Getready Compliance Logo
Product has been added to your cart.

Home > Blog

The New Wave of EU Regulation: What Manufacturers and Businesses Must Know for 2025–2030

The European Union is in the middle of one of the most significant regulatory transformations in its history. Between 2023 and 2030, a wave of new legislation is reshaping the obligations of manufacturers, importers, and businesses that operate in or sell to the European market.

This is not a routine update cycle. The EU is systematically restructuring its regulatory framework around four converging priorities: sustainability, digitalisation, cybersecurity, and product transparency. The result is a body of legislation that is broader in scope, more demanding in its documentation requirements, and more tightly enforced than anything that came before it.

This article provides a structured overview of the most significant regulatory developments manufacturers need to track — what they are, who they affect, and when they apply.

The Shift from Directives to Regulations

Before examining specific legislation, it is worth understanding a structural shift that runs through almost all of the new EU regulatory output: the move from directives to regulations.

EU directives require member states to transpose them into national law, which historically created inconsistencies in implementation across the single market. EU regulations, by contrast, are directly applicable in all member states without transposition. They come into force on the same date everywhere, with the same requirements, enforced by the same framework.

This shift has practical consequences for manufacturers. It means less room for interpretation, fewer national variations to navigate, and — where enforcement is concerned — a more uniform level of scrutiny across the EU. Companies that previously relied on lighter enforcement in specific member states should not expect that approach to remain viable.

Digital Product Passport (DPP)

The Digital Product Passport is one of the most structurally significant innovations in the EU’s regulatory agenda. Introduced under the Ecodesign for Sustainable Products Regulation (ESPR), the DPP requires manufacturers to associate each product — or product type — with a digital record containing standardised data on its materials, components, repairability, recyclability, and environmental footprint.

The DPP is designed to be accessible to all actors in the value chain: consumers, repair technicians, recyclers, and regulatory authorities. It will be linked to the product via a physical data carrier — a QR code, RFID chip, or similar — and must remain accessible throughout the product’s lifecycle.

Rollout is phased by product category. Batteries were the first category subject to DPP requirements under the Battery Regulation (EU) 2023/1542, with obligations already in force for industrial and EV batteries. Textiles, electronics, furniture, and construction products are among the categories scheduled to follow, with applicability dates staggered through 2030.

For manufacturers, the DPP represents a fundamental change in how product information is managed. It is not a label or a declaration — it is a living data infrastructure that must be maintained and updated over the product’s commercial life.

Carbon Border Adjustment Mechanism (CBAM)

The Carbon Border Adjustment Mechanism is the EU’s tool for addressing carbon leakage — the risk that EU climate policies lose effectiveness when production simply shifts to countries with less stringent emissions regulation.

CBAM applies to imports of carbon-intensive products into the EU: currently cement, iron and steel, aluminium, fertilisers, electricity, and hydrogen. Importers are required to purchase CBAM certificates corresponding to the carbon price that would have been paid under the EU Emissions Trading System (ETS) had the goods been produced in the EU.

The transitional reporting period ran from October 2023 to December 2025. The definitive system entered into force on 1 January 2026, with CBAM certificate purchases required from February 2027.

The practical implication for non-EU manufacturers is significant: importers cannot meet their CBAM obligations without accurate embedded emissions data from the manufacturer. This makes CBAM not just a customs or finance issue, but a supply chain and documentation challenge that starts at the production level.

Detailed information on CBAM obligations and how they affect manufacturers exporting to the EU is available on the CBAM Obligations page.

Ecodesign for Sustainable Products Regulation (ESPR)

The ESPR replaces the previous Ecodesign Directive (2009/125/EC) and dramatically expands its scope. Where the old directive focused primarily on energy efficiency of energy-related products, the ESPR applies to virtually all physical products placed on the EU market and introduces requirements across the entire product lifecycle.

Key requirements under ESPR include:

  • Durability and repairability — products must be designed to last longer and be repairable; spare parts and repair information must be available
  • Recyclability and recycled content — products must facilitate end-of-life disassembly and use of recycled materials
  • Environmental information — lifecycle data must be disclosed, feeding into the Digital Product Passport
  • Restrictions on destruction of unsold goods — particularly relevant for textiles and electronics

The ESPR operates through delegated acts, meaning the European Commission publishes specific requirements for each product category on a rolling basis. The first product categories — textiles, furniture, iron and steel, and electronics — are being addressed in the 2024–2027 period. Manufacturers should monitor the publication of delegated acts relevant to their sector as a priority.

EU Artificial Intelligence Act

The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence. It entered into force in August 2024, with obligations applying in phases through 2027.

The Act classifies AI systems into four risk tiers:

  • Unacceptable risk — prohibited AI practices (social scoring, subliminal manipulation, real-time biometric surveillance in public spaces)
  • High risk — AI used in critical infrastructure, employment, education, law enforcement, and certain product safety functions; subject to strict conformity assessment, documentation, and human oversight requirements
  • Limited risk — transparency obligations (e.g., chatbots must disclose they are AI)
  • Minimal risk — no specific obligations

For manufacturers, the most relevant category is high-risk AI embedded in regulated products. Under the AI Act, a machine, medical device, or vehicle that incorporates an AI system classified as high-risk must meet AI Act obligations in addition to the product-specific CE marking requirements. This creates overlapping compliance tracks that must be managed simultaneously.

