability - is real. But converging IT and OT without coordinated access management and governance increases exposure8Approximately 50% of manufacturers operate OT assets that are 15 or more years old in ways neither team can fully manage alone.
European manufacturers scaling cloud-based MES should treat governance maturity as a prerequisite, not a follow-on activity. That means clear data ownership before migration, unified change management across IT and OT, contractual SLAs calibrated to OT production realities, and continuous alignment with evolving European regulatory standards. The architecture is elastic. The accountability is not.
For additional analysis on federated data governance models and their role in enterprise MES scale-up, see Industrial Data Governance Accelerates MES Scale-up. For broader context on how MES platforms demonstrated OT/IT unity at scale in 2026, see MES Platforms Unite OT and IT at Hannover Messe 2026.
