2026 Regulatory Changes Reshaping Manufacturing Supply Chains

Blog
January 30, 2026

Manufacturing organizations are heading into 2026 with more requirements placed on suppliers and less flexibility when information is late or incomplete. New and updated regulations touch carbon reporting, product cybersecurity, traceability, and liability. While the topics differ, the expectations are similar.

Regulators expect manufacturers to know which suppliers are in scope, to collect specific information from them, and to produce that information quickly when asked. In most cases the manufacturer depends on its first-tier suppliers for that information, but the obligation to the regulator stays with the manufacturer. If those suppliers are not ready, the manufacturer still carries the risk.

For third-party risk management and supply chain teams, this means supplier oversight must be more consistent and more repeatable than it has been in the past.

Below is a practical overview of the main manufacturing industry 2026 regulatory changes and what they mean for day-to-day third-party or supplier risk management.

EU Carbon Border Adjustment Mechanism (CBAM)

Effective January 1, 2026

CBAM's transitional, reporting-only phase ended on December 31, 2025. From 2026, companies importing covered goods (iron and steel, aluminium, cement, fertilisers, hydrogen and electricity) into the EU must be authorised CBAM declarants, declare the embedded emissions of those goods (verified actual data, or default values where actual data is unavailable), and surrender CBAM certificates for them. For manufacturers, this means emissions data must be collected from suppliers and maintained as part of normal supplier oversight.

Embedded emissions are determined at the installation that produced the goods, which may sit one or more tiers upstream of the direct supplier. The declarant is still the party that files, so regulators expect manufacturers to obtain reliable, verifiable figures from their direct suppliers rather than estimates.

What this means for TPRM

  • Emissions data becomes required supplier documentation.
  • Data must be consistent, updated over time, and available for review.
  • Supplier contracts need to support ongoing reporting.

Action Items

  • Identify which Tier 1 suppliers fall under CBAM.
  • Define what emissions documentation is required and how often it must be updated.
  • Update contracts to require emissions reporting and cooperation.
  • Store submissions so previous versions can be referenced if needed.

EU Cyber Resilience Act (CRA)

Reporting obligations begin September 11, 2026; the remaining obligations, including the essential cybersecurity requirements, apply from December 11, 2027

The Cyber Resilience Act applies to products with digital elements placed on the EU market and requires their manufacturers to report actively exploited vulnerabilities and severe incidents affecting product security: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report (within 14 days of a fix being available for a vulnerability, within one month of the notification for an incident), submitted through the single reporting platform operated by ENISA. For manufacturers, this pulls suppliers into the spotlight, especially those providing components, firmware, software libraries, and embedded services, because a 24-hour clock leaves no room for a supplier that takes a week to answer.

Two related developments help explain why this matters and why timelines are tightening:

  • NIS2 (EU) is raising expectations around supply-chain cybersecurity. Even when a specific manufacturer is not directly in scope, customers and auditors increasingly expect clear supplier security requirements and ongoing oversight, not one-time reviews.
  • CIRCIA (US) will require covered entities in critical infrastructure sectors to report substantial cyber incidents to CISA within 72 hours, and ransom payments within 24 hours, once CISA's final rule takes effect. If a supplier incident affects operations, that clock starts quickly, which makes supplier notification and escalation speed a practical requirement.

During an incident, the questions are basic but urgent: what is affected, which products, which suppliers, what mitigation is in progress, and what the timeline looks like. The ability to answer depends on first-tier supplier responsiveness and a tested escalation path.

TPRM implications

  • Supplier SLAs for vulnerability disclosure and incident notification become essential.
  • Tier 1 suppliers need the ability to identify affected components quickly.
  • Evidence of actions and timing must be captured and retained.

Action items

  • Review supplier contracts to confirm notification timelines, escalation contacts, and required detail.
  • Require suppliers to provide impact scope, mitigations, and next update timing, not just alerts.
  • Maintain product-to-supplier dependency mapping for critical products.
  • Run incident response walkthroughs with critical suppliers to validate speed and completeness.

EU Deforestation Regulation (EUDR)

Applies December 30, 2026

EUDR requires companies placing certain commodities (cattle, cocoa, coffee, oil palm, rubber, soya, wood) and products derived from them on the EU market, or exporting them, to show that the goods are deforestation-free and were produced legally. This relies on traceability and due diligence information provided by suppliers, including the geolocation of the plots where the commodity was produced.

Manufacturers are expected to obtain this information from their direct suppliers and ensure it relates to the actual shipments or material lots concerned, not to the supplier's operations in general.

What this means for TPRM

  • Traceability documents become standard supplier records.
  • Information must be tied to specific goods, not general statements.
  • Not all suppliers carry the same level of risk.

Action Items

  • Identify suppliers and materials that fall under EUDR.
  • Define traceability requirements based on risk.
  • Require suppliers to provide documentation with shipments where needed.
  • Decide in advance how to handle missing or incomplete information.

EU Machinery Regulation

Applies January 20, 2027, preparation during 2026

Regulation (EU) 2023/1230 replaces the Machinery Directive and adds cybersecurity to machinery safety: control systems and safety-related software must resist corruption, whether accidental or malicious, and that covers software updates and remote connections to the machine. Many manufacturers rely on suppliers for equipment, firmware, and maintenance services.

If a supplier controls updates or access, their practices affect compliance.

What this means for TPRM

  • Equipment and system suppliers become part of compliance efforts.
  • Documentation related to updates and security becomes important.
  • Responsibility for fixes and updates must be clear.

Action Items

  • Identify suppliers that provide machinery or remote access.
  • Request documentation on update and security practices.
  • Clarify responsibilities for fixing issues and applying updates.
  • Keep documentation accessible for review.

EU Product Liability Changes

Directive (EU) 2024/2853 adopted in 2024; member states must transpose it by December 9, 2026

The revised Product Liability Directive treats software, including standalone software and digital manufacturing files, as a product, and extends liability to related digital services and to defects that arise after placing on the market, such as a missing security update the manufacturer controls. It also lets courts order disclosure of evidence and presume a product defective when that evidence is not produced, so supplier documentation and response behavior can directly affect liability outcomes.

What this means for TPRM

  • Suppliers providing software or digital services require closer oversight.
  • Change history and testing records become more important.
  • Delays or gaps in supplier response increase risk.

Action Items

  • Identify suppliers providing software or digital components.
  • Require basic documentation on testing and updates.
  • Ensure contracts require cooperation during investigations.
  • Review supplier performance at key product milestones.

EU Artificial Intelligence Act

Phased application from 2025 through 2027; most high-risk obligations apply from August 2, 2026, and those for AI embedded in regulated products such as machinery from August 2, 2027

Manufacturing organizations using AI for quality checks, robotics, or maintenance often rely on vendor systems. The AI Act introduces expectations around transparency and monitoring, and where an AI system is a safety component of machinery it is classified as high-risk: the provider must supply risk management, technical documentation, logging, and human oversight, and the deployer must use the system according to its instructions and monitor it in operation.

What this means for TPRM

  • AI suppliers may need to provide risk and performance information.
  • AI use cases may require additional oversight.
  • Issues involving AI behavior may require escalation.

Action Items

  • Identify suppliers providing AI-based tools.
  • Define what information is needed based on how the AI is used.
  • Include AI considerations in supplier reviews.
  • Clarify how issues are reported and handled.

What to Expect Beyond 2026

Looking ahead, several trends are likely to continue:

  • More requirements are tied to digital components and software updates.
  • Greater coordination between sustainability, cybersecurity, and supplier teams.
  • Shorter timelines for reporting incidents or providing documentation.
  • More frequent follow-ups from regulators.

Preparing for these patterns reduces last-minute work when new rules take effect.

How These Requirements Fit into the TPRM Lifecycle

Planning
Match suppliers to the right rules, then set evidence standards up front.

  • Example: Flag suppliers in scope for CBAM or EUDR and define exactly what emissions files or traceability documents are acceptable.

Onboarding
Collect the baseline evidence early and confirm timing expectations for cyber reporting.

  • Example: Require EUDR shipment or lot traceability documentation at onboarding, not six months later.

Contracting
Make refresh, notification, and cooperation requirements enforceable in the contract.

  • Example: Add CRA incident notification timelines plus the required details: scope, mitigation, and next update time.

Ongoing Monitoring
Refresh the specific evidence that changes over time, and track what changed and when.

  • Example: Set a cadence to refresh CBAM emissions data and re-collect EUDR documents when sourcing shifts.

Incident Response
Be able to identify impacted suppliers and products fast, and document actions as they happen.

  • Example: When a vulnerability is reported under CRA, pull the supplier component list and log the notification timeline and mitigation steps.
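As an added example (not Certa's code and not from any regulator), the lookup described in the CRA action items above and in this incident-response step, in Python: a small set of constructed CycloneDX-style product SBOMs is searched for the component named in a constructed advisory, the suppliers to notify are derived from the hits, the CRA Article 14 clocks are computed from the moment of awareness, and an append-only evidence log is started. Product, component, supplier and advisory names are invented, and the version comparison is a deliberate simplification.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not from any real product): one CycloneDX-style SBOM per
# shipped product. Field names follow CycloneDX 1.5 JSON (metadata.component,
# components[].purl, components[].supplier.name); all names are invented.
SBOMS = [
    {
        "metadata": {"component": {"name": "PressLine Controller", "version": "4.1"}},
        "components": [
            {"type": "firmware", "name": "motion-fw", "version": "2.8.0",
             "purl": "pkg:generic/acme-drives/motion-fw@2.8.0",
             "supplier": {"name": "Acme Drives"}},
            {"type": "library", "name": "tls-lib", "version": "1.4.2",
             "purl": "pkg:generic/tls-lib@1.4.2",
             "supplier": {"name": "Example Crypto"}},
        ],
    },
    {
        "metadata": {"component": {"name": "Vision QA Station", "version": "1.3"}},
        "components": [
            {"type": "library", "name": "tls-lib", "version": "1.5.0",
             "purl": "pkg:generic/tls-lib@1.5.0",
             "supplier": {"name": "Example Crypto"}},
            {"type": "application", "name": "remote-agent", "version": "3.0.1",
             "purl": "pkg:generic/remote-agent@3.0.1",
             "supplier": {"name": "Remote Services Ltd"}},
        ],
    },
]

# Constructed advisory: every tls-lib build earlier than 1.5.0 is affected.
ADVISORY = {"purl": "pkg:generic/tls-lib", "fixed_in": "1.5.0",
            "summary": "actively exploited handshake flaw (sample)"}

# CRA Art. 14 clocks for an actively exploited vulnerability: early warning within
# 24 h of becoming aware, vulnerability notification within 72 h, final report no
# later than 14 days after a corrective or mitigating measure is available.
CRA_VULN_CLOCKS = {"early_warning": timedelta(hours=24),
                   "notification": timedelta(hours=72)}
CRA_FINAL_REPORT_AFTER_FIX = timedelta(days=14)


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); non-numeric parts count as 0 (sample simplification)."""
    return tuple(int("".join(c for c in part if c.isdigit()) or 0)
                 for part in text.split("."))

def affected_products(sboms, advisory):
    """Products carrying a component whose PURL (version ignored) matches the
    advisory at a version below fixed_in, with the supplier to contact."""
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for bom in sboms:
        product = bom["metadata"]["component"]
        for comp in bom["components"]:
            if comp.get("purl", "").split("@", 1)[0] != advisory["purl"]:
                continue
            if parse_version(comp["version"]) < fixed:
                hits.append({
                    "product": f"{product['name']} {product['version']}",
                    "component": f"{comp['name']} {comp['version']}",
                    "supplier": comp.get("supplier", {}).get("name", "UNKNOWN"),
                })
    return hits

def cra_deadlines(aware_at, fix_available_at=None):
    """Absolute report deadlines from the moment of awareness; the final-report
    clock cannot start until a fix date is known, so it stays None until then."""
    deadlines = {name: aware_at + delta for name, delta in CRA_VULN_CLOCKS.items()}
    deadlines["final_report"] = (fix_available_at + CRA_FINAL_REPORT_AFTER_FIX
                                 if fix_available_at else None)
    return deadlines

def log_event(record, when, event, **details):
    """Append-only evidence log: corrections are new entries, never edits."""
    record["log"].append({"at": when.isoformat(), "event": event, **details})
    return record["log"][-1]

def open_incident(sboms, advisory, aware_at):
    """Affected products, suppliers to chase, reporting clocks, first log entry."""
    hits = affected_products(sboms, advisory)
    record = {"affected": hits,
              "suppliers_to_notify": sorted({h["supplier"] for h in hits}),
              "deadlines": cra_deadlines(aware_at),
              "log": []}
    log_event(record, aware_at, "aware", summary=advisory["summary"], affected=len(hits))
    return record

def overdue(record, now, done=()):
    """Reports whose deadline has passed and that are not marked done."""
    return [name for name, due in record["deadlines"].items()
            if due is not None and name not in done and now > due]

if __name__ == "__main__":
    aware = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)
    rec = open_incident(SBOMS, ADVISORY, aware)
    print(rec["affected"], rec["suppliers_to_notify"], rec["deadlines"], sep="\n")
    print("overdue after 30 h:", overdue(rec, aware + timedelta(hours=30)))
```

Run as a script, it reports PressLine Controller 4.1 as affected through tls-lib 1.4.2 (Vision QA Station already carries the fixed build), names Example Crypto as the supplier to chase, and flags the 24-hour early warning as overdue 30 hours after awareness. The final-report deadline stays None until a fix date is supplied, because that clock runs from when a corrective measure is available, not from awareness; a real program would also record who at the supplier was notified and when, as further entries in the same log.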

Transition or Exit
Retain records that may be needed after the relationship ends.

  • Example: Keep CBAM emissions submissions and EUDR due diligence records for the required retention period even after offboarding.

What This Means in Practice

These 2026 changes make supplier oversight more specific and more time sensitive.

  • More types of supplier evidence: CBAM drives emissions data, EUDR drives shipment or lot-level traceability, CRA drives incident and vulnerability reporting, and machinery, AI, and liability changes increase the need for documentation around software and updates.
  • Faster response expectations: During cyber events, teams need to identify impacted products and suppliers quickly, and document actions as they happen.
  • Stronger record requirements: Regulators expect evidence that can be produced later, including updates, corrections, and follow-up, not a one-time collection.

In practice, the program needs clear supplier requests, owners, timelines, and retained evidence that can be retrieved quickly to meet regulatory requirements.

How Certa Can Help Manufacturing TPRM Teams Manage Regulatory Changes

Most of the 2026 regulations break down in the same place: execution. Teams need to collect supplier evidence, keep it current, route reviews, and show what happened when timelines matter.

Certa supports that work across the TPRM lifecycle:

  • Workflow setup tied to requirements: Quickly update questionnaires and workflows as evidence needs change under CBAM, EUDR, and the EU AI Act.
  • Faster due diligence: Pre-fill supplier questionnaires using existing documents and prior submissions, reducing back-and-forth for suppliers in scope.
  • Control evidence reuse: Reuse validated security evidence so reviews focus on changes, supporting ongoing obligations under the Cyber Resilience Act and the Machinery Regulation.
  • Continuous monitoring: Monitor supplier updates and documentation over time to support refresh expectations under CBAM and EUDR.
  • Remediation tracking: Generate and manage remediation plans so gaps get assigned.
