This week at the PLASA European PlugFest in Lille, France, the entertainment lighting industry got its first hands-on look at Sig-Net: A new protocol designed to bring cybersecurity to lighting networks. QubiCast co-founder Mitja Schmakeit was on-site as participants began testing their first implementations against each other.
The timing isn't accidental. The EU Cyber Resilience Act (CRA) takes full effect in December 2027, and every manufacturer selling networked lighting equipment in Europe needs to comply. Sig-Net is the industry's most concrete answer to that deadline so far.
What Sig-Net Is
Sig-Net is a free-to-use, royalty-free communication framework for entertainment lighting, designed by Wayne Howell, the same engineer who created Art-Net over 25 years ago and co-designed the RDM protocol. It provides a secure transport layer for DMX, RDM, timecode, and firmware updates, built from the ground up with CRA compliance in mind.
Rather than encrypting every packet of DMX level data (which would introduce unacceptable latency for live production), Sig-Net focuses on authentication and integrity.
The core idea: verify that a device sending control data is authorized to do so, and ensure the data hasn't been tampered with in transit.
Real-time DMX levels don't need the same cryptographic treatment as a financial transaction but the network does need to know who's talking and whether the data is trustworthy.
Sig-Net is built to succeed Art-Net and sACN, not discard them. It carries forward what worked from both:
- sACN's multicast architecture,
- Art-Net's device discovery and RDM transport,
- E1.37-4's firmware upload mechanism
and wraps them in a security framework.
It also drops the RDMnet broker requirement that limited RDMnet adoption and replaces LLRP with its own device recovery mechanism.
Why the Industry Needs This Now
The Cyber Resilience Act (Regulation EU 2024/2847) applies to any hardware or software product with digital elements sold in the EU. That includes lighting consoles, network nodes, DMX gateways, and any fixture with a network interface. From December 2027, non-compliant products cannot carry CE marking and cannot be sold in the European market. Penalties reach up to €15 million or 2.5% of global annual turnover.
The reporting obligations start even earlier in September 2026. Manufacturers must notify ENISA of any actively exploited vulnerability within 24 hours.
For an industry that has largely operated on unencrypted, unauthenticated protocols for decades, this is a significant shift. Art-Net and sACN were designed for closed, trusted networks. Neither includes any form of authentication, encryption, or access control. Under a strict reading of the CRA, it's difficult to argue that an unauthenticated protocol meets the regulation's "secure by default" requirement, even on a physically isolated lighting network.
This is where Sig-Net's positioning as "CRA defensible" becomes important. It doesn't claim to meet every possible security requirement. Instead, it provides a framework that manufacturers can reference in their CRA risk assessments, demonstrating that they've implemented appropriate security measures proportionate to the actual threat landscape of a live lighting environment.
What Happened at PlugFest
The PLASA European PlugFest is a four-day residential event where manufacturers and developers test the interoperability of their protocol implementations. It's hosted by Hamish Dumbreck (JESE Ltd), Wayne Howell (Singularity UK), and Peter Willis (Howard Eaton Lighting), and has been running annually in Lille for years.
Sig-Net launched as a pre-release for peer review on April 15, with the full specification, C++ example code, a Sig-Net dissector for wireshark and a developer Discord community going live alongside the event. Participants were already testing early implementations against each other, a sign of how urgently manufacturers are looking for a practical CRA solution.
The enthusiasm from our perspective is clear: Manufacturers are ready to adopt Sig-Net because it offers a concrete, implementable path to CRA compliance without requiring a fundamental redesign of their products.
A dedicated "Sig-Fest" — a testing event focused entirely on Sig-Net implementations — is expected within the next six months.
The Partner List Tells a Story
The companies publicly supporting Sig-Net include ChamSys, Robert Juliat, Avolites, Astera, ETC, Elation, ADJ, Obsidian Control Systems, X-Laser, TMB, and Company NA alongside Singularity UK. This isn't a fringe initiative. It's a cross-section of the industry's major console manufacturers, fixture makers, and infrastructure providers.
That breadth matters because Sig-Net only works if it becomes a common standard. A single manufacturer implementing it gains nothing if the devices on the other end of the network don't speak the same language. The partner list suggests that the critical mass for adoption may already be forming.
What This Means for Monitoring
From a network monitoring perspective, Sig-Net's architecture is interesting. Because it's built on multicast, like sACN but with improved scalability through what Sig-Net calls "multicast folding", monitoring tools can observe network traffic passively without needing to inject discovery packets or poll individual devices. A monitoring tool like QubiSet on the same network segment can see what's being transmitted, by whom, and whether the authentication checks are passing.
For venues and production companies that adopt Sig-Net, network monitoring becomes more straightforward than it is with Art-Net's mixed broadcast/unicast model. The authenticated nature of the protocol also means that monitoring can distinguish between authorized and unauthorized traffic, a capability that doesn't exist in current lighting protocols.
The Transition Question
One thing that isn't fully resolved yet is how the transition from Art-Net and sACN to Sig-Net will play out in practice. Manufacturers can ship devices that support Sig-Net alongside Art-Net and sACN today, multi-protocol support is standard practice. But after December 2027, the CRA compliance question applies to every protocol the device exposes. A device that supports both Sig-Net (secured) and Art-Net or sACN (unsecured) may face scrutiny about whether the unsecured interface undermines its CRA compliance.
How this gets resolved will depend heavily on how individual manufacturers write their risk assessments and how market surveillance authorities interpret the regulation. The industry is navigating new territory here, and the practical answers will emerge over the next 18 months.
What's less uncertain is that the conversation has shifted. The question is no longer whether the lighting industry needs to address cybersecurity, it's how quickly manufacturers can implement a solution before the deadline arrives. Sig-Net is the most complete answer the industry has produced so far, and as of this week in Lille, it's no longer theoretical.
QubiCast co-founder Mitja Schmakeit attended PLASA PlugFest 2026 in Lille. QubiCast builds networking tools for the professional lighting industry, including QubiSet — a monitoring and configuration platform for Art-Net, RDM, LLRP, and sACN networks. qubicast.com