The interaction between the AI Act and existing product regulations — particularly the Machinery Regulation and the Medical Devices Regulation — is one of the most technically complex areas of the current EU regulatory landscape.

The interaction between the AI Act and existing product regulations is discussed in more detail on the New Machinery Safety Regulation page, which covers how the new Machinery Regulation (EU) 2023/1230 already integrates AI and cybersecurity obligations for machinery manufacturers.

Cyber Resilience Act (CRA)

The Cyber Resilience Act introduces mandatory cybersecurity requirements for all products with digital elements placed on the EU market. This covers an extraordinarily broad range of goods — from industrial control systems and connected machinery to consumer routers, smart home devices, and software sold as a standalone product.

The CRA entered into force in December 2024, with a 36-month transition period running to December 2027 for most obligations (21 months for vulnerability reporting requirements).

Key obligations under the CRA include:

  • Security by design — products must be developed following a cybersecurity risk assessment, with vulnerabilities addressed throughout the development lifecycle
  • Vulnerability handling — manufacturers must have a process for identifying, documenting, and disclosing vulnerabilities, and must provide security updates for a defined support period
  • Incident reporting — actively exploited vulnerabilities and severe incidents must be reported to ENISA within 24 hours of discovery
  • Conformity assessment — most products can self-declare conformity; critical products (defined in Annex I) require third-party assessment

The CRA significantly raises the bar for software-containing and connected products. Manufacturers who have not previously considered cybersecurity as a compliance matter — rather than a purely technical one — will need to restructure their development and post-market processes accordingly.

General Product Safety Regulation (GPSR)

The General Product Safety Regulation (EU) 2023/988 replaced the General Product Safety Directive in December 2024. While it applies to consumer products not covered by specific sector legislation, its broader significance lies in the new obligations it introduces for online marketplaces and non-EU manufacturers selling directly to EU consumers.

Key changes from the previous directive include:

  • Mandatory EU-based responsible person — non-EU manufacturers must designate an EU-based responsible person before placing products on the EU market
  • Digital product traceability — products must carry a type, batch, or serial number; a QR code or equivalent is increasingly expected
  • Online marketplace obligations — platforms are directly obligated to ensure the products offered through them are safe, creating new upstream pressure on manufacturers
  • Recall and corrective measure procedures — standardised processes for product recalls, with notification obligations to both authorities and consumers

For manufacturers selling through e-commerce channels to EU consumers — including via global marketplaces — the GPSR introduces obligations that may not have applied under the previous directive.

What These Regulations Have in Common

Across all of the legislation described above, four structural themes recur consistently:

Traceability. Every new regulation requires manufacturers to document their products, supply chains, and processes in greater detail and for longer periods. The days of minimal paper trails are ending.

Sustainability. From CBAM’s carbon pricing to ESPR’s lifecycle requirements and the DPP’s material transparency, environmental accountability is being built directly into product compliance obligations.

Cybersecurity. The CRA, the AI Act’s high-risk product provisions, and the RED cybersecurity standards collectively establish cybersecurity as a mainstream product compliance requirement, not an optional technical enhancement.

Transparency. Consumers, repair technicians, recyclers, authorities, and supply chain partners are all being granted greater rights of access to product information. Manufacturers are expected to produce and maintain this information as a standard part of their operations.

Understanding these themes helps manufacturers prioritise. Rather than treating each new regulation as an isolated compliance project, the most efficient approach is to build the underlying data infrastructure — documentation systems, supply chain data flows, cybersecurity processes — that satisfies multiple regulatory requirements simultaneously.

How to Prepare Your Business

Given the volume and pace of regulatory change, manufacturers face a real risk of compliance fatigue — attempting to respond to each new obligation reactively, without a coherent strategy. A more sustainable approach involves three principles:

Early compliance. Engaging with regulatory requirements during the product design phase — rather than after the product is finalised — significantly reduces the cost and disruption of compliance. Design decisions that seem minor at the product level (material selection, software architecture, repairability) often have major regulatory implications.

Regulatory monitoring. The EU’s legislative pipeline is publicly available, and delegated acts under ESPR, implementing acts under the AI Act, and technical standards under the CRA are published on a rolling basis. Manufacturers should have a process for tracking developments relevant to their product categories.

Integrated compliance management. The overlap between regulations — particularly between the AI Act, the CRA, the Machinery Regulation, and sector-specific CE marking requirements — means that siloed compliance teams managing each regulation separately will duplicate effort and risk inconsistencies. An integrated approach, ideally with a single point of regulatory coordination, is considerably more efficient.

Whether you are at the early stages of understanding which regulations apply to your product, or working through the documentation requirements of a specific framework, we can help you build a compliance approach that is both thorough and proportionate.

If you would like to discuss your regulatory situation, request a quote — no obligation, and with a response focused on your specific context.

For authoritative and up-to-date information on EU regulatory developments, the EUR-Lex portal provides direct access to all EU legislation, official journal publications, and legislative proposals currently in progress.

Category: CE Marking
Tags: Cyber Resilience Act, Digital Product Passport, ESPR ecodesign regulation, EU AI Act manufacturers, EU CBAM obligations manufacturers, EU regulatory trends 2025 2030

Looking for human beings to handle this? Here we are.