A converging wave of EU legislation is reshaping how manufacturers procure, deploy, and audit cloud-native Manufacturing Execution Systems (MES) in operational technology (OT) environments, imposing new security, data governance, and vendor-contract obligations on both operators and software providers.
The regulatory pressure stems from four overlapping instruments: three that are entering their enforcement phases at roughly the same time (the NIS2 Directive, the Cyber Resilience Act (CRA) and the EU Data Act) and a fourth, the Cloud and AI Development Act (CADA), that is still only a forthcoming Commission proposal. Together they establish what legal analysts at Reed Smith describe as "an entire ecosystem of overlapping requirements" that industrial operators must navigate in parallel.
Background
The NIS2 Directive establishes a unified legal framework for cybersecurity across 18 critical sectors in the EU. Beyond the sectors already covered by the original NIS Directive (NIS1), the updated rules extend to the manufacture of certain critical products, among other domains. Member states were required to transpose NIS2 into national law by October 17, 2024, though as of June 30, 2025, only 14 had fully done so. The European Commission continues infringement proceedings against 13 member states, including Germany, France, Spain and Poland, for failing to complete transposition on time. For an operator, the practical consequence is that the national law, supervisory authority and incident-reporting procedure that apply to a given plant depend on where transposition stands in that member state, not on the directive's own deadline.
The Cyber Resilience Act entered into force on December 10, 2024. Its main obligations apply from December 11, 2027, and its reporting obligations (notification of actively exploited vulnerabilities and severe incidents) take effect on September 11, 2026. The CRA introduces mandatory cybersecurity requirements for manufacturers covering the planning, design, development and maintenance of products with digital elements, obligations that must be met at every stage of the value chain. For MES vendors the decisive question is scope: the CRA covers products with digital elements and the "remote data processing" they depend on, meaning processing at a distance without which the product could not perform one of its functions, while software offered purely as a service is in general left to NIS2 rather than the CRA. An MES delivered as cloud-native SaaS into an OT environment therefore comes within the CRA to the extent that it is remote processing required by an in-scope product (an edge gateway, a controller, an on-premises agent) to do its job; vendors should document that scope determination rather than assume either full coverage or full exemption.
The EU Data Act entered into force on January 11, 2024, and became fully applicable on September 12, 2025. It establishes switching and interoperability requirements for data processing services, covering IaaS, PaaS and SaaS alike, with the aim of reducing vendor lock-in: providers must remove contractual, technical and commercial obstacles to switching and must export customer data, including metadata, in a structured, commonly used and machine-readable format. Switching charges, including data egress fees, must be eliminated entirely from January 12, 2027.
Details
For manufacturers deploying cloud-native MES on OT networks, the CRA's secure-by-design mandate intersects directly with the industrial cybersecurity standards already in use. Most operators and vendors anchor their programmes on frameworks such as the NIST Cybersecurity Framework and ISA/IEC 62443; of the latter, the secure development lifecycle requirements of IEC 62443-4-1 and the component requirements of IEC 62443-4-2 map most naturally onto the CRA's essential requirements, although conformity with the CRA itself will be assessed against the harmonised standards the Commission adopts for it, not against 62443 as such. Fines for non-compliance with the CRA's essential cybersecurity requirements can reach €15 million or 2.5% of worldwide annual turnover, whichever is higher, according to the regulation's text.
The Data Act's anti-lock-in provisions carry direct procurement implications: MES contracts signed from now on need explicit data-portability, export-format and exit terms, because the law requires them and because an auditor will ask for them. Provider selection is also narrowing. The EU's emerging cloud certification regime and the associated digital sovereignty policies are formally non-mandatory in some respects, but combined with NIS2 and the Data Act they create legal pathways for national authorities to require that regulated businesses use only EU-certified providers. Data residency alone does not settle the question: a service hosted in an EU data center may still be subject to laws from outside the EU, such as the US CLOUD Act, which can compel a provider under US jurisdiction to hand over customer data regardless of where it is stored. For regulated industries this is a growing concern, and the provider's corporate jurisdiction, not just the region of the data center, belongs in the risk assessment.
OT security vendors are adapting their platforms to address these converging demands. Rockwell Automation, TXOne Networks, Industrial Defender and Radiflow continue to gain traction in high-demand industrial sectors through asset governance, policy enforcement and compliance-driven OT services. Rockwell completed the integration of Plex into FactoryTalk in December 2025, creating a unified cloud-edge MES suite; the platform signed 87 new customers on the strength of real-time IIoT data threads. Verve Industrial Protection, acquired by Rockwell in 2023, was rebranded as SecureOT and adds OT-specific vulnerability management to the stack. On the monitoring side, Nozomi Networks was named a Leader in the 2025 Gartner Magic Quadrant for CPS Protection Platforms. According to Nozomi Networks' threat intelligence data covering the second half of 2025, transportation and manufacturing remained the first and second most targeted sectors for the full calendar year.
Supply chain assurance is also under scrutiny. Compliance requirements around supply chain cybersecurity intensified in 2025, and the exposure is not theoretical: a global survey of CISOs found 88% of organizations concerned about cyber risk from their supply chain, with more than 70% having experienced a significant cybersecurity incident originating from a third party in the past year. Under NIS2 that exposure becomes an obligation on the operator, which must manage supply chain security and the security of its relationships with direct suppliers and service providers, MES vendors included.
The EU is also advancing longer-term cloud infrastructure legislation. In 2026 the Commission plans to propose the Cloud and AI Development Act, which aims to at least triple EU data center capacity within five to seven years. To strengthen Europe's digital sovereignty in the cloud sector, the Act is intended to work in tandem with a proposed single EU-wide cloud policy for public administrations and public procurement, fostering the growth of European cloud providers and prioritizing highly secure cloud capacity for critical use cases.
Outlook
A significant convergence point identified in the EU's Cybersecurity Act review is the need to harmonize definitions and reporting requirements across the major EU acts (NIS2, the CRA and GDPR) and to establish a single EU incident notification platform, so that one incident does not have to be reported three times in three formats. As the enforcement timelines for NIS2, DORA and the CRA unfold in parallel, the EU is forging a tightly interwoven cybersecurity regulatory framework spanning operational resilience, product security and governance accountability. For MES vendors and manufacturing operators, audit readiness, contractual data-portability provisions and OT-aligned secure-by-design certification will define procurement decisions through 2027 and beyond.
