European regulators are moving to formalize governance standards for cloud-based Manufacturing Execution Systems (MES) as accelerating IT/OT convergence exposes new risk surfaces across manufacturing, energy, and critical infrastructure sectors. The draft framework, drawing on the NIS2 Directive and emerging EU cloud policy instruments, would establish uniform compliance baselines covering OT asset inventories, access controls, incident reporting, and supply-chain transparency for cloud-native MES deployments across EU member states.
Background
The regulatory push arrives as the EU's industrial cybersecurity posture undergoes structural change. The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU, explicitly including manufacturing, energy, and digital infrastructure. On January 20, 2026, the European Commission proposed targeted amendments to the NIS2 Directive to increase legal clarity and simplify compliance for companies operating in the EU. Germany transposed NIS2 into national law with immediate effect: its NIS2 implementation law came into force on December 6, 2025, with central provisions in the amended BSI Act and no general transition period.
Cloud certification is evolving in parallel. The European Union Cloud Services Scheme (EUCS) is a cybersecurity certification framework established under the EU Cybersecurity Act and developed by the European Union Agency for Cybersecurity (ENISA) to standardize cloud service security across the European Union (source: "NIST NCCoE OT Cybersecurity Project Boosts Visibility"). While formally non-mandatory, the EUCS framework, combined with the NIS2 Directive and Data Act, creates legal pathways for national authorities to require businesses to use only EU-certified providers (source: "NIST cyber center to launch OT 'visibility' project", Federal News Network). The EU Data Act entered into force on January 11, 2024, and became fully applicable on September 12, 2025, establishing cloud switching and interoperability requirements for data processing services - including IaaS, PaaS, and SaaS - to reduce vendor lock-in.
On the US side, a parallel effort is taking shape at the NIST National Cybersecurity Center of Excellence (NCCoE). Cherilyn Pascoe, director of NIST's NCCoE, confirmed the center is launching an OT cybersecurity project following work on several efforts tied to specific critical infrastructure sectors. Across multiple conversations with different sectors, asset management and asset visibility emerged as the largest challenge.
Details
For MES vendors and manufacturers, the compliance implications are operational, not merely legal. NIS2 shifts cybersecurity from an internal IT matter to a management responsibility with auditable requirements while increasing pressure on supply chain security: companies must demonstrate that relevant IT and OT suppliers meet adequate security standards. This makes security evidence for networked production systems - MES, SCADA, OT gateways, remote services, and data pipelines - a hard procurement criterion.
Enforcement carries substantial financial exposure. NIS2 grants national authorities stronger enforcement powers, including regular audits, security inspections, binding instructions, and administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher. Management bodies are personally accountable for compliance, and governance failures may result in temporary bans or disqualification of individuals from leadership roles.
OT asset visibility is a central sticking point in both the EU and US frameworks. Industry practitioners have noted that most sectors have not completed an OT asset inventory - in many cases, organizations do not know what assets they possess. The NCCoE project will directly address that gap. NIST confirmed it would launch a consortium with industry and government agencies to advance the OT visibility project, with the explicit goal of demonstrating how to leverage existing standards and frameworks to enhance visibility and build architectures using commercially available technologies.
Data localization requirements add further complexity for cross-border MES deployments. Digital sovereignty regulations have driven 65% of executives to alter their cloud strategies, according to Kyndryl's 2025 Cloud Readiness Report. Hyperscalers are responding: Amazon, Microsoft, and Google have redesigned service offerings with physically and logically separate infrastructures, EU-based personnel, and customer control of encryption keys to satisfy requirements for operational autonomy and legal jurisdiction.
Outlook
The EU's proposed cloud-native MES compliance framework is expected to follow a phased implementation timeline, with regulators signaling audit rights and sector-by-sector rollout. Buyers are likely to face uncertainty amid a patchwork of sovereignty levels among competing offers. Market fragmentation could lead to higher costs and operational challenges, especially for SMEs and niche integrators. For manufacturers already expanding cloud MES adoption, the immediate priority is governance realignment: organizations evaluating a cloud MES or OT integration platform should treat NIS2 requirements as a mandatory part of the RFP. The convergence of EU cloud sovereignty regulation and the NIST NCCoE's cross-sector OT visibility work signals that unified risk management across OT and IT environments is becoming a non-negotiable baseline across regions.
