• 02/08/2026
  • Article

Which laws and regulations will be relevant for industry in 2026?

When the new EU Machinery Regulation, NIS2, AI Act, CSRD, and others come into effect, regulation will become a top priority for operators: Those who do not understand the obligations imposed by Brussels and Berlin on production, IT/OT security, energy efficiency, and supply chains now risk fines, liability, and competitive disadvantages. Here is an overview of important new EU and federal requirements for the manufacturing industry, deadlines and thresholds, and tips for compliance over the next two to three years.

Written by Marius Schaub

Many decisions affecting industry are made in Brussels. Numerous legal requirements will also come into effect in 2026.

In February, the new year no longer feels so new – especially in turbulent times like these. But even though everyday life presents more than enough challenges, companies should pay attention to what is happening in terms of legislation and regulations. This is because both German lawmakers and the European Union have new developments in store that the industry must adapt to.

Although this list cannot claim to be exhaustive, here we provide information about laws and regulations that will come into force or be applied in 2026 and beyond – specifically in the areas of

  • Product safety & digitalization,
  • Sustainability, energy & climate, and
  • Supply chains & corporate responsibility.

Product safety & digitalization: Machinery Directive, AI Act, NIS2, and more

Manufacturers must ensure that their machines, systems, and safety components are safe and that software also meets safety and security requirements. Artificial intelligence is a new addition in this regard. In general, legislators are placing greater emphasis on cybersecurity and data protection.

The EU Machinery Regulation

The new EU Machinery Regulation (EU) 2023/1230 will replace the previous Machinery Directive 2006/42/EC on January 20, 2027, and will then apply directly in all member states. It was adopted by the European Parliament and Council and modernizes the legal framework for machinery, equipment, safety components, and increasingly also software as a safety function.

For manufacturers and operators in industry, this means that CE processes, risk assessments, and technical documentation must be aligned with the new requirements in good time – particularly with regard to functional safety, industrial security, and the legally compliant handling of “significant changes” to existing machinery.

Those who adapt their procurement and retrofit strategies at an early stage and establish clear internal rules for modifications will reduce liability risks, avoid downtime, and ensure the conformity of their plant inventory beyond 2027.

The EU AI Act

The EU AI Act has been in force since August 1, 2024, introducing a risk-based legal framework for artificial intelligence in Europe. Bans on “unacceptable” AI practices have been in effect since February 2, 2025, followed by governance rules for providers of general-purpose AI since August 2, 2025. From August 2, 2026, the core obligations for high-risk AI systems will take effect, with an extended transition period until August 2, 2027, for AI used as a safety component in regulated products such as machines.

For manufacturers and operators in industry, this means that AI applications in areas such as quality control, predictive maintenance, process optimization, access control, or human resources processes must be reviewed to determine whether they are classified as high-risk systems. In these cases, the requirements for data quality, testing and validation, documentation, human oversight, and transparency increase significantly – and where AI takes on safety functions, the AI Act and the EU Machinery Regulation must be considered in close conjunction.

The NIS 2 Directive

The EU's NIS 2 Directive and the German NIS 2 Implementation Act, which has been in force since December 6, 2025, elevate cybersecurity to the level of a regulated compliance obligation – far beyond traditional KRITIS operators. In addition to energy, transportation, and healthcare, many manufacturing companies and industrial equipment suppliers are now also coming into focus, classified as “important” or “particularly important” facilities depending on their employee and revenue thresholds.

For these companies, structured information security risk management, emergency and business continuity concepts, technical and organizational security measures in IT and OT, supply chain security, and closely timed reporting obligations for security incidents are mandatory. Management bears explicit responsibility and must monitor the appropriateness and effectiveness of the measures.

For operators of production facilities, this means that OT security, patch and asset management, backup concepts, and crisis processes are no longer best practices, but legally required standards – with corresponding risks of fines for non-compliance.

