The European Commission's January 2026 cybersecurity legislative package introduces binding obligations for operational technology (OT) environments in critical manufacturing, bringing industrial control systems, open-source software components, and software supply chains under heightened regulatory scrutiny for the first time.
Background
The package - which includes a revised Cybersecurity Act and targeted amendments to the NIS2 Directive - builds on a regulatory trajectory that has accelerated since adoption of the EU Cyber Resilience Act (CRA) in late 2024. The CRA entered into force on 10 December 2024, with vulnerability reporting obligations taking effect from 11 September 2026 and full compliance - including mandatory Software Bill of Materials (SBOM) requirements - required by 11 December 2027. Alongside the CRA, the revised Cybersecurity Act was formally proposed on 20 January 2026 and aims to prevent fragmentation across the EU's digital single market while enhancing the security of ICT supply chains.
Critically for metalworking and processing plants, the revised framework establishes dedicated certification pathways for OT environments and industrial control systems. The updated Cybersecurity Act introduces tiered assurance levels - basic, substantial, and high - aligned with risk profiles and technical requirements. Manufacturers operating programmable logic controllers (PLCs), SCADA systems, vision inspection platforms, and automation software stacks now face explicit obligations where previously guidance was voluntary or sector-inconsistent.
NIS2, which expanded coverage to 18 critical sectors, including manufacturing, and repealed its predecessor with effect from 18 October 2024, was further amended on 20 January 2026 to increase legal clarity and simplify compliance for an estimated 28,700 companies, including 6,200 micro and small-sized enterprises.
Key Requirements and Industry Response
The central technical obligation driving concern on the shop floor is the SBOM mandate. Under the CRA, manufacturers of products with digital elements must create and maintain a Software Bill of Materials in a commonly used, machine-readable format - at minimum covering top-level software dependencies - and make it available to market surveillance authorities on request. For plants running mixed-vendor automation environments, this requirement extends to embedded firmware, third-party libraries, and open-source components integrated into OT stacks.
The open-source dimension is drawing particular attention. The CRA requires manufacturers to report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them, a requirement that applies to legacy products placed on the market before 11 December 2027 as well as new releases. Plants relying on open-source machine vision libraries or custom SCADA integrations built on community software must now establish continuous vulnerability monitoring and defined patching cadences to meet these timelines.
ENISA has opened a public consultation on SBOM implementation guidance and published a draft 84-page report noting that SBOMs should function not only as static compliance artifacts but as dynamic operational intelligence assets supporting forensic analysis, patch targeting, and supply chain integrity verification.
The financial stakes are material. Non-compliance with the CRA carries penalties of up to €15 million or 2.5% of global annual revenue, whichever is higher. NIS2 enforcement, meanwhile, carries administrative fines of up to €10 million or 2% of global annual turnover, with management bodies personally accountable for compliance failures.
The compliance burden for OT environments is compounded by the age of installed equipment. OT assets typically remain in production for 20 to 30 years, meaning SCADA systems commissioned as early as 2005 may still govern active production lines while running outdated operating systems that lack basic patching capabilities. Industry experts, including analysts at SANS Institute, have flagged that generic IT incident response frameworks cannot directly substitute for ICS-specific procedures in these environments, particularly where containment decisions may require halting production or switching to manual control.
Outlook
The first hard compliance deadline under the EU's current cybersecurity framework falls on 11 September 2026, when vulnerability reporting to ENISA becomes mandatory for all manufacturers of products with digital elements sold in the EU. For critical manufacturing sites, this means SBOM infrastructure, internal escalation paths, and ENISA notification workflows must be operational before that date - independent of the December 2027 full-compliance deadline. Policymakers have signaled support for harmonized SBOM data formats, with CycloneDX and SPDX emerging as the leading machine-readable standards aligned with both EU and U.S. regulatory requirements. Manufacturers integrating digital twin and AI vision initiatives will need to demonstrate that the software components underpinning those systems carry traceable provenance and comply with the same patching and disclosure obligations as production-line OT systems.
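As an added illustration, not part of this article or of any regulator's tooling, the script below reads a constructed CycloneDX-style SBOM for a mixed-vendor OT cell, checks the minimum content the CRA expects (a name and version for every top-level component), and compares each component against a constructed fixed-version list, the patch-targeting use of an SBOM that the ENISA draft describes. Component names, versions and the fix list are all invented sample data.

```python
"""Match a CycloneDX-style SBOM against a list of known fixed versions."""
import json

# Constructed sample SBOM (CycloneDX 1.5 JSON layout) for an OT cell:
# PLC firmware, an open-source vision library and a custom SCADA bridge.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "firmware", "name": "plc-runtime", "version": "3.2.1",
     "supplier": {"name": "ExampleAutomation"}},
    {"type": "library", "name": "opencv-python", "version": "4.5.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "application", "name": "scada-bridge", "version": "1.0.0"}
  ]
}
"""

# Constructed advisory data: component name -> first version carrying the fix.
KNOWN_FIXES = {"opencv-python": "4.5.3", "plc-runtime": "3.3.0"}


def parse_version(text):
    """Turn a dotted numeric version such as '4.5.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_text):
    """Parse the SBOM and enforce the minimum name/version content per component."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components", [])
    incomplete = [c.get("name", "<unnamed>") for c in components
                  if not c.get("name") or not c.get("version")]
    if incomplete:
        raise ValueError(f"components lacking name/version: {incomplete}")
    return components


def affected_components(sbom_text, fixes):
    """Return (name, installed, fixed) for every component below its fixed version."""
    hits = []
    for comp in load_components(sbom_text):
        fixed = fixes.get(comp["name"])
        if fixed and parse_version(comp["version"]) < parse_version(fixed):
            hits.append((comp["name"], comp["version"], fixed))
    return hits
```

Running `affected_components(SBOM_JSON, KNOWN_FIXES)` lists the two outdated components, while an SBOM whose components lack a version is rejected before any matching happens.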
