These acts will impact industry in 2026/27
EU regulation: Why industrial companies need to pay close attention now
Cyber Resilience Act, AI Act, NIS2 or CBAM: From early 2026, numerous new EU regulations will apply to companies. Some are already in force, others will follow over the course of the year, and 2027 is also already in the regulatory spotlight.
Interestingly, alongside introducing new regulations, the EU is at the same time discussing relief measures for businesses. This mix of regulation and deregulation makes planning and investment decisions more difficult. Many of the new rules have a direct impact on development, production, or digital infrastructure. Anyone who develops machines, equipment, or other products with software, uses international supply chains, or operates digital services must deal with a whole series of new requirements.
Many of these regulatory frameworks are interconnected. Digital security, data access, product liability, and sustainability requirements often affect the same products or supply chains. Companies therefore not only have to implement individual rules, but also further develop their compliance structures as a whole – from product development and IT security through to supply chain management.
Cybersecurity becomes part of product development
With the implementation of the NIS2 directive (EU 2022/2555), significantly stricter requirements for cyber risk management have applied since the end of 2025. The rules now cover not only traditional operators of critical infrastructure and operators of essential services, but also providers of digital services that were previously not covered by the regulations, such as cloud services, data centers, or online marketplaces. Security measures must be strengthened across the board and documented, and IT incidents must be reported within short deadlines. Applies to: operators of essential and important entities, especially medium-sized and large companies in critical sectors (e.g., energy, transport, healthcare, digital infrastructure).
The Cyber Resilience Act (CRA) (EU 2024/2847) intervenes even more strongly in product development. In the future, manufacturers must ensure that their products can be operated securely over their entire life cycle. The CRA has been in force since 2024. However, initial obligations, such as reporting obligations for security incidents, only apply from September 2026, and the full regulation from 2027. From June 11, 2026, a conformity assessment body (“notified body”) can check whether a product meets the security requirements of the Cyber Resilience Act and thus fulfills the conditions for CE marking. Applies to: manufacturers, importers and distributors of products with digital elements (e.g. software, IoT devices, machines with digital control systems).
Machinery regulation is getting closer
The new EU machinery regulation (EU 2023/1230) will gradually replace the previous machinery directive and will apply on a mandatory basis from 2027. The requirements for technical documentation and risk assessment are increasing. In addition, the growing digitalization of machinery is explicitly addressed. Among other things, the regulation contains new requirements for software and network security, for example for updates, as well as for autonomous functions and for the interaction between humans and machines. For companies with complex machinery or automated production systems, this may mean that existing conformity assessments have to be revised. Applies to: manufacturers, importers and distributors of machinery and safety-relevant machine components.
Data access and AI under regulation
There are also new obligations for handling data and artificial intelligence. The EU Data Act (EU 2023/2854) requires manufacturers of connected products to enable users to access the data generated by their devices. This also affects many industrial products such as machines, vehicles or IoT devices. From September 2026, new products must already be designed so that this data access is technically possible (“access by design”). Applies to: manufacturers of connected products, providers of related digital services, and data holders.
In parallel, the AI Act (EU 2024/1689) will impose extensive requirements for so-called high-risk AI systems starting in August 2026. Transparency is essential: AI-generated content must be clearly labeled, and the functioning of AI systems must be explainable. Providers are required to establish risk management, document training data and ensure that human control over AI decisions remains possible. Applies to: providers of AI systems as well as companies that use or place AI systems on the market.
Sustainability rules affect supply chains
In addition to digitalization, sustainability remains a key driver of regulation. On January 1, 2026, the CO₂ border adjustment mechanism CBAM (EU 2023/956) entered a new phase. For certain emissions-intensive imported goods, companies will in future have to purchase CO₂ certificates. The aim is to avoid distortions of competition caused by differing climate standards. Reporting obligations are also increasing. Applies to: companies that import certain CO₂-intensive goods from third countries into the EU (e.g. steel, cement, aluminum, fertilizers).
Under the Corporate Sustainability Reporting Directive (CSRD) (EU 2022/2464), companies must report for the first time for the 2025 financial year. To prevent so-called greenwashing, environmental claims may only be made if they can be verified with evidence. Applies to: large companies and listed companies with more than 1,000 employees.
Under the EmpCo Directive (“Empowering Consumers for the Green Transition”) (EU 2024/825), sustainability labels must be based on a recognized certification system or be established by public authorities. The federal government has already presented a draft bill to amend the Act Against Unfair Competition. Applies to: companies that advertise with environmental or sustainability claims.
Product liability and repair obligation
The new EU Product Liability Directive (EU 2024/2853), which must be transposed by December 2026, significantly expands the scope of liability. In future, it will explicitly also apply to digital products, software or AI systems, including software updates. If an injured party plausibly demonstrates that a product could have caused damage, a court can oblige the manufacturer to disclose relevant technical documentation. In parallel, the so-called right to repair is being strengthened. Manufacturers of certain product groups will in future have to provide spare parts and enable repairs over longer periods of time. Applies to: manufacturers, importers and distributors of products, including software and AI systems.
Regulation becomes a management task
At the same time, the EU is promising to reduce regulatory burdens for companies in other areas and is not ruling out simplifications of rules that have already been adopted. However, as long as it remains unclear whether individual requirements will be postponed, companies must provisionally plan for the originally scheduled dates. For many companies, regulation is thus becoming a strategic management task. Those who analyze at an early stage which requirements are actually relevant can integrate new obligations into existing processes before they turn into an operational problem.