A convergence of EU legislation - spanning the Cyber Resilience Act (CRA), NIS2, the EU Data Act, and the Cloud Sovereignty Framework - is reshaping compliance requirements for manufacturers deploying cloud-native manufacturing execution systems (MES) and accelerating OT/IT integration. The combined effect of these overlapping frameworks is forcing manufacturers, MES vendors, and system integrators to rethink vendor selection, audit readiness, and cross-border data governance, with the most immediate deadlines now less than 16 months away.

Background

The EU's regulatory overhaul of digital infrastructure and industrial software has been building since 2024. The CRA entered into force on 10 December 2024, with main obligations applying from 11 December 2027 and reporting obligations beginning 11 September 2026. The EU Data Act entered into force on 11 January 2024 and became fully applicable on 12 September 2025. On 20 January 2026, the European Commission proposed a new cybersecurity package to further strengthen EU resilience, including amendments to the NIS2 Directive.

Separately, in October 2025, the European Commission launched a EUR 180 million tender for sovereign-ready cloud services. The tender operationalizes strict criteria for data autonomy and security in public procurement, compelling both global providers and European firms to meet enforceable standards. It is the first to directly implement the Cloud Sovereignty Framework, which mandates measurable standards in data localisation, operational control, legal jurisdiction, transparency, and supply chain security.

The EUCS framework, combined with the NIS2 Directive and the Data Act, creates legal pathways for national authorities to require businesses to use only EU-certified cloud providers.[1] For manufacturers operating cloud-native MES platforms, this layered architecture creates intersecting obligations that cannot be addressed in isolation.

Key Compliance Obligations Affecting Cloud MES and OT/IT Convergence

The CRA introduces requirements with direct implications for MES software vendors and industrial software components. It legally requires a machine-readable Software Bill of Materials (SBOM) for all products with digital elements placed on the EU market, with full compliance mandatory by 11 December 2027. The SBOM must use a commonly accepted, machine-readable format and include, at minimum, the top-level dependencies of the product. Manufacturers must incorporate the SBOM into their technical documentation and provide it to market surveillance authorities upon request.

From 11 September 2026, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours. Additional details must follow within 72 hours, and a final vulnerability report is due no later than 14 days after a security update or workaround becomes available. For MES platforms with embedded OT-facing software components - including SCADA connectors, edge agents, and production control interfaces - these obligations apply to the product itself, not just the IT perimeter.

On supplier risk, the CRA requires manufacturers to vet suppliers and software vendors for security posture against standards such as ISO 27001 or IEC 62443, embed security requirements in contracts, and define responsibilities for patches and incident notifications. The revised Cybersecurity Act also aims to reduce risks in the EU's ICT supply chain from third-country suppliers with cybersecurity concerns.

Data sovereignty requirements add a further layer of complexity. Unlike the General Data Protection Regulation (GDPR), which focuses on personal data protection, the EU Data Act addresses non-personal and industrial data. It prohibits unlawful third-country access to non-personal data stored or processed in the EU, extending sovereignty obligations to strategic, industrial, and operational datasets. The US CLOUD Act's extraterritorial data access provisions contradict EU data sovereignty principles, as US cloud providers remain subject to American legal demands regardless of where data is physically stored. This tension is particularly acute for mid-sized manufacturers using hyperscaler-hosted MES platforms.

An estimated 97% of Europe's cloud infrastructure market is dominated by non-European providers, according to industry research, underscoring European industry's reliance on foreign technology for critical data operations.

The New Cybersecurity Package, introduced by the European Commission in January 2026, represents a significant legislative shift toward securing the Union's critical infrastructure. It provides a horizontal framework designed to address ICT supply chain security risks as global cybercrime costs exceeded EUR 9 trillion in 2025.

Outlook

On 20 January 2026, the Commission proposed targeted amendments to the NIS2 Directive to increase legal clarity, simplify compliance, and ease the regulatory burden for an estimated 28,700 companies, including 6,200 micro and small-sized enterprises. For mid-sized manufacturers, this simplification may reduce transposition friction, but core obligations - incident response readiness, SBOM documentation, supplier vetting, and data sovereignty controls - remain intact.

Major providers are likely to accelerate compliance announcements and joint ventures. However, buyers face uncertainty as a patchwork of sovereignty levels emerges among competing offerings. Market fragmentation carries a realistic possibility of higher costs and operational challenges, especially for SMEs and niche providers. MES vendors targeting EU manufacturing customers will face mounting pressure to align product architectures with the CRA's SBOM and incident reporting obligations ahead of the September 2026 reporting deadline - a milestone that is now imminent.