Cybersecurity for industry at it-sa: the home of IT security

IT security, cyber threats, security for critical infrastructures – anyone involved in industrial security in data processing cannot ignore it-sa. The trade fair is one of the world's largest dialogue platforms for industry-specific IT security solutions. It brings experts together in Nuremberg and, with its current topics, specialist forum contributions, and inspiring presentations, is a trend barometer for the entire IT security market.

The next it-sa will take place from October 27 to 29, 2026, at the Nuremberg Exhibition Center. Want to be there? Then join the it-sa 365 community now so you don't miss any updates!

The EU Data Act

The EU Data Act has been in force since January 11, 2024, and is being gradually implemented starting September 12, 2025, or, for certain product specifications, starting in 2026. Its core principle is that users of connected products – such as machines, systems, or industrial IoT devices – have a legal right to access the data generated by these systems and can also make this data available to third-party providers.

For machine and plant manufacturers, this means that they must adapt their data and cloud strategies and contracts (e.g., as-a-service models, platform use, remote services), open interfaces, and establish clear rules for data use, security, and confidentiality.

This gives operators bargaining power and new opportunities for data-based services, maintenance, and process optimization – but at the same time, they must organize governance, IT compliance, and know-how protection in a much more professional manner.

Sustainability, Energy & Climate: CSRD, Energy Efficiency, Digital Product Passport

There have been signs of fatigue recently when it comes to sustainability and resource conservation. However, setbacks such as postponing the ban on combustion engines or less ambitious climate targets do not mean that EU countries are losing their focus on sustainability. Companies must therefore be prepared for changes in this area as well.

Corporate Sustainability Reporting

The Corporate Sustainability Reporting Directive (CSRD) and the associated European Sustainability Reporting Standards (ESRS) significantly expand sustainability reporting in the EU and affect far more companies than the previous Non-Financial Reporting Directive. Gradually, starting in the reporting years 2024 to 2028, large capital market-oriented companies will be required to comply, followed by other large corporations and limited liability partnerships, and later also capital market-oriented SMEs and certain non-EU groups.

For many manufacturing companies, this means that sustainability will become an auditable reporting element on a par with the financial section – including detailed information on climate and energy, emissions, resource and water use, waste, occupational safety, and the supply chain.

Operationally, this increases the pressure on plants and production areas to provide reliable, auditable data on energy management, environmental indicators, and occupational safety, and to document processes in such a way that they can withstand an audit. Even companies that are not (yet) directly subject to reporting requirements are being drawn into the CSRD maelstrom by customer requirements and supply chain questionnaires: suppliers who cannot provide their ESG data risk competitive disadvantages in tenders and framework agreements in the medium term.

The German Energy Efficiency Act

The German Energy Efficiency Act (EnEfG) has been in force since November 18, 2023, and tightens the requirements for companies with high energy consumption. Companies whose final energy consumption exceeds certain thresholds – typically 7.5 GWh per year – must introduce a certified energy or environmental management system (such as ISO 50001 or EMAS) within defined deadlines, systematically record their energy consumption, and identify, plan, and regularly report on specific efficiency measures.

For energy-intensive production sites, this means that energy monitoring, measurement concepts, waste heat utilization, and efficiency projects will become a legal requirement. Those who skillfully combine the requirements with existing initiatives on climate strategy, CSRD reporting, and cost reduction can translate the additional effort into a structured decarbonization and modernization path for their plants. Those who react too late, on the other hand, risk not only higher energy costs but also fines and damage to their reputation.

CO2 border adjustment and emissions trading

The EU's Carbon Border Adjustment Mechanism (CBAM) and the parallel reform of emissions trading are making CO2 costs for energy-intensive materials much more visible – long before they reach the chimney of your own plant. A transition phase has been underway since October 1, 2023, during which importers of cement, iron and steel, aluminum, fertilizers, electricity, and hydrogen are initially only required to report emissions. The financial phase will begin on January 1, 2026, when CBAM certificates will gradually have to be purchased and surrendered for these imports, parallel to the phasing out of free ETS certificates in the EU.

