Europe's converging cybersecurity regulations are compelling manufacturers to fundamentally redesign how cloud-native Manufacturing Execution Systems (MES) are secured, governed, and audited - with the first hard compliance deadline now less than four months away.
The EU's Cyber Resilience Act (CRA), NIS2 Directive, and EU Data Act collectively impose layered obligations on industrial software operators that exceed prior voluntary frameworks, covering software bill of materials (SBOM) documentation, vulnerability reporting, supply chain transparency, and cloud interoperability. For manufacturers operating cloud MES in OT/IT convergent environments, the combined regulatory demand represents the most significant compliance overhaul the sector has faced.
Background
NIS2 entered into force in January 2023, with EU member states required to transpose the directive into national law by October 17, 2024. The directive raises the EU's baseline cybersecurity ambition through broader scope, clearer rules, and stronger supervision tools. For manufacturers classified as essential or important entities, NIS2 imposes strict requirements around cyber risk management, incident response, and supply chain security.
The CRA, published as Regulation (EU) 2024/2847, escalates those demands to the product level. The CRA entered into force on December 10, 2024, with mandatory vulnerability reporting obligations taking effect on September 11, 2026, and full enforcement applying from December 11, 2027.
The threat environment driving this legislation is acute. Ransomware surged across the manufacturing sector in 2025, rising 56% year over year to 1,466 incidents and accounting for roughly half of all global attacks. Check Point Research attributed the spike to vulnerable legacy OT systems, complex supply chains, and the rapid scaling of ransomware-as-a-service operations. As OT and IT networks increasingly converge, 75% of OT attacks originate as IT breaches, adding complexity to the industrial security challenge.
Against this backdrop, the European MES market is projected to grow from USD 3.80 billion in 2025 to USD 5.88 billion by 2030, a CAGR of 9.1%.[1] On-premises MES currently dominates due to data security and regulatory compliance requirements[2], but demand for cloud and hybrid MES solutions is rising among multi-site manufacturers.
Details
The CRA's most immediate obligation for cloud MES operators concerns SBOMs - structured inventories of all software components within a product. The CRA legally requires SBOMs for products with digital elements, while NIS2 mandates supply chain security. Specifically, the CRA requires manufacturers to create and maintain an SBOM in a commonly used, machine-readable format that includes, at minimum, top-level dependencies. The SBOM must be provided to market surveillance authorities upon request, though public disclosure is not required.
Germany's Federal Office for Information Security (BSI) has published the first member-state technical interpretation of those CRA SBOM obligations. BSI Technical Guideline TR-03183-2, updated to version 2.1.0 in August 2025, specifies that CRA-compliant SBOMs must include recursive dependency resolution and require licence references using SPDX identifiers. BSI requires a "delivery item SBOM" with recursive dependency resolution performed on each path, with the first external component identified at minimum by creator, name, version, and other unique identifiers.
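The minimum SBOM content described above (creator, name, version, SPDX licence identifiers, recursively resolved dependencies) can be checked mechanically before an SBOM is handed to a surveillance authority. The checker below is an added example and not tooling from the article, BSI or any MES vendor; it assumes a CycloneDX-style JSON layout, and the sample SBOM it inspects is constructed for illustration.

```python
"""Check an SBOM against the CRA/BSI TR-03183-2 minimums described above.
Assumes a CycloneDX-style JSON layout (an assumption, not stated by the article).
Returns findings instead of raising so a CI step can report all gaps at once."""
import json

# Constructed sample: a small MES analytics module whose dependency carries a
# free-text licence and points at a component that the SBOM never describes.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "mes-analytics", "supplier": {"name": "ExampleCorp"},
         "name": "mes-analytics", "version": "4.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "numlib", "supplier": {"name": "NumLib Project"},
         "name": "numlib", "version": "1.9.3",
         "licenses": [{"license": {"name": "custom terms"}}]},
    ],
    "dependencies": [
        {"ref": "mes-analytics", "dependsOn": ["numlib"]},
        {"ref": "numlib", "dependsOn": ["zlib-shim"]},
    ],
})

def check_sbom(sbom_json: str) -> list[str]:
    """Return a list of findings; an empty list means the minimums are met."""
    bom = json.loads(sbom_json)
    components = {c.get("bom-ref"): c for c in bom.get("components", [])}
    findings = []
    for ref, comp in components.items():
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{ref}: missing {field}")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing creator/supplier")
        # Licence must be an SPDX identifier ('id'), not a free-text 'name'.
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        if not any(ids):
            findings.append(f"{ref}: no SPDX licence identifier")
    # Recursive resolution: walk every dependency path and flag references
    # that do not resolve to a component described in this SBOM.
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen = set()
    def walk(ref):
        if ref in seen:
            return
        seen.add(ref)
        for dep in edges.get(ref, []):
            if dep not in components:
                findings.append(f"{ref}: dependency {dep} not described in SBOM")
            walk(dep)
    for root in components:
        walk(root)
    return findings
```

Running `check_sbom(SAMPLE_SBOM)` reports the free-text licence on `numlib` and the unresolved `zlib-shim` reference, the two gaps a BSI-style delivery item SBOM would have to close.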
The September 2026 reporting deadline is particularly pressing for MES operators running AI or ML components embedded in production analytics modules. From September 11, 2026, all manufacturers of products with digital elements - including OT systems - must report actively exploited vulnerabilities within 24 hours to ENISA and designated national CSIRTs, even for legacy products. Without SBOMs and a vulnerability management process already in place, compliance is not achievable.
The EU Data Act adds a parallel obligation. The EU Data Act (Regulation 2023/2854) became fully applicable on September 12, 2025 and mandates cloud switching procedures that eliminate vendor lock-in barriers. For manufacturers running single-vendor cloud MES platforms, this creates direct pressure to demonstrate portability and open interfaces - requirements that intersect with patch governance and software supply chain transparency obligations under the CRA.
Non-compliance carries material financial risk. Under the CRA, non-compliant products can attract fines of up to the higher of €15 million or 2.5% of global annual turnover. The intersection of CRA and NIS2 is particularly significant for manufacturers of smart factory equipment: the CRA requires secure design and documentation for each product model, while NIS2 requires the company itself to maintain robust security operations. Some organizations are responding by establishing dedicated Product Security Teams alongside traditional IT/OT security functions.
Germany and France face heightened risks as MES systems converge with IT and OT networks: ransomware and data breaches threaten sensitive manufacturing processes and demand robust security measures.
Outlook
The European Commission's CRA implementation roadmap includes initial guidance in early 2026, entry into application of conformity assessment body notification provisions on June 11, 2026, and the first standardization deliverables from CEN/CENELEC in Q3 2026. MES vendors and system integrators face pressure to certify platform components and deliver SBOM tooling ahead of those milestones. Threat activity is expected to intensify in 2026, with attackers shifting toward AI-driven campaigns and exploiting cloud, SaaS, and vendor ecosystems to launch broader attacks across industrial operations - a dynamic that reinforces the urgency of the EU's regulatory schedule for cloud MES operators across Europe's industrial base.