For operators, this means that the CO2 footprint of raw materials is increasingly becoming a cost and competitive factor. Purchasing, supplier selection, material substitution, and companies' own decarbonization strategies are becoming more closely linked. Those who create transparency about emissions in the supply chain at an early stage and factor CO2 costs into their investment and location decisions will gain an advantage over less prepared competitors.

Ecodesign and digital product passport

The Ecodesign for Sustainable Products Regulation (ESPR) extends the existing ecodesign framework for energy-related appliances to almost all physical products and has been in force as a regulation in the EU since July 2024. Specific requirements are now being introduced gradually via delegated acts for individual product groups – including, in the future, machines, components, and spare parts. The central instrument is the digital product passport, through which manufacturers will in future have to provide structured information on material composition, reparability, durability, recycled content, and environmental performance.

For machine builders and suppliers, this means that product development, parts lists, material data, and technical documentation must be geared toward the circular economy and data provision at an early stage. Operators will benefit in the long term from greater transparency for maintenance, spare parts management, modernization, and dismantling – but will have to adapt their own asset and spare parts strategies to the new information flows.

Corporate responsibility: Supply chains & due diligence

After the German Supply Chain Act came into force, politicians at the federal level suddenly backtracked. In the meantime, there have been calls for Germany to scale back or even completely abandon its due diligence obligations. However, as long as these remain only calls, companies must continue to comply with the applicable German regulations.

The German Supply Chain Act

With the German Supply Chain Due Diligence Act (LkSG), which has been in force since 2023 for companies with 3,000 or more employees and has applied to companies with 1,000 or more employees from 2024, human rights and selected environmental risks in the supply chain have moved from the CSR niche to a strict legal framework. Companies must conduct risk analyses, establish prevention and remedial measures, set up complaint procedures, and report regularly to the Federal Office for Economic Affairs and Export Control (BAFA) – with significant penalties for violations.

The EU Corporate Sustainability Due Diligence Directive

The EU-wide harmonized Corporate Sustainability Due Diligence Directive (CSDDD), which will be transposed into national law in the coming years, goes even further: it also includes large non-EU companies with high EU turnover, requires the establishment of climate plans, and increases liability and sanction risks.

For manufacturing companies, this means that purchasing, supplier management, and quality/ESG management must work more closely together. Those who establish clean processes, transparent supply chains, and reliable data today will be much better equipped for both LkSG audits and the upcoming CSDDD, while also reducing reputation and supply risks.

When is the bus coming?

A special feature of current EU regulation is the use of omnibus regulations or directives, which not only create new individual laws but also amend a whole series of existing legal acts at the same time. In the context of the Machinery Regulation, AI Act, NIS2, Data Act, CSRD, CBAM, and ESPR, this means, for example, that obligations for operators appear not only in the “main law” but often also in accompanying amendments to other regulations – for example, in product law, energy law, or reporting obligations.

It is therefore crucial for companies not only to be aware of the overarching themes of the major regulatory packages, but also to examine the omnibus amendments in their specific laws so as not to overlook any silent but effective tightening of regulations.

Conclusion: A structural change that offers opportunities

The coming years will not bring a “normal” regulatory cycle for the manufacturing industry, but rather a genuine structural change: the Machinery Regulation, AI Act, NIS2, Data Act, CSRD, LkSG/CSDDD, EnEfG, CBAM, and ESPR are all intertwined and make security, digitalization, sustainability, and responsibility for supply chains legally binding core tasks. Those who continue to treat these issues in isolation as individual projects run the risk of getting bogged down and incurring fines, liability risks, and competitive disadvantages.

At the same time, this consolidation of requirements presents an opportunity: Companies that adopt an integrated approach early on, clearly define responsibilities, and leverage synergies – for example, in data collection for CSRD, EnEfG, NIS2, and ESPR – can make their production more transparent, efficient, and resilient. Regulation then becomes not just a burden, but a driver for modern, secure, and sustainable factories in Europe.

Author

Marius Schaub